Poloss

4 exploits Active since Jan 2026
CVE-2026-23550 GITHUB CRITICAL python WORKING POC
Modular DS - Privilege Escalation
Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from n/a through <= 2.5.1.
10 stars
CVSS 9.8
CVE-2026-33868 NOMISEC MEDIUM SCANNER
Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
2 stars
CVSS 4.3
CVE-2026-0920 NOMISEC CRITICAL WORKING POC
LA-Studio Element Kit - Privilege Escalation
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.
2 stars
CVSS 9.8
CVE-2026-23550 NOMISEC CRITICAL WORKING POC
Modular DS - Privilege Escalation
Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from n/a through <= 2.5.1.
1 stars
CVSS 9.8