r0otk3r

16 exploits Active since Oct 2021
CVE-2025-47812 NOMISEC CRITICAL WORKING POC
Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
1 stars
CVSS 10.0
CVE-2025-3248 NOMISEC CRITICAL WORKING POC
Langflow AI - Unauthenticated Remote Code Execution
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
1 stars
CVSS 9.8
CVE-2025-63353 NOMISEC CRITICAL WORKING POC
FiberHome GPON ONU HG6145F1 RP4423 - Info Disclosure
A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The device generates default passwords using a deterministic algorithm that derives the router passphrase from the SSID, enabling an attacker who can observe the SSID to predict the default password without authentication or user interaction.
CVSS 9.8
CVE-2025-31161 NOMISEC CRITICAL WORKING POC
CrushFTP - Authentication Bypass
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
CVSS 9.8
CVE-2025-4380 NOMISEC HIGH WORKING POC
Scripteo Ads Pro < 4.89 - Remote File Inclusion
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site.
CVSS 8.1
CVE-2025-2294 NOMISEC CRITICAL WORKING POC
Kubio AI Page Builder <2.5.1 - Local File Inclusion
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS 9.8
CVE-2025-41646 NOMISEC CRITICAL WORKING POC
Software Package - Auth Bypass
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device
CVSS 9.8
CVE-2024-9014 NOMISEC CRITICAL SCANNER
Pgadmin 4 < 8.12 - Insufficiently Protected Credentials
pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.
CVSS 9.9
CVE-2024-7954 NOMISEC CRITICAL WORKING POC
SPIP - RCE
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
CVSS 9.8
CVE-2024-27954 NOMISEC CRITICAL WORKING POC
WP Automatic <3.92.0 - Path Traversal
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side Request Forgery.This issue affects Automatic: from n/a through 3.92.0.
CVSS 9.3
CVE-2024-4577 NOMISEC CRITICAL WORKING POC
PHP CGI Argument Injection Remote Code Execution
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
CVSS 9.8
CVE-2024-25600 NOMISEC CRITICAL WORKING POC
Unauthenticated Remote Code Execution - Bricks <= 1.9.6
Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection.This issue affects Bricks Builder: from n/a through 1.9.6.
CVSS 10.0
CVE-2024-1212 NOMISEC CRITICAL WORKING POC
Progress Loadmaster < 7.2.48.10 - OS Command Injection
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
CVSS 10.0
CVE-2024-10915 NOMISEC HIGH WORKING POC
Dlink Dns-320 Firmware - Command Injection
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
CVSS 8.1
CVE-2022-1388 NOMISEC CRITICAL WORKING POC
F5 BIG-IP iControl RCE via REST Authentication Bypass
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVSS 9.8
CVE-2021-41773 NOMISEC CRITICAL WORKING POC
Apache 2.4.49/2.4.50 Traversal RCE
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
CVSS 9.8