Yassine Damiri

6 exploits Active since Mar 2025
CVE-2026-40519 HIGH WRITEUP
Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()
Nginx Proxy Manager versions 2.9.14 through 2.15.1 (fixed in commit a5db5ed) contain an authenticated remote code execution vulnerability: an OS command injection in the setupCertbotPlugins() function in backend/setup.js. An attacker holding the certificates:manage permission can store a malicious payload in the dns_provider_credentials field. That user-controlled value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, so the injected command runs the next time the backend restarts and replays the stored field.
CVSS 7.5
CVE-2025-25680 HIGH WRITEUP
LSC Indoor PTZ Camera 7.6.32 - Remote Code Execution via Crafted QR Code in Wi-Fi Configuration
LSC Smart Connect LSC Indoor PTZ Camera 7.6.32 contains an RCE vulnerability in the tuya_ipc_direct_connect function of the anyka_ipc process. Arbitrary code execution is reached through the Wi-Fi configuration process when a specially crafted QR code is presented to the camera.
CVSS 7.7
CVE-2025-29659 CRITICAL WRITEUP
Yi IOT XY-3820 6.0.24.10 - Remote Code Execution via cmd_listen Function
Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary.
CVSS 9.8
CVE-2025-29660 CRITICAL WRITEUP
Yi IOT XY-3820 v6.0.24.10 - Arbitrary Script Execution via Directory Traversal in TCP Service
A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques.
CVSS 9.8