Writeup Exploits

63,662 exploits tracked across all sources.

Sort: Activity Stars
CVE-2026-2329 WRITEUP CRITICAL
Grandstream GXP16xx - Buffer Overflow
An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.
CVSS 9.8
CVE-2025-37164 WRITEUP CRITICAL
HPE OneView unauthenticated RCE
A remote code execution issue exists in HPE OneView.
CVSS 10.0
CVE-2025-34077 WRITEUP CRITICAL
WordPress Pie Register <3.7.1.4 - Auth Bypass
An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
CVE-2025-2611 WRITEUP CRITICAL
ICTBroadcast - Command Injection
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable.
CVE-2024-51978 WRITEUP CRITICAL
Brother/Konica/Toshiba Printers - Default Admin Password Generation
An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.
CVSS 9.8
CVE-2024-4577 WRITEUP CRITICAL
PHP CGI Argument Injection Remote Code Execution
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
CVSS 9.8
CVE-2024-23692 WRITEUP CRITICAL
Rejetto HTTP File Server - Template injection
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
CVSS 9.8
CVE-2024-1709 WRITEUP CRITICAL
ConnectWise ScreenConnect < 23.9.8 - Authentication Bypass
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
CVSS 10.0
CVE-2024-11680 WRITEUP CRITICAL
ProjectSend < r1720 - Unauthenticated Configuration Modification via options.php
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
CVSS 9.8
CVE-2023-0669 WRITEUP HIGH
Fortra GoAnywhere MFT Unsafe Deserialization RCE
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
CVSS 7.2
CVE-2022-37393 WRITEUP HIGH
Zimbra zmslapd arbitrary module load
Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.
CVSS 7.8
CVE-2022-3569 WRITEUP HIGH
Zimbra Collaboration Suite <9.0.0 - Privilege Escalation
Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.
CVSS 7.8
CVE-2022-34878 WRITEUP MEDIUM
VICIdial - SQL Injection via User Stats file_download Parameter
SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
CVSS 5.5
CVE-2022-34877 WRITEUP MEDIUM
VICIdial < 2.14b0.5-3555 - SQL Injection via AST Agent Time Sheet Agent Parameter
SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
CVSS 6.4
CVE-2022-34876 WRITEUP MEDIUM
VICIdial < 2.14b0.5-3555 - SQL Injection via admin.php Parameters
SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
CVSS 5.5
CVE-2022-3365 WRITEUP CRITICAL
Remote Mouse Server <4.110 - Command Injection
Due to reliance on a trivial substitution cipher, sent in cleartext, and the reliance on a default password when the user does not set a password, the Remote Mouse Server by Emote Interactive can be abused by attackers to inject OS commands over theproduct's custom control protocol. A Metasploit module was written and tested against version 4.110, the current version when this CVE was reserved.
CVSS 9.8
CVE-2022-3229 WRITEUP CRITICAL
Unified Remote < 3.11.0.2483 - Unauthenticated Remote Code Execution via Web Management Interface
Because the web management interface for Unified Intents' Unified Remote solution does not itself require authentication, a remote, unauthenticated attacker can change or disable authentication requirements for the Unified Remote protocol, and leverage this now-unauthenticated access to run code of the attacker's choosing.
CVSS 9.8
CVE-2022-3218 WRITEUP CRITICAL
Necta WiFi Mouse Server - Remote Code Execution via Client-Side Authentication Bypass
Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC's authentication mechanism is trivially bypassed, which can result in remote code execution.
CVSS 9.8
CVE-2022-28810 WRITEUP MEDIUM
ManageEngine ADSelfService Plus Custom Script Execution
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
CVSS 6.8
CVE-2022-23227 WRITEUP CRITICAL
NUUO NVRmini2 < 3.11.0 - Unauthenticated Arbitrary User Creation via handle_import_user.php
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
CVSS 9.8
CVE-2021-43258 WRITEUP HIGH
ChurchInfo 1.2.13-1.3.0 - Authenticated Remote Code Execution via Email Attachment Upload
CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server.
CVSS 8.8
CVE-2021-42840 WRITEUP HIGH
SuiteCRM < 7.11.19 - Remote Code Execution via Log File Name Setting
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
CVSS 8.8
CVE-2021-29133 WRITEUP MEDIUM
Alpine Linux Configuration Framework <0.9.36 - Info Disclosure
Lack of verification in haserl, a component of Alpine Linux Configuration Framework, before 0.9.36 allows local users to read the contents of any file on the filesystem.
CVSS 5.5
CVE-2021-29133 WRITEUP MEDIUM
Alpine Linux Configuration Framework <0.9.36 - Info Disclosure
Lack of verification in haserl, a component of Alpine Linux Configuration Framework, before 0.9.36 allows local users to read the contents of any file on the filesystem.
CVSS 5.5
CVE-2020-7385 WRITEUP HIGH
Metasploit Framework < 4.19.0 - Remote Code Execution via DRb Deserialization
By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with elevated privileges, this can lead to a system compromise on the Metasploit workstation. Note that an attacker would have to lie in wait and entice the Metasploit user to run the affected module against a malicious endpoint in a "hack-back" type of attack. Metasploit is only vulnerable when the drb_remote_codeexec module is running. In most cases, this cannot happen automatically.
CVSS 8.1