Nomisec Exploits

22,534 exploits tracked across all sources.

Sort: Activity Stars
CVE-2025-52881 NOMISEC HIGH
runc <1.4.0-rc.2 - Privilege Escalation
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
by jq6l43d1
15 stars
CVSS 7.5
CVE-2025-27591 NOMISEC MEDIUM
Below < 0.9.0 - Privilege Escalation via World-Writable Log Directory
A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
by 0xDTC
1 stars
CVSS 6.8
CVE-2025-48507 NOMISEC HIGH
AMD Kria SOM Zynq UltraScale+ MPSoCs and RFSoCs - Improper Validation of Specified Quantity in Input
The security state of the calling processor into Trusted Firmware (TF-A) is not used and could potentially allow non-secure processors access to secure memories, access to crypto operations, and the ability to turn on and off subsystems within the SOC.
by jdbonfils
1 stars
CVE-2025-26686 NOMISEC HIGH
Windows TCP/IP < - Memory Corruption
Sensitive data storage in improperly locked memory in Windows TCP/IP allows an unauthorized attacker to execute code over a network.
by cyghtinc
CVSS 7.5
CVE-2025-63667 NOMISEC HIGH
SIMICAM KEVIEW ASECAM IP Camera Firmware - Unauthenticated Sensitive API Endpoint Access
Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication.
by Remenis
CVSS 7.5
CVE-2025-39964 NOMISEC LOW
Linux Kernel - Denial of Service via Concurrent af_alg Socket Writes
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.
by n1k0oowang
1 stars
CVSS 3.3
CVE-2025-64459 NOMISEC CRITICAL
Django 4.2-4.2.25 5.1-5.1.13 5.2a1-5.2.7 - SQL Injection via QuerySet Dictionary Expansion
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
by nunpa
1 stars
CVSS 9.1
CVE-2008-4250 NOMISEC CRITICAL
Microsoft Windows Server Service - Remote Code Execution via Crafted RPC Request
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."
by BinRacer
CVSS 9.8
CVE-2008-4250 NOMISEC CRITICAL
Microsoft Windows Server Service - Remote Code Execution via Crafted RPC Request
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."
by BinRacer
1 stars
CVSS 9.8
CVE-2025-63892 NOMISEC MEDIUM
SourceCodester Student Grades Management System 1.0 - XSS
A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function create_classroom of the file /classroom.php of the component My Classrooms Management Page. This manipulation of the argument name/description causes stored cross site scripting.
by minhajultaivin
CVSS 6.8
CVE-2025-9816 NOMISEC HIGH
WP Statistics - WordPress <14.5.4 - XSS
The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
by monzaviman
CVSS 7.2
CVE-2024-0044 NOMISEC MEDIUM
PackageInstallerService - Privilege Escalation
In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
by HoyoenKim
CVSS 6.7
CVE-2025-11492 NOMISEC CRITICAL
ConnectWise Automate < 2025.9 - Cleartext Transmission of Sensitive Information via HTTP
In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.
by synap5e
1 stars
CVSS 9.6
CVE-2024-47167 NOMISEC CRITICAL
Gradio < 5.0 queue/join - Server-Side Request Forgery
Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_cache` function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This could enable attackers to target internal servers or services within a local network and possibly exfiltrate data or cause unwanted internal requests. Additionally, the content from these URLs is stored locally, making it easier for attackers to upload potentially malicious files to the server. This impacts users deploying Gradio servers that use components like the Video component which involve URL fetching. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can disable or heavily restrict URL-based inputs in their Gradio applications to trusted domains only. Additionally, implementing stricter URL validation (such as allowinglist-based validation) and ensuring that local or internal network addresses cannot be requested via the `/queue/join` endpoint can help mitigate the risk of SSRF attacks.
by alexan011
CVSS 9.8
CVE-2025-20260 NOMISEC CRITICAL
ClamAV < 1.0.9 - Heap-based Buffer Overflow in PDF Scanner
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
by keyuraghao
CVSS 9.8
CVE-2025-12101 NOMISEC MEDIUM
NetScaler ADC/NetScaler Gateway - XSS
Cross-Site Scripting (XSS) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
by 6h4ack
3 stars
CVE-2023-22515 NOMISEC CRITICAL
Atlassian Confluence Unauthenticated Remote Code Execution
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
by Chocapikk
148 stars
CVSS 9.8
CVE-2020-9802 NOMISEC HIGH
iCloud < 7.19 - Remote Code Execution
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. Processing maliciously crafted web content may lead to arbitrary code execution.
by Billy-Ellis
7 stars
CVSS 8.8
CVE-2023-36802 NOMISEC HIGH
Microsoft Streaming Service Proxy - Privilege Escalation
Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
by rahul0xkr
CVSS 7.8
CVE-2024-48910 NOMISEC CRITICAL
DOMPurify < 2.4.2 - Prototype Pollution
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
by Alex-Acero-Security
CVSS 9.1
CVE-2024-4890 NOMISEC MEDIUM
litellm 1.27.14 - Blind SQL Injection via User ID Parameter
A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. The affected version is 1.27.14.
by nekr0ff
CVSS 4.9
CVE-2025-63830 NOMISEC MEDIUM
CKFinder 1.4.3 - Stored Cross-Site Scripting via SVG File Upload
CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content.
by Shubham03007
CVSS 6.1
CVE-2025-31133 NOMISEC HIGH
runc < 1.2.8, 1.3.0-rc.1-1.3.1, 1.4.0-rc.1-1.4.0-rc.2 - Arbitrary Mount Gadget via Insufficient Bind-Mount Verification
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
by skynet-f-nvidia
2 stars
CVSS 7.8
CVE-2020-0192 NOMISEC MEDIUM
Android 10 - Out-of-bounds Read in ih264d_decode_slice_thread
In ih264d_decode_slice_thread of ih264d_thread_parse_decode.c, there is a possible out of bounds read due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-144687080
by himanshu67111
CVSS 6.5
CVE-2025-56503 NOMISEC MEDIUM
Sublime Text 4 4200 - Privilege Escalation
An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted binary in the installation folder. NOTE: this is disputed by the Supplier because replacing the uninstall file requires administrator permissions, i.e., there is no privilege escalation.
by secxplorers
CVSS 6.5