Python Exploits
5,729 exploits tracked across all sources.
WordPress Debug Tool <2.3 - RCE
The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to to create arbitrary files such as .php files that can be leveraged for remote code execution. CVE-2024-52416 may be a duplicate of this issue.
by Boshe99
CVSS 9.8
Pubnews theme <1.0.7 - Privilege Escalation
The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnews_importer_plugin_action_for_notice() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins that can be leveraged to exploit other vulnerabilities.
by Boshe99
CVSS 8.8
Vayu Blocks - Unauthorized Plugin Installation
The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1.
by Boshe99
CVSS 9.8
Eventon < 2.2.7 - Missing Authorization
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog
by Boshe99
CVSS 5.3
Meowapps AI Engine < 1.9.99 - Unrestricted File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
by Boshe99
CVSS 10.0
Liquidweb Restrict Content < 3.2.7 - Information Disclosure
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StellarWP Membership Plugin – Restrict Content plugin <= 3.2.7 versions.
by Boshe99
CVSS 5.3
WPvivid <0.9.35 - RCE
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the wpvivid_upload_import_files and wpvivid_upload_files AJAX actions that allows low-level authenticated attackers to upload zip files that can be subsequently extracted. This affects versions up to, and including 0.9.35.
by Boshe99
CVSS 8.8
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by Security-Phoenix-demo
5 stars
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by shyambhanushali
10 stars
Backdrop CMS <1.28.5-1.29.3 - XSS
An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.
by moften
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by imbas007
1 stars
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by C00LN3T
2 stars
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by cybertechajju
22 stars
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by lincemorado97
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by arashiyans
1 stars
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by sumanrox
38 stars
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by StillSoul
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by nehkark
5 stars
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by onlylovetx
2 stars
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by heiheishushu
7 stars
Django < 4.2.26 - SQL Injection
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
by Wafcontrol Security Team
CVSS 9.1
Liquidlabs Magicai - XSS
MagicProject AI version 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability within the chatbot generation feature available to authenticated admin users. The vulnerability resides in the prompt parameter submitted to the /dashboard/user/generator/generate-stream endpoint via a multipart/form-data POST request. Due to insufficient input sanitization, attackers can inject HTML-based JavaScript payloads. This payload is stored and rendered unsanitized in subsequent views, leading to execution in other users' browsers when they access affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not implement a Content Security Policy (CSP) or adequate input filtering to prevent such attacks. A fix should include proper sanitization, output encoding, and strong CSP enforcement to mitigate exploitation.
by xchg-rax-rax
CVSS 4.8
Avtech Dgm1104 Firmware - XSS
A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field.
by xchg-rax-rax
CVSS 6.1
Avtech Dgm1104 Firmware - Command Injection
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
by xchg-rax-rax
CVSS 8.8
Avtech Dgm1104 Firmware - Command Injection
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
by xchg-rax-rax
CVSS 6.5
By Source