NABEEL

6 exploits Active since Mar 2026
CVE-2026-3228 GITHUB MEDIUM python WORKING POC
NextScripts Social Networks Auto-Poster <4.4.6 - XSS
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the `snapFB` post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
10 stars
CVSS 6.4
CVE-2026-27944 GITHUB CRITICAL python WORKING POC
nginxui/nginx_ui < 2.3.3 - Unauthenticated Sensitive Data Exposure via Backup Endpoint
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
10 stars
CVSS 9.8
CVE-2026-27944 NOMISEC CRITICAL WORKING POC
nginxui/nginx_ui < 2.3.3 - Unauthenticated Sensitive Data Exposure via Backup Endpoint
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
3 stars
CVSS 9.8
CVE-2026-41940 GITHUB CRITICAL python WORKING POC
cPanel and WHM Authentication Bypass via Login Flow
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
1 stars
CVSS 9.8
CVE-2026-22730 NOMISEC HIGH WORKING POC
CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization.
1 stars
CVSS 8.8
CVE-2026-3228 NOMISEC MEDIUM WORKING POC
NextScripts Social Networks Auto-Poster <4.4.6 - XSS
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the `snapFB` post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
1 stars
CVSS 6.4