Nomisec Exploits

22,621 exploits tracked across all sources.

Sort: Activity Stars
CVE-2025-4389 NOMISEC CRITICAL
Crawlomatic Multipage Scraper Post Generator <2.6.8.1 - File Upload
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
by Yucaerin
CVSS 9.8
CVE-2025-27363 NOMISEC HIGH
FreeType < 2.13.0 - Out-of-bounds Write in TrueType GX Subglyph Parsing
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
by ov3rf1ow
3 stars
CVSS 8.1
CVE-2025-5196 NOMISEC MEDIUM
Wing FTP Server <7.4.3 - Privilege Escalation
A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer."
by Nouvexr
1 stars
CVSS 6.6
CVE-2024-55591 NOMISEC CRITICAL
FortiProxy 7.0.0-7.0.19 and 7.2.0-7.2.12 - Authentication Bypass via Node.js Websocket Module
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
by UMChacker
2 stars
CVSS 9.8
CVE-2025-29927 NOMISEC CRITICAL
Next.js Middleware Bypass
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
by sagsooz
CVSS 9.1
CVE-2025-46173 NOMISEC MEDIUM
Online Exam Mastering System 1.0 - Stored Cross-Site Scripting via Feedback Form Name Field
code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) via the name field in the feedback form.
by pruthuraut
CVSS 6.1
CVE-2025-2907 NOMISEC CRITICAL
Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.
by Yucaerin
CVSS 9.8
CVE-2024-42008 NOMISEC CRITICAL
Roundcube Webmail < 1.5.8 - Cross-Site Scripting via Malicious Email Attachment Content-Type Header
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
by Foxer131
CVSS 9.3
CVE-2024-55591 NOMISEC CRITICAL
FortiProxy 7.0.0-7.0.19 and 7.2.0-7.2.12 - Authentication Bypass via Node.js Websocket Module
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
by exfil0
12 stars
CVSS 9.8
CVE-2020-11097 NOMISEC LOW
FreeRDP < 2.1.2 - Out-of-bounds Read in PRIMARY_DRAWING_ORDER_FIELD_BYTES
In FreeRDP before version 2.1.2, an out of bounds read occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2.
by SpiralBL0CK
CVSS 3.5
CVE-2025-22457 NOMISEC CRITICAL
Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
by TRone-ux
1 stars
CVSS 9.0
CVE-2020-24913 NOMISEC CRITICAL
qcubed < 3.1.1 and >=0 < 3.2 - Unauthenticated SQL Injection via profile.php strQuery Parameter
A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.
by shpaw415
CVSS 9.8
CVE-2022-1388 NOMISEC CRITICAL
F5 BIG-IP iControl RCE via REST Authentication Bypass
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
by PsychoSec2
14 stars
CVSS 9.8
CVE-2020-13398 NOMISEC HIGH
FreeRDP < 2.1.1 - Out-of-bounds Write in crypto_rsa_common
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) write vulnerability has been detected in crypto_rsa_common in libfreerdp/crypto/crypto.c.
by SpiralBL0CK
1 stars
CVSS 8.3
CVE-2025-24203 NOMISEC MEDIUM
iPadOS < 17.7.6 - Arbitrary File System Modification
The issue was addressed with improved checks. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, watchOS 11.4. An app may be able to modify protected parts of the file system.
by pxx917144686
22 stars
CVSS 5.0
CVE-2025-24813 NOMISEC CRITICAL
Tomcat Partial PUT Java Deserialization
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
by mbanyamer
19 stars
CVSS 9.8
CVE-2025-0868 NOMISEC CRITICAL
DocsGPT 0.8.1-0.12.0 - Remote Code Execution via /api/remote Endpoint
A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an unauthorized attacker could send arbitrary Python code to be executed via /api/remote endpoint.. This issue affects DocsGPT: from 0.8.1 through 0.12.0.
by aidana-gift
CVE-2025-48708 NOMISEC MEDIUM
Artifex Ghostscript <10.05.1 - Info Disclosure
gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext.
by B1tBreaker
5 stars
CVSS 4.0
CVE-2023-20963 NOMISEC HIGH
Android - Local Privilege Escalation via WorkSource Parcel Mismatch
In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-220302519
by black7024
2 stars
CVSS 7.8
CVE-2021-24086 NOMISEC HIGH
Windows - Denial of Service via TCP/IP
Windows TCP/IP Denial of Service Vulnerability
by personnumber3377
CVSS 7.5
CVE-2023-4226 NOMISEC HIGH
Chamilo LMS <= 1.11.24 - Authenticated Remote Code Execution via PHP File Upload
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
by SkyW4r33x
1 stars
CVSS 8.8
CVE-2023-50564 NOMISEC HIGH
Pluck-CMS 4.7.18 - Arbitrary File Upload via ZIP File in Modules Install
An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file.
by glynzr
CVSS 8.8
CVE-2023-23397 NOMISEC CRITICAL
Microsoft Outlook - Privilege Escalation
Microsoft Outlook Elevation of Privilege Vulnerability
by Gilospy
CVSS 9.8
CVE-2025-5154 NOMISEC LOW
PhonePe App 25.03.21.0 - Info Disclosure
A vulnerability, which was classified as problematic, was found in PhonePe App 25.03.21.0 on Android. Affected is an unknown function of the file /data/data/com.phonepe.app/databases/ of the component SQLite Database. The manipulation leads to cleartext storage in a file or on disk. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
by honestcorrupt
1 stars
CVSS 2.3
CVE-2025-0288 NOMISEC HIGH
Paragon Software - Memory Corruption
Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input, allowing an attacker the ability to write arbitrary kernel memory and perform privilege escalation.
by barhen12
1 stars
CVSS 7.8