Nomisec Exploits

22,532 exploits tracked across all sources.

Sort: Activity Stars
CVE-2025-56803 NOMISEC HIGH
Figma Desktop 125.6.5 - OS Command Injection via Plugin Manifest Build Field
Figma Desktop for Windows version 125.6.5 contains a command injection vulnerability in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin's manifest.json. This field is passed to child_process.exec without validation, leading to possible RCE. NOTE: this is disputed by the Supplier because the behavior only allows a local user to attack himself via a local plugin. The local build procedure, which is essential to the attack, is not executed for plugins shared to the Figma Community.
by shinyColumn
1 stars
CVSS 8.4
CVE-2025-57199 NOMISEC HIGH
AVTECH DGM1104 FullImg-1015-1004-1006-1003 - Authenticated Command Injection via NetFailDetectD Binary
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
by xchg-rax-rax
CVSS 8.8
CVE-2018-5764 NOMISEC HIGH
rsync < 3.1.3 - Argument Sanitization Bypass via Multiple --protect-args Uses
The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
by waleedadam360-web
CVSS 7.5
CVE-2025-49132 NOMISEC CRITICAL
Pterodactyl Panel < 1.11.11 - Unauthenticated Remote Code Execution via Locale Endpoint
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
by 0xf3d0rq
CVSS 10.0
CVE-2025-57833 NOMISEC HIGH
Django 4.2-4.2.23, 5.1-5.1.11, 5.2-5.2.5 - SQL Injection via FilteredRelation Column Aliases
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
by sw0rd1ight
2 stars
CVSS 7.1
CVE-2023-35813 NOMISEC CRITICAL
Sitecore Experience Manager, Experience Platform, Experience Commerce < 10.3 - Remote Code Execution
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
by Rezy-Dev
CVSS 9.8
CVE-2025-6018 NOMISEC HIGH
pam-config - Local Privilege Escalation via Polkit Bypass
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations.
by euxem
CVSS 7.8
CVE-2025-32433 NOMISEC CRITICAL
Erlang OTP Pre-Auth RCE Scanner and Exploit
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
by soltanali0
CVSS 10.0
CVE-2025-29927 NOMISEC CRITICAL
Next.js Middleware Bypass
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
by Bongni
1 stars
CVSS 9.1
CVE-2025-55315 NOMISEC CRITICAL
ASP.NET Core 2.3.0-2.3.5 - HTTP Request Smuggling via Inconsistent Request Interpretation
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
by MartinFabianIonut
1 stars
CVSS 9.9
CVE-2024-21413 NOMISEC CRITICAL
Microsoft 365 Apps and Office 2016-2019 - Remote Code Execution via Moniker Link
Microsoft Outlook Remote Code Execution Vulnerability
by mmathivanan17
11 stars
CVSS 9.8
CVE-2021-23394 NOMISEC HIGH
elFinder < 2.1.58 - Remote Code Execution via .phar File Upload
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
by 0xnemian
CVSS 8.1
CVE-2025-43504 NOMISEC MEDIUM
Xcode < 26.1 - Denial of Service via Buffer Overflow
A buffer overflow was addressed with improved bounds checking. This issue is fixed in Xcode 26.1. A user in a privileged network position may be able to cause a denial-of-service.
by calysteon
CVSS 4.9
CVE-2025-24893 NOMISEC CRITICAL
XWiki Platform - Remote Code Execution
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
by torjan0
2 stars
CVSS 9.8
CVE-2023-46136 NOMISEC HIGH
Werkzeug < 2.3.8 and 3.0.0 - Denial of Service via Crafted Multipart Data
Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1 and 2.3.8.
by JawadPy
CVSS 8.0
CVE-2025-6440 NOMISEC CRITICAL
WooCommerce Designer Pro <1.9.26 - RCE
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
by m2hcz
1 stars
CVSS 9.8
CVE-2025-32463 NOMISEC CRITICAL
Sudo <1.9.17p1 - Privilege Escalation
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
by Nowafen
13 stars
CVSS 9.3
CVE-2025-8088 NOMISEC HIGH
WinRAR < 7.13 - Path Traversal and Arbitrary Code Execution via Malicious Archive
A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
by xi0onamdev
CVSS 8.8
CVE-2018-10933 NOMISEC CRITICAL
libssh Authentication Bypass Scanner
A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.
by opsifiz
CVSS 9.1
CVE-2025-1716 NOMISEC CRITICAL
picklescan <0.0.21 - Code Injection
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.
by 0xDaeras
CVSS 9.8
CVE-2020-14343 NOMISEC CRITICAL
PyYAML < 5.4 - Remote Code Execution via Python Object Constructor
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
by Kairo-one
CVSS 9.8
CVE-2025-21202 NOMISEC MEDIUM
Windows Recovery Environment Agent - Elevation of Privilege
Windows Recovery Environment Agent Elevation of Privilege Vulnerability
by 7amzahard
8 stars
CVSS 6.1
CVE-2018-17254 NOMISEC CRITICAL
JCK Editor 6.4.4 - SQL Injection via jtreelink Parent Parameter
The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
by 7amzahard
1 stars
CVSS 9.8
CVE-2020-24186 NOMISEC CRITICAL
wpDiscuz 7.0-7.0.4 - Unauthenticated Remote Code Execution via File Upload
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
by sec-dojo-com
CVSS 10.0
CVE-2025-63419 NOMISEC MEDIUM
CrushFTP < 11.3.7_60 - Cross-Site Scripting via File Share Email Body
Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection.
by MMAKINGDOM
2 stars
CVSS 6.1