Nomisec Exploits

22,614 exploits tracked across all sources.

Sort: Activity Stars
CVE-2018-17179 NOMISEC CRITICAL
OpenEMR < 5.0.1.7 - SQL Injection via taskman.php
An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.
by CyberQuestor-infosec
1 stars
CVSS 9.8
CVE-2025-24071 NOMISEC MEDIUM
Windows File Explorer - Exposure of Sensitive Information to an Unauthorized Actor
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
by ex-cal1bur
2 stars
CVSS 6.5
CVE-2022-22965 NOMISEC CRITICAL
Spring Framework - Remote Code Execution via Data Binding
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
by brunoh6
CVSS 9.8
CVE-2024-23346 NOMISEC CRITICAL
pymatgen < 2024.2.20 - Remote Code Execution via JonesFaithfulTransformation.from_transformation_str()
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
by MAWK0235
CVSS 9.3
CVE-2025-49113 NOMISEC CRITICAL
Roundcube Webmail < 1.5.10 and 1.6.x < 1.6.11 - Authenticated Remote Code Execution via PHP Object Deserialization
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
by BiiTts
6 stars
CVSS 9.9
CVE-2025-29927 NOMISEC CRITICAL
Next.js Middleware Bypass
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
by lstudlo
1 stars
CVSS 9.1
CVE-2024-42049 NOMISEC CRITICAL
TightVNC Server for Windows < 2.8.84 - Unauthenticated Exposure of Sensitive Information via Control Pipe
TightVNC (Server for Windows) before 2.8.84 allows attackers to connect to the control pipe via a network connection.
by zeved
CVSS 9.1
CVE-2025-4601 NOMISEC HIGH
RH - Real Estate WordPress Theme <4.4.0 - Privilege Escalation
The "RH - Real Estate WordPress Theme" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1.
by Yucaerin
CVSS 8.8
CVE-2025-29972 NOMISEC CRITICAL
Azure Storage Resource Provider - SSRF
Server-side request forgery (ssrf) in Azure Storage Resource Provider allows an authorized attacker to perform spoofing over a network.
by ThemeHackers
2 stars
CVSS 9.9
CVE-2025-46178 NOMISEC MEDIUM
cloudclassroom-php_project - Stored Cross-Site Scripting via askquery.php eid Parameter
Cross-Site Scripting (XSS) vulnerability exists in askquery.php via the eid parameter in the CloudClassroom PHP Project. This allows remote attackers to inject arbitrary JavaScript in the context of a victim s browser session by sending a crafted URL, leading to session hijacking or defacement.
by SacX-7
CVSS 6.1
CVE-2024-22371 NOMISEC LOW
Apache Camel <4.4.0 - Info Disclosure
Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0. Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.
by vishalborkar7
CVSS 2.9
CVE-2025-5961 NOMISEC HIGH
WPvivid Backup & Migration < 0.9.116 - Authenticated Arbitrary File Upload via wpvivid_upload_import_files
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
by d0n601
CVSS 7.2
CVE-2025-26892 NOMISEC CRITICAL
Celestial Aura < 2.2 - Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files.This issue affects Celestial Aura: from n/a through 2.2.
by Nxploited
CVSS 9.9
CVE-2025-32756 NOMISEC CRITICAL
Fortinet Fortimail < 7.0.9 - Out-of-Bounds Write
A stack-based buffer overflow vulnerability [CWE-121] vulnerability in Fortinet FortiCamera 2.1.0 through 2.1.3, FortiCamera 2.0 all versions, FortiCamera 1.1 all versions, FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.7, FortiNDR 7.2.0 through 7.2.4, FortiNDR 7.0.0 through 7.0.6, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0.0 through 7.0.5, FortiRecorder 6.4.0 through 6.4.5, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6, FortiVoice 6.4.0 through 6.4.10 allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie.
by becrevex
CVSS 9.8
CVE-2025-39507 NOMISEC HIGH
NasaTheme Nasa Core < 6.4.4 - PHP Local File Inclusion
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion.This issue affects Nasa Core: from n/a through < 6.4.4.
by TheCyberFairy
CVSS 7.5
CVE-2025-2539 NOMISEC HIGH
File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
by Yucaerin
CVSS 7.5
CVE-2025-32756 NOMISEC CRITICAL
Fortinet Fortimail < 7.0.9 - Out-of-Bounds Write
A stack-based buffer overflow vulnerability [CWE-121] vulnerability in Fortinet FortiCamera 2.1.0 through 2.1.3, FortiCamera 2.0 all versions, FortiCamera 1.1 all versions, FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.7, FortiNDR 7.2.0 through 7.2.4, FortiNDR 7.0.0 through 7.0.6, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0.0 through 7.0.5, FortiRecorder 6.4.0 through 6.4.5, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6, FortiVoice 6.4.0 through 6.4.10 allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie.
by alm6no5
CVSS 9.8
CVE-2021-3156 NOMISEC HIGH
Sudo Heap-Based Buffer Overflow
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
by TopskiyPavelQwertyGang
CVSS 7.8
CVE-2023-20198 NOMISEC CRITICAL
Cisco IOX XE Unauthenticated RCE Chain
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
by Arshit01
CVSS 10.0
CVE-2025-24071 NOMISEC MEDIUM
Windows File Explorer - Exposure of Sensitive Information to an Unauthorized Actor
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
by zbs54
CVSS 6.5
CVE-2025-37899 NOMISEC HIGH
Linux Kernel 5.15-6.12.28, 6.1.0-6.1.159, 6.2.0-6.6.119, 6.7.0-6.12.28, 6.13.0-6.14.6 - Use-After-Free in Session Logoff
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user.
by vett3x
CVSS 7.8
CVE-2025-24071 NOMISEC MEDIUM
Windows File Explorer - Exposure of Sensitive Information to an Unauthorized Actor
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
by TH-SecForge
4 stars
CVSS 6.5
CVE-2025-29972 NOMISEC CRITICAL
Azure Storage Resource Provider - SSRF
Server-side request forgery (ssrf) in Azure Storage Resource Provider allows an authorized attacker to perform spoofing over a network.
by TH-SecForge
1 stars
CVSS 9.9
CVE-2024-10914 NOMISEC HIGH
D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L - OS Command Injection via cgi_user_add name Parameter
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
by TH-SecForge
1 stars
CVSS 8.1
CVE-2024-10914 NOMISEC HIGH
D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L - OS Command Injection via cgi_user_add name Parameter
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
by ThemeHackers
9 stars
CVSS 8.1