Exploit Database

145,169 exploits tracked across all sources.

Sort: Activity Stars
CVE-2025-57282 WRITEUP HIGH
ngrok 4.3.3/5.0.0-beta.2 - Command Injection
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.
CVSS 8.8
CVE-2026-29962 WRITEUP HIGH
HSC MailInspector 5.3.3-7 - Path Traversal
HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
CVSS 7.5
CVE-2026-29963 WRITEUP HIGH
HSC MailInspector 5.3.3-7 - Path Traversal
HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information.
CVSS 7.5
CVE-2026-29964 WRITEUP MEDIUM
HSC MailInspector 5.3.3-7 - Cross-Site Scripting via /tap/tap.php Endpoint
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
CVSS 6.1
CVE-2026-29965 WRITEUP MEDIUM
HSC MailInspector 5.3.3-7 - Cross-Site Scripting in WarningUrlPage Endpoint
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
CVSS 6.1
CVE-2026-36438 WRITEUP MEDIUM
Intelbras VIP-1230-D-G4 V2.800.00IB00C.0.T - Info Disclosure
An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd
CVSS 5.3
CVE-2026-38719 WRITEUP MEDIUM
OpENer v2.3-558-g1e99582 - Out-of-Bounds Read
OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply an attacker-controlled item_count value that is not consistently validated against the remaining data_length of the CPF slice
CVSS 6.2
CVE-2026-41940 METASPLOIT CRITICAL ruby
cPanel and WHM Authentication Bypass via Login Flow
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
by Sina Kheirkhah, Adam Kues, Shubham Shah, Crypto-Cat
CVSS 9.8
CVE-2025-55182 GITHUB CRITICAL python
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by ycseo-git
CVSS 10.0
CVE-2024-32019 GITHUB HIGH python
netdata 1.44.0-60-1.45.0-169 and 1.45.0-1.45.3 - Local Privilege Escalation via PATH Environment Variable Manipulation
Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
by Akira07210
CVSS 8.8
CVE-2026-33825 GITHUB HIGH
Microsoft Defender Elevation of Privilege Vulnerability
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.
by 0xBlackash
CVSS 7.8
CVE-2026-29965 GITHUB MEDIUM
HSC MailInspector 5.3.3-7 - Cross-Site Scripting in WarningUrlPage Endpoint
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
by sql3t0
CVSS 6.1
CVE-2026-29964 GITHUB MEDIUM
HSC MailInspector 5.3.3-7 - Cross-Site Scripting via /tap/tap.php Endpoint
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
by sql3t0
CVSS 6.1
CVE-2026-29963 GITHUB HIGH
HSC MailInspector 5.3.3-7 - Path Traversal
HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information.
by sql3t0
CVSS 7.5
CVE-2026-29962 GITHUB HIGH
HSC MailInspector 5.3.3-7 - Path Traversal
HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
by sql3t0
CVSS 7.5
CVE-2023-24215 GITHUB CRITICAL
NOVUS AirGate 4G 1.1.16 - Info Disclosure
Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request.
by sql3t0
CVSS 9.1
CVE-2026-40369 GITHUB HIGH python
Microsoft Windows 11 Version 24H2 - Windows Kernel Elevation of Privilege Vulnerability
Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
by Hex0rc1st
2 stars
CVSS 7.8
CVE-2026-34197 GITHUB HIGH python
Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue
by hnytgl
1 stars
CVSS 8.8
CVE-2026-42945 GITHUB HIGH python
NGINX Plus and NGINX Open Source - Heap-based Buffer Overflow in ngx_http_rewrite_module
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
by hnytgl
1 stars
CVSS 8.1
CVE-2026-33824 GITHUB CRITICAL c++
Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
by EpSiLoNPoInTOrI
CVSS 9.8
CVE-2024-27198 NOMISEC CRITICAL
TeamCity < 2023.11.4 - Authentication Bypass
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
by cmpnn-romain
CVSS 9.8
CVE-2020-17103 NOMISEC HIGH
Windows Cloud Files Mini Filter Driver - Privilege Escalation
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
by arch1m3d
CVSS 7.0
CVE-2026-43284 GITHUB HIGH shell
xfrm: esp: avoid in-place decrypt on shared skb frags
In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
by ochebotar
9 stars
CVSS 8.8
CVE-2025-34291 NOMISEC HIGH
Langflow <= 1.6.9 - Account Takeover and Remote Code Execution via CORS Misconfiguration
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
by amnnrth
CVSS 8.8
CVE-2026-7304 WRITEUP CRITICAL
SGLang - Unauthenticated Remote Code Execution via Pickle Deserialization
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
CVSS 9.8