Metasploit Exploits
3,294 exploits tracked across all sources.
Meteocontrol WEB'log Basic 100 - Security Feature Bypass
Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited do not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.
CVSS 9.4
Majordomo <20110131 - Path Traversal
Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
by Nikolas Sotiriu
JBoss JMX Console Deployer Upload and Execute
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
by Tyler Krpata, Zach Grace <@ztgrace>
CVSS 5.3
JBoss Enterprise Application Platform < 4.2.0.CP03 and 4.3.0 < 4.3.0.CP01 - Information Disclosure via Status Servlet
JBoss Enterprise Application Platform (aka JBossEAP or EAP) before 4.2.0.CP03, and 4.3.0 before 4.3.0.CP01, allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string.
by Tyler Krpata, Zach Grace <@ztgrace>
Red Hat JBoss EAP/JBEAP <4.2.0.CP09-4.3.0.CP08 - Info Disclosure
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
by Tyler Krpata, Zach Grace <@ztgrace>
CVSS 7.5
JBoss Application Server - Code Injection
In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
by Tyler Krpata, Zach Grace <@ztgrace>
CVSS 9.8
Red Hat JBoss EAP <4.2.0.CP09 and <4.3.0.CP08 - Info Disclosure
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.
Drupal 7.x < 7.34 and Secure Password Hashes 6.x-2.x < 6.x-2.1 - Denial of Service via Password Hashing API
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
by Javier Nieto Arevalo, Andres Rojas Guerrero, rastating
WordPress < 4.5.5 - Cross-Site Request Forgery via Late check_ajax_referer Call
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
by Yorick Koster, CryptisStudents
CVSS 6.5
Squid Proxy Range Header DoS
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.
by Joshua Rogers
CVSS 6.5
Apache Tomcat < 5.5.35, 6.x < 6.0.35, 7.x < 7.0.23 - Denial of Service via Hash Collision in Form Parameters
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
by Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer
Oracle Glassfish < 3.1.1 - Denial of Service via Predictable Hash Collisions
Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.
by Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer
Apache Geronimo < 2.2.1 - Denial of Service via Predictable Hash Collisions
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
by Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer
Telerik Report Server Auth Bypass and Deserialization RCE
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
by SinSinology, Soroush Dalili, Unknown, Spencer McIntyre
CVSS 9.8
Microsoft SharePoint Server - Remote Code Execution
Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
by Viettel Cyber Security, sfewer-r7
CVSS 8.8
Microsoft SharePoint Server - Code Injection
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild.
Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
by Viettel Cyber Security, sfewer-r7
CVSS 9.8
Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
by Viettel Cyber Security, sfewer-r7
CVSS 6.5
CyberPanel Multi CVE Pre-auth RCE
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
by DreyAnd, Valentin Lobstein, Luka Petrovic (refr4g)
CVSS 10.0
CyberPanel <2.3.5 - Command Injection
CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.
by DreyAnd, Valentin Lobstein, Luka Petrovic (refr4g)
CVSS 10.0
SureTriggers - All-in-One Automation Platform < 1.0.78 - Authentication Bypass
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
by Michael Mazzolini (mikemyers), Denver Jackson, Khaled Alenazi (Nxploited), Valentin Lobstein
CVSS 8.1
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by Maksim Rogov
CVSS 10.0
Ivanti Endpoint Manager Mobile <= 12.5.0.0 - Unauthenticated Authentication Bypass via API
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.
by CERT-EU, Sonny Macdonald, Piotr Bazydlo, remmons-r7
CVSS 5.3
Apache OFBiz forgotPassword/ProgramExport RCE
Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
by Mr-xn, jheysel-r7
CVSS 9.8
pyload-ng v0.5.0b3.dev85 - Remote Code Execution via Crafted HTTP Request
An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.
by Marven11, Spencer McIntyre, jheysel-r7
CVSS 9.8
WordPress LearnPress Unauthenticated SQLi (CVE-2024-8522, CVE-2024-8529)
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
by abrahack, Valentin Lobstein, Achref Ben Thameur a.k.a achrefthameur
CVSS 10.0