XiaomingX

190 exploits Active since Oct 2024
CVE-2026-20660 GITHUB HIGH python WORKING POC
macOS Tahoe <26.3 - Info Disclosure
A path handling issue was addressed with improved logic. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A remote user may be able to write arbitrary files.
10 stars
CVSS 7.5
CVE-2025-69727 GITHUB MEDIUM python STUB
INDEX-EDUCATION PRONOTE <2025.2.8 - Info Disclosure
An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers.
10 stars
CVSS 5.3
CVE-2026-3442 GITHUB MEDIUM python WORKING POC
Red Hat Enterprise Linux 10 - Buffer Overflow
A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.
10 stars
CVSS 6.1
CVE-2026-2461 GITHUB MEDIUM python WORKING POC
Missing authorization check allows unauthorized modification of other users' comments on a board
Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559
10 stars
CVSS 4.3
CVE-2026-26118 GITHUB HIGH python SCANNER
Azure MCP Server - Authenticated Server-Side Request Forgery
Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.
10 stars
CVSS 8.8
CVE-2025-5548 GITHUB HIGH python WORKING POC
FreeFloat FTP Server 1.0 - Buffer Overflow
A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. Affected is an unknown function of the component NOOP Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
10 stars
CVSS 7.3
CVE-2025-47273 GITHUB HIGH python WORKING POC
setuptools < 78.1.1 - Path Traversal and Arbitrary File Write via PackageIndex
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
10 stars
CVSS 8.8
CVE-2026-25595 GITHUB MEDIUM python WRITEUP
InvoicePlane < 1.7.1 - Authenticated Stored Cross-Site Scripting via Invoice Number Field
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.
10 stars
CVSS 4.8
CVE-2026-25596 GITHUB MEDIUM python WRITEUP
InvoicePlane < 1.7.1 - Authenticated Stored Cross-Site Scripting via Product Unit Name Field
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue.
10 stars
CVSS 4.8
CVE-2026-31899 GITHUB HIGH python WRITEUP
CairoSVG < 2.9.0 - Denial of Service via Recursive <use> Element Amplification
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.
10 stars
CVSS 7.5
CVE-2025-15276 GITHUB HIGH python WORKING POC
FontForge - Remote Code Execution via SFD File Parsing
FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28198.
10 stars
CVSS 7.8
CVE-2026-25594 GITHUB MEDIUM python WRITEUP
InvoicePlane < 1.7.1 - Stored Cross-Site Scripting via Family Name Field
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.
10 stars
CVSS 4.8
CVE-2026-4092 GITHUB HIGH python WRITEUP
Google Clasp < 3.2.0 - Remote Code Execution via Directory Traversal in Filename
Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.
10 stars
CVSS 8.8
CVE-2026-31802 GITHUB MEDIUM python WORKING POC
tar < 7.5.11 - Path Traversal via Drive-Relative Symlink Target
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
10 stars
CVSS 5.5
CVE-2026-25177 GITHUB HIGH python SCANNER
Active Directory Domain Services - Privilege Escalation
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
10 stars
CVSS 8.8
CVE-2026-1311 GITHUB HIGH python WORKING POC
Worry Proof Backup Plugin <0.2.4 - Path Traversal
The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path traversal sequences to write arbitrary files anywhere on the server, including executable PHP files. This can lead to remote code execution.
10 stars
CVSS 8.8
CVE-2026-27097 GITHUB HIGH python WORKING POC
CasaMia Theme <=1.1.2 - PHP Local File Inclusion
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through <= 1.1.2.
10 stars
CVSS 8.1
CVE-2026-29000 GITHUB CRITICAL python WORKING POC
pac4j-jwt <4.5.9/5.7.9/6.3.3 - Auth Bypass
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.
10 stars
CVSS 9.1
CVE-2026-31816 GITHUB CRITICAL python WORKING POC
Budibase < 3.31.4 - Unauthenticated API Access Bypass via Webhook Path Query String
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.
10 stars
CVSS 9.1
CVE-2026-2058 GITHUB HIGH python WORKING POC
mathurvishal CloudClassroom-PHP-Project - SQL Injection via gnamex Parameter
A flaw has been found in mathurvishal CloudClassroom-PHP-Project up to 5dadec098bfbbf3300d60c3494db3fb95b66e7be. This impacts an unknown function of the file /postquerypublic.php of the component Post Query Details Page. This manipulation of the argument gnamex causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
10 stars
CVSS 7.3
CVE-2026-27884 GITHUB MEDIUM python WORKING POC
NetExec < 1.5.1 - Path Traversal and Arbitrary File Write via SMB Share Filename
NetExec is a network execution tool. Prior to version 1.5.1, the module spider_plus improperly creates the output file and folder path when saving files from SMB shares. It does not take into account that it is possible for Linux SMB shares to have path traversal characters such as `../` in them. An attacker can craft a filename in an SMB share that includes these characters, which when spider_plus crawls and downloads, can write or overwrite arbitrary files. The issue is patched in v1.5.1. As a workaround, do not run spider_plus with DOWNLOAD=true against targets.
10 stars
CVSS 5.3
CVE-2026-31844 GITHUB HIGH python SCANNER
Koha Staff Interface - SQL Injection
An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. Successful exploitation may lead to full compromise of the backend database, including disclosure or modification of stored data.
10 stars
CVSS 8.8
CVE-2026-32127 GITHUB HIGH python WORKING POC
OpenEMR < 8.0.0.1 - Authenticated SQL Injection via AJAX Graphs Library
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax graphs library. This vulnerability is fixed in 8.0.0.1.
10 stars
CVSS 8.8
CVE-2026-30945 GITHUB HIGH python WORKING POC
StudioCMS <0.4.0 - Privilege Escalation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
10 stars
CVSS 7.1
CVE-2026-30944 GITHUB HIGH python WORKING POC
StudioCMS <0.4.0 - Privilege Escalation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0.
10 stars
CVSS 8.8