Github Exploits
98 exploits tracked across all sources.
Kubio AI Page Builder <2.5.1 - Local File Inclusion
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
by AikidoSec
NPM Crud-query-parser < 0.1.0 - SQL Injection
The crud-query-parser library parses query parameters from HTTP requests and converts them to database queries. Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter. This vulnerability is fixed in 0.1.0.
by AikidoSec
6 stars
axios <1.8.2 - SSRF
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
by AikidoSec
Canvg < 3.0.11 - Prototype Pollution
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
by AikidoSec
Jonschlinkert Parse-git-config - Information Disclosure
An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function
by AikidoSec
Nodejs Node.js < 18.20.6 - Path Traversal
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.
On Windows, a path that does not start with the file separator is treated as relative to the current directory.
This vulnerability affects Windows users of `path.join` API.
by AikidoSec
Mongoose <8.8.3 - SQL Injection
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
by AikidoSec
Axios < 1.7.4 - SSRF
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
by AikidoSec
libuv - Info Disclosure
libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
by AikidoSec
FUXA <= 1.1.12 - SQL Injection
FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.
by AikidoSec
dot-prop <4.2.1, <5.1.1 - Prototype Pollution
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
by AikidoSec
@firebase/util <0.3.4 - Code Injection
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
by AikidoSec
Fast-http - Path Traversal
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.
by AikidoSec
ssh2 <1.4.0 - Command Injection
ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.
by AikidoSec
Node-df - Code Injection
A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input.
by AikidoSec
Sequelize <2.0.0-rc7 - SQL Injection
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.
by AikidoSec
6 stars
Nodejs Node.js < 0.2.4 - Path Traversal
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
by AikidoSec
Apache Commons IO <2.14.0 - DoS
Uncontrolled Resource Consumption vulnerability in Apache Commons IO.
The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.
This issue affects Apache Commons IO: from 2.0 before 2.14.0.
Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
by PawelMurdzek
CVSS 4.3
(pending title)
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by anuththara2007-W
3 stars
(pending title)
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by l4rm4nd
79 stars
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by react2shell-repo-menagerie
CVSS 10.0
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by react2shell-repo-menagerie
CVSS 10.0
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by react2shell-repo-menagerie
CVSS 10.0
(pending title)
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by react2shell-repo-menagerie
(pending title)
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by react2shell-repo-menagerie
By Source