coiffeur

10 exploits, active since Apr 2020
CVE-2025-34085 NOMISEC WORKING POC
Rejected
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2020-36847.
CVE-2020-36996 EXPLOITDB MEDIUM text WRITEUP
PHPFusion 9.03.50 - XSS
PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers.
CVSS 6.4
CVE-2020-36847 METASPLOIT CRITICAL ruby WORKING POC
Simple-File-List Plugin <4.2.2 - RCE
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function, which can be used to rename uploaded PHP code with a png extension so that it has a php extension. This allows unauthenticated attackers to execute code on the server.
CVSS 9.8
CVE-2023-27372 METASPLOIT CRITICAL ruby WORKING POC
Spip < 3.2.18 - Insecure Deserialization
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
CVSS 9.8
EIP-2026-114528 EXPLOITDB text WORKING POC
YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
EIP-2026-114049 EXPLOITDB python WORKING POC
WordPress Plugin Simple File List 4.2.2 - Arbitrary File Upload
EIP-2026-114050 EXPLOITDB python WORKING POC
WordPress Plugin Simple File List 4.2.2 - Remote Code Execution
CVE-2020-11819 EXPLOITDB CRITICAL bash WORKING POC
Rukovoditel - Path Traversal
In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.
CVSS 9.8
EIP-2026-110814 EXPLOITDB text WORKING POC
PHP-Fusion 9.03.60 - PHP Object Injection
EIP-2026-106514 EXPLOITDB python WORKING POC
Dolibarr 12.0.3 - SQLi to RCE