Valentin Lobstein

99 exploits Active since Nov 2013
CVE-2025-2292 METASPLOIT MEDIUM ruby WORKING POC
Xorcom Completepbx < 5.2.36.1 - Path Traversal
Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality.This issue affects CompletePBX: through 5.2.35.
CVSS 6.5
CVE-2024-1071 METASPLOIT CRITICAL ruby WORKING POC
WordPress Ultimate Member SQL Injection (CVE-2024-1071)
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS 9.8
CVE-2024-45256 METASPLOIT CRITICAL ruby WORKING POC
BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)
An arbitrary file write issue in the exfiltration endpoint in BYOB (Build Your Own Botnet) 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in file_add in api/files/routes.py.
CVSS 9.8
CVE-2024-51378 METASPLOIT CRITICAL ruby WORKING POC
Cyberpanel < 2.3.8 - OS Command Injection
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
CVSS 10.0
CVE-2023-46214 METASPLOIT HIGH ruby WORKING POC
Splunk Enterprise <9.0.7-9.1.2 - RCE
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.
CVSS 8.0
CVE-2025-34073 METASPLOIT CRITICAL ruby WORKING POC
stamparm/maltrail <=0.54 - Command Injection
An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.
CVE-2025-58360 METASPLOIT HIGH ruby WORKING POC
GeoServer WMS GetMap XXE Arbitrary File Read
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
CVSS 8.2
CVE-2022-0169 METASPLOIT CRITICAL ruby WORKING POC
WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection
CVSS 9.8
CVE-2025-2011 METASPLOIT HIGH ruby WORKING POC
WordPress Depicter Plugin SQL Injection (CVE-2025-2011)
The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS 7.5
CVE-2025-30406 METASPLOIT CRITICAL ruby WORKING POC
Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
CVSS 9.0
CVE-2024-8856 METASPLOIT CRITICAL ruby WORKING POC
WordPress WP Time Capsule Arbitrary File Upload to RCE
The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 9.8
CVE-2025-11749 METASPLOIT CRITICAL ruby WORKING POC
WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.
CVSS 9.8
CVE-2024-5084 METASPLOIT CRITICAL ruby WORKING POC
Hashthemes Hash Form < 1.1.1 - Unrestricted File Upload
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 9.8
CVE-2025-2563 METASPLOIT HIGH ruby WORKING POC
User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges
CVSS 8.1
CVE-2023-5360 METASPLOIT CRITICAL ruby WORKING POC
WordPress Royal Elementor Addons RCE
The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.
CVSS 9.8
CVE-2025-8943 METASPLOIT CRITICAL ruby WORKING POC
Flowise < 3.0.1 - Missing Authorization
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
CVSS 9.8
CVE-2024-25600 METASPLOIT CRITICAL ruby WORKING POC
Unauthenticated Remote Code Execution - Bricks <= 1.9.6
Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection.This issue affects Bricks Builder: from n/a through 1.9.6.
CVSS 10.0
CVE-2024-31819 METASPLOIT CRITICAL ruby WORKING POC
WWBN AVideo <14.2 - RCE
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.
CVSS 9.8
CVE-2025-47812 METASPLOIT CRITICAL ruby WORKING POC
Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
CVSS 10.0
CVE-2025-34433 METASPLOIT CRITICAL ruby WORKING POC
AVideo <20.1 - RCE
AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.
CVE-2025-34299 METASPLOIT CRITICAL ruby WORKING POC
Monstaftp Monsta FTP < 2.11 - Unrestricted File Upload
Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.
CVSS 9.8
CVE-2013-4557 METASPLOIT ruby WORKING POC
SPIP <3.0.12 - RCE
The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter.
CVE-2024-8517 METASPLOIT CRITICAL ruby WORKING POC
SPIP <4.3.2-4.1.18 - Command Injection
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
CVSS 9.8
CVE-2024-7954 METASPLOIT CRITICAL ruby WORKING POC
SPIP - RCE
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
CVSS 9.8
CVE-2025-59528 METASPLOIT CRITICAL ruby WORKING POC
Flowise < 3.0.6 - Code Injection
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
CVSS 10.0