chrisWalker11

9 exploits Active since May 2024
CVE-2024-32002 NOMISEC CRITICAL WORKING POC
Git <2.45.1-2.39.4 - Code Injection
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
CVSS 9.0
CVE-2025-45313 WRITEUP MEDIUM WRITEUP
hortusfox-web 4.4 - Stored Cross-Site Scripting via /tasks Endpoint Title Parameter
A cross-site scripting (XSS) vulnerability in the /tasks endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the title parameter.
CVSS 6.1
CVE-2025-45314 WRITEUP MEDIUM WRITEUP
hortusfox-web 4.4 - Stored Cross-Site Scripting via Calendar Add Function
A cross-site scripting (XSS) vulnerability in the /Calendar endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the add function.
CVSS 6.1
CVE-2025-45315 WRITEUP MEDIUM WRITEUP
hortusfox-web 4.4 - Cross-Site Scripting via Email Parameter
A cross-site scripting (XSS) vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter.
CVSS 5.4
CVE-2025-45316 WRITEUP MEDIUM WRITEUP
hortusfox-web 4.4 - Stored Cross-Site Scripting via TextBlockModule Name Parameter
A cross-site scripting (XSS) vulnerability in the TextBlockModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter.
CVSS 6.1
CVE-2025-45317 WRITEUP MEDIUM WRITEUP
hortusfox-web 4.4 - Remote Code Execution via Zip Slip in ImportModule.php
A zip slip vulnerability in the /modules/ImportModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary code via a crafted archive.
CVSS 6.5
CVE-2025-50946 WRITEUP MEDIUM WRITEUP
Olivetin 2025.4.22 - Command Injection
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.
CVSS 6.5
CVE-2025-70296 WRITEUP MEDIUM WRITEUP
Mealie 3.3.1-3.7.9 - Authenticated Stored HTML Injection in Recipe Notes Renderer
A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view.
CVSS 5.4
CVE-2025-70297 WRITEUP MEDIUM WRITEUP
Mealie 3.3.1-3.5.9 - Authenticated Stored Cross-Site Scripting via SVG File Upload
A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser.
CVSS 6.1