xchg-rax-rax - Security Researcher - Exploit Intelligence Platform

CVE-2025-57200 GITHUB MEDIUM python WORKING POC

AVTECH DGM1104 Firmware FullImg-1015-1004-1006-1003 - Authenticated Command Injection via test_mail Function

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

CVSS 6.5

View Code

CVE-2025-57201 GITHUB HIGH python WORKING POC

AVTECH DGM1104 Firmware FullImg-1015-1004-1006-1003 - Authenticated Command Injection via SMB Server Function

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

CVSS 8.8

View Code

CVE-2025-57202 GITHUB MEDIUM python WORKING POC

AVTECH DGM1104 FullImg-1015-1004-1006-1003 - Stored Cross-Site Scripting via PwdGrp.cgi Username Field

A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field.

CVSS 6.1

View Code

CVE-2025-57203 GITHUB MEDIUM python WORKING POC

Liquidlabs Magicai - XSS

MagicProject AI version 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability within the chatbot generation feature available to authenticated admin users. The vulnerability resides in the prompt parameter submitted to the /dashboard/user/generator/generate-stream endpoint via a multipart/form-data POST request. Due to insufficient input sanitization, attackers can inject HTML-based JavaScript payloads. This payload is stored and rendered unsanitized in subsequent views, leading to execution in other users' browsers when they access affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not implement a Content Security Policy (CSP) or adequate input filtering to prevent such attacks. A fix should include proper sanitization, output encoding, and strong CSP enforcement to mitigate exploitation.

CVSS 4.8

View Code

CVE-2025-57199 NOMISEC HIGH WORKING POC

AVTECH DGM1104 FullImg-1015-1004-1006-1003 - Authenticated Command Injection via NetFailDetectD Binary

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

CVSS 8.8

View Code