horizon3ai

45 exploits Active since Feb 2021
CVE-2024-29824 NOMISEC HIGH WORKING POC
Ivanti EPM RecordGoodApp SQLi RCE
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
26 stars
CVSS 8.8
CVE-2023-28324 NOMISEC CRITICAL WORKING POC
Ivanti Endpoint Manager < 2022 - Privilege Escalation or Remote Code Execution
A improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution.
20 stars
CVSS 9.8
CVE-2024-8190 NOMISEC HIGH WORKING POC
Ivanti Cloud Services Appliance <4.6.518 - Command Injection
An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.
17 stars
CVSS 7.2
CVE-2024-1403 NOMISEC CRITICAL WORKING POC
OpenEdge < 11.7.19 - Authentication Bypass via Credential Handling Failure
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.  The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.  
16 stars
CVSS 10.0
CVE-2024-13159 NOMISEC CRITICAL WORKING POC
Ivanti Endpoint Manager < 2022 - Unauthenticated Absolute Path Traversal
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
13 stars
CVSS 9.8
CVE-2021-44142 NOMISEC HIGH WORKING POC
Samba < 4.13.17 - Out-of-bounds Read and Write via Extended File Attributes
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
10 stars
CVSS 8.8
CVE-2026-22200 NOMISEC HIGH WORKING POC
Enhancesoft osTicket 1.17.0-1.17.6 and 1.18.0-1.18.2 - Unauthenticated Arbitrary File Read via Ticket PDF Export
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
8 stars
CVSS 7.5
CVE-2024-28987 NOMISEC CRITICAL WORKING POC
SolarWinds Web Help Desk - Hardcoded Credential
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
7 stars
CVSS 9.1
CVE-2025-55182 GITHUB CRITICAL python WORKING POC
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
2 stars
CVSS 10.0
CVE-2025-11700 GITHUB HIGH python WORKING POC
N-able N-Central Authentication Bypass and XXE Scanner
N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure
2 stars
CVSS 7.5
CVE-2025-9316 NOMISEC MEDIUM WORKING POC
N-central <2025.4 - Info Disclosure
N-central < 2025.4 can generate sessionIDs for unauthenticated users This issue affects N-central: before 2025.4.
2 stars
CVE-2023-20198 NOMISEC CRITICAL WORKING POC
Cisco IOX XE Unauthenticated RCE Chain
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
2 stars
CVSS 10.0
CVE-2025-11700 GITHUB HIGH go WORKING POC
N-able N-Central Authentication Bypass and XXE Scanner
N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure
CVSS 7.5
CVE-2025-9316 NOMISEC MEDIUM WORKING POC
N-central <2025.4 - Info Disclosure
N-central < 2025.4 can generate sessionIDs for unauthenticated users This issue affects N-central: before 2025.4.
CVE-2021-34523 PATCHAPALOOZA CRITICAL WORKING POC
Microsoft Exchange Server - Privilege Escalation
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVSS 9.0
CVE-2021-31207 PATCHAPALOOZA MEDIUM WORKING POC
Microsoft Exchange Server - Security Feature Bypass via Unrestricted File Upload
Microsoft Exchange Server Security Feature Bypass Vulnerability
CVSS 6.6
CVE-2024-57727 METASPLOIT HIGH ruby WORKING POC
SimpleHelp Path Traversal Vulnerability CVE-2024-57727
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.
CVSS 7.5
CVE-2022-47966 METASPLOIT CRITICAL ruby WORKING POC
ManageEngine ADSelfService Plus Unauthenticated SAML RCE
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
CVSS 9.8
CVE-2022-47966 METASPLOIT CRITICAL ruby WORKING POC
ManageEngine ADSelfService Plus Unauthenticated SAML RCE
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
CVSS 9.8
CVE-2022-47966 METASPLOIT CRITICAL ruby WORKING POC
ManageEngine ADSelfService Plus Unauthenticated SAML RCE
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
CVSS 9.8