h00die

198 exploits Active since Jul 1997
CVE-2022-0492 METASPLOIT HIGH ruby WORKING POC
Docker cgroups Container Escape
A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
CVSS 7.8
CVE-2022-37706 METASPLOIT HIGH ruby WORKING POC
Ubuntu Enlightenment Mount Priv Esc
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
CVSS 7.8
CVE-2017-1000112 METASPLOIT HIGH ruby WORKING POC
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls, the append path can be switched from the UFO to the non-UFO one, which leads to a memory corruption. In case the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
CVSS 7.0
CVE-2023-34039 METASPLOIT CRITICAL ruby WORKING POC
VMware Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure
Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.
CVSS 9.8
CVE-2020-3950 METASPLOIT HIGH ruby WORKING POC
VMware Fusion <11.5.2 - Privilege Escalation
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.
CVSS 7.8
CVE-1978-1234 METASPLOIT ruby WORKING POC
Sample Linux Priv Esc
This exploit module illustrates how a vulnerability could be exploited in a Linux command for privilege escalation.
CVE-2020-7012 METASPLOIT HIGH ruby WORKING POC
Kibana 6.7.0-6.8.8 and 7.0.0-7.6.2 - Authenticated Code Injection in Upgrade Assistant
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
CVSS 8.8
CVE-2017-15889 METASPLOIT HIGH ruby WORKING POC
Synology DiskStation Manager < 5.2-5967-5 - Authenticated Command Injection via smart.cgi Disk Field
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via the disk field.
CVSS 8.8
CVE-2020-7357 METASPLOIT CRITICAL ruby WORKING POC
Cayin CMS - Authenticated OS Command Injection via NTP_Server_IP Parameter
Cayin CMS suffers from an authenticated, semi-blind OS command injection vulnerability reachable with default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter of the system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS versions 8.2, 8.0, and 7.5.
CVSS 9.6
CVE-2023-39265 METASPLOIT LOW ruby WORKING POC
Apache Superset <= 2.1.0 - SQLite Database Connection Manipulation via Alternative Driver Names
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.
CVSS 3.8
CVE-2025-34115 METASPLOIT HIGH ruby WORKING POC
OP5 Monitor <7.1.9 - Command Injection
An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as the unprivileged web application user. The vulnerability resides in the configuration section of the application and requires valid login credentials with access to the command testing functionality. This issue is fixed in version 7.2.0.
CVE-2017-6526 METASPLOIT CRITICAL ruby WORKING POC
dnaTools dnaLIMS 4-2015s13 - Unauthenticated Remote Code Execution via sysAdmin.cgi
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi POST requests).
CVSS 9.8
CVE-2017-12478 METASPLOIT CRITICAL ruby WORKING POC
Unitrends UEB HTTP API Remote Code Execution
It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system.
CVSS 9.8
CVE-2023-20887 METASPLOIT CRITICAL ruby WORKING POC
VMware Aria Operations for Networks (vRealize Network Insight) Pre-Authenticated RCE
Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.
CVSS 9.8
CVE-2018-1335 EXPLOITDB HIGH ruby WORKING POC
Apache Tika <1.18 - Command Injection
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
CVSS 8.1
EIP-2026-114801 EXPLOITDB ruby WORKING POC
Polycom Shell HDX Series - Traceroute Command Execution (Metasploit)
EIP-2026-114665 EXPLOITDB ruby WORKING POC
Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)
EIP-2026-114674 EXPLOITDB ruby WORKING POC
Werkzeug - Debug Shell Command Execution (Metasploit)
EIP-2026-114798 EXPLOITDB ruby WORKING POC
pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit)
EIP-2026-106553 EXPLOITDB text WRITEUP
dotProject 2.1.3 - Cross-Site Scripting / Improper Permissions
EIP-2026-105863 EXPLOITDB text WRITEUP
CiviCRM 3.1 < Beta 5 - Multiple Cross-Site Scripting Vulnerabilities
EIP-2026-105352 EXPLOITDB text WORKING POC
B-Hind CMS (tiny_mce) - Arbitrary File Upload
CVE-2020-11108 EXPLOITDB HIGH ruby WORKING POC
Pi-Hole heisenbergCompensator Blocklist OS Command Execution
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.
CVSS 8.8