Shadowbyte

6 exploits Active since Oct 2025
CVE-2024-57494 WRITEUP MEDIUM WRITEUP
Neto E-Commerce CMS 6.313.0-6.3115 - Cross-Site Scripting via kw Parameter
Cross Site Scripting vulnerability in Neto E-Commerce CMS v.6.313.0 through v.6.3115 allows a remote attacker to escalate privileges via the kw parameter.
CVSS 6.5
CVE-2025-28357 WRITEUP HIGH WRITEUP
Neto CMS 6.313.0-6.314.0 - Remote Code Execution via CRLF Injection
A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request.
CVSS 8.8
CVE-2025-43718 WRITEUP LOW WRITEUP
Poppler <25.04.0 - Memory Corruption
Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).
CVSS 2.9
CVE-2025-46205 WRITEUP HIGH WRITEUP
podofo 0.10.0-0.10.5 - Use-After-Free in PdfTokenizer::ReadDictionary
A heap-use-after free in the PdfTokenizer::ReadDictionary function of podofo v0.10.0 to v0.10.5 allows attackers to cause a Denial of Service (DoS) by supplying a crafted PDF file. NOTE: this is disputed by the Supplier because there is no available file to reproduce the issue.
CVSS 8.1
CVE-2025-57393 WRITEUP HIGH WRITEUP
Kissflow Work Platform 7337 Account 2.0-4.2 - Stored Cross-Site Scripting
A stored cross-site scripting (XSS) in Kissflow Work Platform Kissflow Application Versions 7337 Account v2.0 to v4.2vallows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.
CVSS 8.8
CVE-2025-60991 WRITEUP HIGH WRITEUP
Codazon Magento Themes <2.4.7 - XSS
A reflected cross-site scripted (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload injected into the cat parameter.
CVSS 8.8