ShadowByte1

4 exploits Active since Jan 2025
CVE-2024-48245 NOMISEC HIGH WRITEUP
Vehicle Management System 1.0 - SQL Injection via Booking ID, Action Name, or Payment Confirmation ID
Vehicle Management System 1.0 is vulnerable to SQL Injection. A guest user can exploit vulnerable POST parameters in various administrative actions, such as booking a vehicle or confirming a booking. The affected parameters include "Booking ID", "Action Name", and "Payment Confirmation ID", which are present in /newvehicle.php and /newdriver.php.
1 stars
CVSS 7.2
CVE-2024-48246 NOMISEC MEDIUM WRITEUP
Vehicle Management System 1.0 - Stored Cross-Site Scripting via Name Parameter
Vehicle Management System 1.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the "Name" parameter of /vehicle-management/booking.php.
1 stars
CVSS 5.4
CVE-2024-53345 NOMISEC HIGH WORKING POC
Car Rental Management System <1.4 - Authenticated RCE
An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file.
1 stars
CVSS 8.8
CVE-2026-42154 NOMISEC HIGH STUB
Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
CVSS 7.5