XiaomingX

190 exploits Active since Oct 2024
CVE-2026-26417 GITHUB HIGH python WRITEUP
TCS Cognix Recon Client 3.0 - Privilege Escalation
A broken access control vulnerability in the password reset functionality of Tata Consultancy Services Cognix Recon Client v3.0 allows authenticated users to reset passwords of arbitrary user accounts via crafted requests.
10 stars
CVSS 8.1
CVE-2026-26416 GITHUB HIGH python WRITEUP
TCS Cognix Recon Client 3.0 - Privilege Escalation
An authorization bypass vulnerability in Tata Consultancy Services Cognix Recon Client v3.0 allows authenticated users to escalate privileges across role boundaries via crafted requests.
10 stars
CVSS 8.8
CVE-2026-26418 GITHUB HIGH python WRITEUP
TCS Cognix Recon Client 3.0 - Auth Bypass
Missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client v3.0 allows remote attackers to access application functionality without restriction via the network.
10 stars
CVSS 7.5
CVE-2025-6019 GITHUB HIGH python WORKING POC
Red Hat Enterprise Linux - Local Privilege Escalation via libblockdev XFS Image Resizing
A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
10 stars
CVSS 7.0
CVE-2026-21385 GITHUB HIGH python SCANNER
Qualcomm Memory Allocation Alignments Firmware - Memory Corruption
Memory corruption while using alignments for memory allocation.
10 stars
CVSS 7.8
CVE-2026-27636 GITHUB HIGH python SCANNER
FreeScout < 1.8.206 - Authenticated Remote Code Execution via .htaccess Upload
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.
10 stars
CVSS 8.8
CVE-2026-2628 GITHUB CRITICAL python SUSPICIOUS
All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <2.2.5 - Authentication Bypass
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.
10 stars
CVSS 9.8
CVE-2026-21902 GITHUB CRITICAL python WORKING POC
Juniper Junos OS Evolved 25.4-25.4R1-S1-EVO, 25.4R2-EVO - Remote Code Execution via Anomaly Detection
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device. Please note that this service is enabled by default as no specific configuration is required. This issue affects Junos OS Evolved on PTX Series: * 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO. This issue does not affect Junos OS.
10 stars
CVSS 9.8
CVE-2026-23842 GITHUB HIGH python WORKING POC
ChatterBot < 1.2.11 - Denial of Service via SQLAlchemy Connection Pool Exhaustion
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue.
10 stars
CVSS 7.5
CVE-2026-3395 GITHUB HIGH python WORKING POC
MaxSite CMS <109.1 - Code Injection
A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.
10 stars
CVSS 7.3
CVE-2025-33073 GITHUB HIGH python SCANNER
Windows SMB - Authenticated Privilege Escalation via Improper Access Control
Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
10 stars
CVSS 8.8
CVE-2026-27179 GITHUB HIGH python TROJAN
MajorDoMo - Unauthenticated SQL Injection
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
10 stars
CVSS 8.2
CVE-2026-0006 GITHUB CRITICAL python STUB
Google Android - Heap Buffer Overflow
In multiple locations, there is a possible out of bounds read and write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
10 stars
CVSS 9.8
CVE-2026-28372 GITHUB HIGH python WORKING POC
GNU inetutils <=2.7 - Privilege Escalation
telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.
10 stars
CVSS 7.4
CVE-2026-2472 GITHUB HIGH python WORKING POC
Google Cloud Vertex AI SDK 1.98.0-1.131.0 - XSS
Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.
10 stars
CVE-2025-24132 GITHUB MEDIUM python WORKING POC
AirPlay Audio and Video SDK < 2.7.1 and < 3.6.0.126 - Denial of Service via Memory Corruption
The issue was addressed with improved memory handling. This issue is fixed in AirPlay audio SDK 2.7.1 and AirPlay video SDK 3.6.0.126. An attacker on the local network may cause an unexpected app termination.
10 stars
CVSS 6.5
CVE-2025-15030 GITHUB CRITICAL python NO CODE
User Profile Builder <3.15.2 - Info Disclosure
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account
10 stars
CVSS 9.8
CVE-2026-20127 GITHUB CRITICAL python SUSPICIOUS
Cisco Catalyst SD-WAN - Auth Bypass
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root&nbsp;user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.&nbsp;
10 stars
CVSS 10.0
CVE-2026-23829 GITHUB MEDIUM python WORKING POC
Mailpit < 1.28.3 - SMTP Header Injection via RCPT TO and MAIL FROM Address Validation
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
10 stars
CVSS 5.3
CVE-2026-23723 GITHUB HIGH python WORKING POC
WeGIA < 3.6.2 - Authenticated SQL Injection via Atendido_ocorrenciaControle id_memorando Parameter
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2.
10 stars
CVSS 7.2
CVE-2026-1457 GITHUB HIGH python WRITEUP
TP-Link VIGI C385 V1 - Buffer Overflow
An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges.
10 stars
CVSS 8.8
CVE-2026-23550 GITHUB CRITICAL python WORKING POC
Modular DS <= 2.5.1 - Incorrect Privilege Assignment
Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from n/a through <= 2.5.1.
10 stars
CVSS 9.8
CVE-2026-22807 GITHUB HIGH python WORKING POC
vllm 0.10.1-0.13.0 - Remote Code Execution via Hugging Face auto_map Dynamic Module Loading
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.
10 stars
CVSS 8.8
CVE-2026-1405 GITHUB CRITICAL python WORKING POC
Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload via slider_future_handle_image_upload
The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
10 stars
CVSS 9.8
CVE-2025-61183 GITHUB MEDIUM python WORKING POC
vaahcms 2.3.1 - Cross-Site Scripting via UserBase.php storeAvatar() Upload Method
Cross Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBase.php
10 stars
CVSS 6.1