ThemeHackers

33 exploits Active since Feb 2024
CVE-2025-55182 GITLAB CRITICAL WORKING POC
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CVSS 10.0
CVE-2025-54100 GITLAB HIGH WORKING POC
Windows PowerShell - Unauthenticated Command Injection
Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.
CVSS 7.8
CVE-2025-13780 GITLAB CRITICAL WRITEUP
pgAdmin < 9.10 - Remote Code Execution via PLAIN-Format Dump File Restore
pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.
CVSS 9.1
CVE-2024-38063 GITLAB CRITICAL WORKING POC
Windows TCP/IP - Remote Code Execution
Windows TCP/IP Remote Code Execution Vulnerability
CVSS 9.8
CVE-2024-21413 GITLAB CRITICAL SUSPICIOUS
Microsoft 365 Apps and Office 2016-2019 - Remote Code Execution via Moniker Link
Microsoft Outlook Remote Code Execution Vulnerability
CVSS 9.8
CVE-2024-10914 GITLAB HIGH WORKING POC
D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L - OS Command Injection via cgi_user_add name Parameter
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
CVSS 8.1
CVE-2024-3094 GITLAB CRITICAL SCANNER
xz <5.6.0 - Code Injection
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
CVSS 10.0
CVE-2024-6387 GITLAB HIGH WORKING POC
OpenSSH - DoS
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
CVSS 8.1