Metasploit Exploits
3,228 exploits tracked across all sources.
Synacor Zimbra Collaboration Suite <8.7.11p10 - XXE
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.
by An Trinh, Khanh Viet Pham, Jacob Robles
CVSS 9.8
Cayintech Cms-se Firmware - OS Command Injection
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS version 8.2, 8.0, and 7.5.
by h00die, Gjoko Krstic (LiquidWorm) <[email protected]>
CVSS 9.6
Cisco Linksys Wrt110 Firmware - CSRF
Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT110 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.
by Craig Young, joev, juan vazquez
CVSS 8.8
ICTBroadcast - Command Injection
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling.
Versions 7.4 and below are known to be vulnerable.
by Valentin Lobstein
MVPower CCTV DVR - RCE
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.
by Paul Davies (UHF-Satcom), Andrew Tierney (Pen Test Partners), bcoles
CVSS 9.8
Vmware View Planner < 4.6 - Missing Authorization
VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.
by Mikhail Klyuchnikov, wvu, Grant Willcox
CVSS 9.8
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
by remmons-r7, sfewer-r7
CVSS 10.0
Tp-link Nc200 Firmware - OS Command Injection
Certain TP-Link devices allow Command Injection. This affects NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.
CVSS 8.8
Apache Superset < 2.1.0 - Improper Input Validation
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.
by h00die, paradoxis, Spencer McIntyre, Naveen Sunkavally
CVSS 3.8
Xstream < 1.4.18 - Missing Authentication
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
by h00die-gr3y, Sina Kheirkhah, Steven Seeley
CVSS 8.5
Fortinet Fortiproxy < 7.0.7 - Authentication Bypass
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
by Heyder Andrade <@HeyderAndrade>, Zach Hanley <@hacks_zach>
CVSS 9.8
PeerCast <0.1217 - RCE
Multiple stack-based buffer overflows in the procConnectArgs function in servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute arbitrary code via an HTTP GET request with a long (1) parameter name or (2) value in a URL, which triggers the overflow in the nextCGIarg function in servhs.cpp.
by MC
Vmware Identity Manager < 9.0 - Authentication Bypass
VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
by mr_me, jheysel-r7
CVSS 9.8
Acronis Cyber Infrastructure <5.0.1-61, <5.1.1-71, <5.2.1-69, <5.3....
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.
CVSS 9.8
Netgear routers <1.1.00.45 - Command Injection
An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN1000B model firmware versions 1.1.00.24 and 1.1.00.45) via the TimeToLive parameter in the setup.cgi endpoint. The vulnerability arises from improper input neutralization, enabling command injection through crafted POST requests. This flaw enables remote attackers to deploy payloads or manipulate system state post-authentication.
CVSS 7.2
Optergy Proton/Enterprise - RCE
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
CVSS 9.8
OP5 Monitor <7.1.9 - Command Injection
An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as the unprivileged web application user. The vulnerability resides in the configuration section of the application and requires valid login credentials with access to the command testing functionality. This issue is fixed in version 7.2.0.
by h00die <[email protected]>, hyp3rlinx
NUUO <3.2.0 - RCE
handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, NUUO Crystal 2.2.1 through 3.2.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the NTPServer parameter.
CVSS 9.8
Cisco UCS Director - Auth Bypass/Path Traversal
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
by mr_me, wvu
CVSS 9.8
D-Link DIR-300 rev B & DIR-600 <2.13/2.14b01 - Command Injection
An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitation of the cmd parameter.
CVSS 9.8
Dnatools Dnalims - Authentication Bypass
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi POST requests).
by h00die <[email protected]>, flakey_biscuit <[email protected]>
CVSS 9.8
Grandstream UCM6200 <1.0.19.20 - SQL Injection
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.
by jbaines-r7
CVSS 9.8
Selenium Grid < 4.0.0 - CSRF
Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
by randomstuff (Gabriel Corona), Wiz Research, Takahiro Yokoyama
CVSS 8.8
Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499)
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
by Nikita Abramov, Mikhail Klyuchnikov, wvu, jheysel-r7
CVSS 5.3
Netgear Dgn1000 Firmware < 1.1.00.48 - Missing Authentication
NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC.
by Mumbai, Robort Palerie <[email protected]>
CVSS 9.8
By Source