Mohamed Shahat (shiky8)

6 exploits, active since Nov 2025
CVE-2025-63952 WRITEUP MEDIUM WORKING POC
Magewell Pro Convert <1.2.213 - CSRF
A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.
CVSS 5.7
CVE-2025-63953 WRITEUP MEDIUM WORKING POC
Magewell Pro Convert <1.2.213 - CSRF
A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.
CVSS 6.5
CVE-2025-65228 WRITEUP LOW WRITEUP
RVR Tlk302t Firmware - XSS
A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799).
CVSS 3.5
CVE-2025-65229 WRITEUP MEDIUM WRITEUP
Lyrion Music Server < 9.0.3 - XSS
A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page.
CVSS 4.6
CVE-2025-65230 WRITEUP MEDIUM WRITEUP
Barix Instreamer Firmware - XSS
Barix Instreamer v04.06 and v04.05 contain a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input.
CVSS 5.4
CVE-2025-65231 WRITEUP MEDIUM WORKING POC
Barix Instreamer Firmware < 4.06 - XSS
Barix Instreamer v04.06 and earlier is vulnerable to cross-site scripting (XSS) in the Web UI I/O & Serial configuration page, specifically in the CTS close command user-input field, whose value is stored and later rendered on the Status page.
CVSS 6.1