Nomisec Exploits

22,490 exploits tracked across all sources.

CVE-2026-24061 NOMISEC CRITICAL
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
by LucasPDiniz
CVSS 9.8
CVE-2024-11467 NOMISEC HIGH
Omnissa Horizon Client - Privilege Escalation
Omnissa Horizon Client for macOS contains a Local privilege escalation (LPE) Vulnerability due to a logic flaw. Successful exploitation of this issue may allow attackers with user privileges to escalate their privileges to root on the system where the Horizon Client for macOS is installed.
by null-event
CVSS 7.8
CVE-2026-25253 NOMISEC HIGH
OpenClaw <2026.1.29 - Info Disclosure
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
by ethiack
72 stars
CVSS 8.8
CVE-2011-2523 NOMISEC CRITICAL
vsftpd 2.3.4 - Backdoor Command Execution
vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.
by tshaq17
CVSS 9.8
CVE-2022-25012 NOMISEC MEDIUM
Argus Surveillance DVR 4.0 - Inadequate Encryption Strength
Argus Surveillance DVR v4.0 employs weak password encryption.
by XK3NF4
2 stars
CVSS 5.5
CVE-2025-54574 NOMISEC CRITICAL
Squid < 6.4 - Heap-based Buffer Overflow via URN Processing
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.
by starrynightsecurity
CVSS 9.3
CVE-2025-24893 NOMISEC CRITICAL
XWiki Platform - Remote Code Execution
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
by Retro023
CVSS 9.8
CVE-2025-27237 NOMISEC HIGH
Zabbix Agent/Agent 2 <Windows> - Privilege Escalation
In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.
by HackingLZ
19 stars
CVE-2018-25031 NOMISEC MEDIUM
Swagger UI < 4.1.3 - Server-Side Request Forgery via OpenAPI Definition URL
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
by rasinfosec
CVSS 4.3
CVE-2025-1094 NOMISEC HIGH
PostgreSQL < 17.3, 16.7, 15.11, 14.16, 13.19 - SQL Injection via libpq Quoting Functions
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
by Nguyen-Van-Gia-Binh
1 star
CVSS 8.1
CVE-2025-65264 NOMISEC MEDIUM
CPUID CPU-Z < 2.17 - Information Disclosure via IOCTL Interface
The kernel driver of CPUID CPU-Z v2.17 and earlier does not validate user-supplied values passed via its IOCTL interface, allowing an attacker to access sensitive information via a crafted request.
by cwjchoi01
CVSS 5.5
CVE-2026-24061 NOMISEC CRITICAL
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
by yanxinwu946
3 stars
CVSS 9.8
CVE-2025-24893 NOMISEC CRITICAL
XWiki Platform - Remote Code Execution
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
by nohack1212
CVSS 9.8
CVE-2022-47447 NOMISEC MEDIUM
WordPress WP-Advanced-Search <= 3.3.8 - Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) vulnerability in Mathieu Chartier WordPress WP-Advanced-Search plugin <= 3.3.8 versions.
by yup-Ivan
1 star
CVSS 4.3
CVE-2024-6651 NOMISEC MEDIUM
WordPress File Upload <4.24.8 - XSS
The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
by yup-Ivan
1 star
CVSS 6.1
CVE-2026-24306 NOMISEC CRITICAL
Azure Front Door - Privilege Escalation
Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.
by ExploreUnknowed
CVSS 9.8
CVE-2026-21962 NOMISEC CRITICAL
Oracle HTTP Server & WebLogic Proxy Plug-in 12.2.1.4.0/14.1.1.0.0/14.1.2.0.0 - Unauthenticated Access Control
Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
by ThumpBo
CVSS 10.0
CVE-2025-41243 NOMISEC CRITICAL
Spring Cloud Gateway Server Webflux - Info Disclosure
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured.
by SFN233
CVSS 10.0
CVE-2025-14855 NOMISEC HIGH
SureForms <= 2.2.0 - Unauthenticated Stored XSS via Form Field Parameters
The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
by ch4r0nn
1 star
CVSS 7.2
CVE-2026-24061 NOMISEC CRITICAL
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
by XsanFlip
CVSS 9.8
CVE-2009-3103 NOMISEC
Windows Vista and Server 2008 - Remote Code Execution via SMBv2 Negotiate Protocol Request
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
by afifudinmtop
CVE-2026-24061 NOMISEC CRITICAL
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
by punitdarji
CVSS 9.8
CVE-2026-24061 NOMISEC CRITICAL
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
by monstertsl
CVSS 9.8
CVE-2025-68921 NOMISEC HIGH
SteelSeries Nahimic 3 <1.10.7 - Path Traversal
SteelSeries Nahimic 3 1.10.7 allows Directory traversal.
by kikiuuw
CVSS 7.8
CVE-2023-38817 NOMISEC HIGH
Inspect Element Ltd Echo.ac <5.2.1.0 - Privilege Escalation
An issue in Inspect Element Ltd Echo.ac v.5.2.1.0 allows a local attacker to gain privileges via a crafted command to the echo_driver.sys component. NOTE: the vendor's position is that the reported ability for user-mode applications to execute code as NT AUTHORITY\SYSTEM was "deactivated by Microsoft itself."
by SecSecBurger
CVSS 7.8