brokendreamsclub

9 exploits Active since Dec 2018
CVE-2025-3515 NOMISEC HIGH WORKING POC
Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
17 stars
CVSS 8.1
CVE-2025-57819 NOMISEC CRITICAL WORKING POC
FreePBX 15.0-15.0.65 - Unauthenticated Authentication Bypass and Remote Code Execution
FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
3 stars
CVSS 9.8
CVE-2025-53693 NOMISEC CRITICAL WORKING POC
Sitecore XM/X <10.5 - Cache Poisoning
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.
1 stars
CVSS 9.8
CVE-2025-53691 GITHUB HIGH python WORKING POC
Sitecore XP 9.0-9.3, 10.0-10.4 - RCE via Untrusted Deserialization
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.
CVSS 8.8
CVE-2025-53694 NOMISEC HIGH WORKING POC
Sitecore Experience Manager and Experience Platform 9.2-10.4 - Exposure of Sensitive Information
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.
CVSS 7.5
CVE-2025-53691 NOMISEC HIGH WORKING POC
Sitecore XP 9.0-9.3, 10.0-10.4 - RCE via Untrusted Deserialization
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.
CVSS 8.8
CVE-2025-53694 NOMISEC HIGH WORKING POC
Sitecore Experience Manager and Experience Platform 9.2-10.4 - Exposure of Sensitive Information
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.
CVSS 7.5
CVE-2025-54309 NOMISEC CRITICAL WORKING POC
CrushFTP 10.0.0-10.8.4 and 11.0.0-11.3.3 - Unauthenticated Remote Admin Access via AS2 Validation Bypass
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
CVSS 9.0
CVE-2018-19323 NOMISEC CRITICAL WORKING POC
GIGABYTE APP Center <v1.05.21 - Info Disclosure
The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes functionality to read and write Machine Specific Registers (MSRs).
CVSS 9.8