Nomisec Exploits

22,612 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-31630 NOMISEC HIGH
OpenPLC Webserver v3 - Remote Code Execution via Hardware Layer Code Box
Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application.
by machevalia
3 stars
CVSS 8.8
CVE-2022-1257 NOMISEC MEDIUM
McAfee Agent < 5.7.6 - Insecure Storage of Sensitive Information in ma.db
Insecure storage of sensitive information vulnerability in MA for Linux, macOS, and Windows prior to 5.7.6 allows a local user to gain access to sensitive information through storage in ma.db. The sensitive information has been moved to encrypted database files.
by kayes817
CVSS 6.1
CVE-2015-6967 NOMISEC
Nibbleblog < 4.0.4 - Remote Code Execution via My Image Plugin File Upload
Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.
by cuerv0x
CVE-2025-49132 NOMISEC CRITICAL
Pterodactyl Panel < 1.11.11 - Unauthenticated Remote Code Execution via Locale Endpoint
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
by 63square
5 stars
CVSS 10.0
CVE-2025-0054 NOMISEC MEDIUM
SAP NetWeaver Application Server Java - XSS
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.
by z3usx01
CVSS 5.4
CVE-2020-1048 NOMISEC HIGH
Microsoft Spooler Local Privilege Elevation Vulnerability
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka 'Windows Print Spooler Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1070.
by talsim
1 stars
CVSS 7.8
CVE-2023-33538 NOMISEC HIGH
TP-Link TL-WR940N TL-WR841N TL-WR740N - OS Command Injection via WlanNetworkRpm Endpoint
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm .
by mrowkoob
CVSS 8.8
CVE-2025-45467 NOMISEC HIGH
Unitree Go1 <= Go1_2022_05_11 - Insecure Firmware Update Permissions via MD5 Checksum
Unitree Go1 <= Go1_2022_05_11 is vulnerable to Insecure Permissions as the firmware update functionality (via Wi-Fi/Ethernet) implements an insecure verification mechanism that solely relies on MD5 checksums for firmware integrity validation.
by zgsnj123
1 stars
CVSS 7.1
CVE-2025-45466 NOMISEC HIGH
Unitree Go1 <= Go1_2022_05_11 - Incorrect Access Control via Hard-coded Credentials
Unitree Go1 <= Go1_2022_05_11 is vulnerale to Incorrect Access Control due to authentication credentials being hardcoded in plaintext.
by zgsnj123
1 stars
CVSS 8.8
CVE-2025-0133 NOMISEC LOW
PAN-OS 10.1.0-11.2.7 - Reflected Cross-Site Scripting in GlobalProtect Captive Portal
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN. There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal. For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 . There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.
by INTELEON404
9 stars
CVE-2022-25581 NOMISEC HIGH
classcms < 2.5 - Arbitrary File Upload and Remote Code Execution via Crafted .txt File
Classcms v2.5 and below contains an arbitrary file upload via the component \class\classupload. This vulnerability allows attackers to execute code injection via a crafted .txt file.
by wooluo
CVSS 7.8
CVE-2025-48461 NOMISEC MEDIUM
Advantech WISE-4060LAN/4050LAN/4010LAN Firmware - Unauthenticated Account Takeover via Predictable Session Cookies
Successful exploitation of the vulnerability could allow an unauthenticated attacker to conduct brute force guessing and account takeover as the session cookies are predictable, potentially allowing the attackers to gain root, admin or user access and reset passwords.
by joelczk
CVSS 5.0
CVE-2025-6019 NOMISEC HIGH
Red Hat Enterprise Linux - Local Privilege Escalation via libblockdev XFS Image Resizing
A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
by And-oss
4 stars
CVSS 7.0
CVE-2025-4322 NOMISEC CRITICAL
Motors WordPress <5.6.67 - Privilege Escalation
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
by gmh5225
CVSS 9.8
CVE-2025-49132 NOMISEC CRITICAL
Pterodactyl Panel < 1.11.11 - Unauthenticated Remote Code Execution via Locale Endpoint
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
by qiaojojo
4 stars
CVSS 10.0
CVE-2025-26466 NOMISEC MEDIUM
OpenSSH - Denial of Service via Ping Packet Memory Exhaustion
A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.
by mrowkoob
CVSS 5.9
CVE-2025-3248 NOMISEC CRITICAL
Langflow AI - Unauthenticated Remote Code Execution
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
by dennisec
2 stars
CVSS 9.8
CVE-2025-3248 NOMISEC CRITICAL
Langflow AI - Unauthenticated Remote Code Execution
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
by dennisec
CVSS 9.8
CVE-2024-4577 NOMISEC CRITICAL
PHP CGI Argument Injection Remote Code Execution
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
by byteReaper77
2 stars
CVSS 9.8
CVE-2025-48976 NOMISEC HIGH
Apache Commons FileUpload <1.6-2.0.0-M4 - DoS
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
by nankuo
2 stars
CVSS 7.5
CVE-2025-3248 NOMISEC CRITICAL
Langflow AI - Unauthenticated Remote Code Execution
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
by 0-d3y
7 stars
CVSS 9.8
CVE-2025-24514 NOMISEC HIGH
ingress-nginx < 1.11.5 and 1.12.0 - Remote Code Execution via auth-url Annotation Injection
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
by KimJuhyeong95
CVSS 8.8
CVE-2025-3515 NOMISEC HIGH
Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
by Professor6T9
CVSS 8.1
CVE-2023-33538 NOMISEC HIGH
TP-Link TL-WR940N TL-WR841N TL-WR740N - OS Command Injection via WlanNetworkRpm Endpoint
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm .
by explxx
1 stars
CVSS 8.8
CVE-2025-49113 NOMISEC CRITICAL
Roundcube Webmail < 1.5.10 and 1.6.x < 1.6.11 - Authenticated Remote Code Execution via PHP Object Deserialization
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
by punitdarji
CVSS 9.9