Onurcan Genç

5 exploits, active since Sep 2025
CVE-2025-57520 NOMISEC MEDIUM WRITEUP
Techhub.p-m Decap CMS < 3.8.3 - XSS
A Cross-Site Scripting (XSS) vulnerability exists in Decap CMS through 3.8.3. Input fields such as body, tags, title, and description are not properly sanitized before being rendered in the content preview pane. This enables an attacker to inject arbitrary JavaScript which executes whenever a user views the preview panel. The vulnerability affects multiple input vectors and does not require user interaction beyond viewing the affected content.
CVSS 6.1
CVE-2025-10878 NOMISEC CRITICAL WRITEUP
Omran Fikir Odalari AdminPando < 1.0.1 - SQL Injection
A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).
CVSS 10.0
CVE-2025-60506 WRITEUP MEDIUM WRITEUP
Moodle PDF Annotator plugin v1.5 release 9 - XSS
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or Admin) views the annotated PDF, the payload is executed in their browser, leading to session hijacking, credential theft, or other attacker-controlled actions.
CVSS 5.4
CVE-2025-60507 WRITEUP HIGH WRITEUP
Moodle GeniAI 2.3.6 - XSS
Cross-site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with the Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.
CVSS 8.9
CVE-2025-60511 WRITEUP MEDIUM WRITEUP
Moodle OpenAI Chat Block plugin 3.0.1 - IDOR
Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.
CVSS 4.3