Writeup Exploits

63,662 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-43455 WRITEUP HIGH
freelan 2.2 - Unquoted Service Path
An Unquoted Service Path vulnerability exists in FreeLAN 2.2 via a specially crafted file in the FreeLAN Service path.
CVSS 7.8
CVE-2021-43454 WRITEUP HIGH
AnyTXT Searcher <1.2.394 - Buffer Overflow
An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.394 via a specially crafted file in the ATService path. .
CVSS 7.8
CVE-2021-43469 WRITEUP HIGH
VINGA WR-N300U 77.102.1.4853 - OS Command Injection in goahead Component
VINGA WR-N300U 77.102.1.4853 is affected by a command execution vulnerability in the goahead component.
CVSS 8.8
CVE-2021-43471 WRITEUP HIGH
Canon LBP223dw Firmware - Unauthenticated Denial of Service via System Manager Mode
In Canon LBP223 printers, the System Manager Mode login does not require an account password or PIN. An attacker can remotely shut down the device after entering the background, creating a denial of service vulnerability.
CVSS 7.5
CVE-2021-43579 WRITEUP HIGH
htmldoc <= 1.9.13 - Remote Code Execution via Crafted BMP File in image_load_bmp()
A stack-based buffer overflow in image_load_bmp() in HTMLDOC <= 1.9.13 results in remote code execution if the victim converts an HTML document linking to a crafted BMP file.
CVSS 7.8
CVE-2021-43617 WRITEUP CRITICAL
Laravel Framework <8.70.2 - Code Injection
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
CVSS 9.8
CVE-2021-43657 WRITEUP MEDIUM
Simple Client Management System 1.0 - Stored Cross-Site Scripting via MAster.php
A Stored Cross-site scripting (XSS) vulnerability via MAster.php in Sourcecodetester Simple Client Management System (SCMS) 1.0 allows remote attackers to inject arbitrary web script or HTML via the vulnerable input fields.
CVSS 5.4
CVE-2026-39957 WRITEUP MEDIUM
Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4.
CVSS 4.3
CVE-2026-39957 WRITEUP MEDIUM
Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4.
CVSS 4.3
CVE-2026-33738 WRITEUP MEDIUM
Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
CVSS 5.4
CVE-2026-33738 WRITEUP MEDIUM
Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
CVSS 5.4
CVE-2026-33738 WRITEUP MEDIUM
Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
CVSS 5.4
CVE-2026-33644 WRITEUP MEDIUM
Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
CVSS 4.3
CVE-2026-33537 WRITEUP MEDIUM
Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.
CVSS 5.0
CVE-2026-22784 WRITEUP MEDIUM
Lychee < 7.1.0 - Incorrect Authorization via Album Password Unlock
Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.
CVSS 4.3
CVE-2025-53018 WRITEUP LOW
Lychee < 6.6.13 - Server-Side Request Forgery via Photo::fromUrl Endpoint
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose. Consequently, internal network resources—such as localhost services or cloud-provider metadata endpoints—become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue.
CVSS 3.0
CVE-2025-50202 WRITEUP HIGH
Lychee 6.6.6-6.6.9 - Path Traversal in SecurePathController
Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, nginx logs, other user's uploaded images, and configuration secrets due to a path traversal exploit in SecurePathController.php. This issue has been patched in version 6.6.10.
CVSS 7.5
CVE-2023-52082 WRITEUP HIGH
Lychee 4.9.3-5.0.2 - SQL Injection via SQL EXPLAIN Logging
Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the `.env` settings set to DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true. The defaults settings of Lychee are safe. The patch is provided on version 5.0.2. To work around this issue, disable SQL EXPLAIN logging.
CVSS 8.8
CVE-2021-43675 WRITEUP MEDIUM
Lychee-v3 3.2.16 - Cross-Site Scripting in Guest Access Handler
Lychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerability in php/Access/Guest.php. The function exit will terminate the script and print the message to the user. The message will contain albumID which is controlled by the user.
CVSS 6.1
CVE-2021-43778 WRITEUP CRITICAL
GLPI Barcode Plugin 2.0-2.6.0 - Path Traversal via front/send.php
Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file.
CVSS 9.1
CVE-2021-43778 WRITEUP CRITICAL
GLPI Barcode Plugin 2.0-2.6.0 - Path Traversal via front/send.php
Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file.
CVSS 9.1
CVE-2021-43778 WRITEUP CRITICAL
GLPI Barcode Plugin 2.0-2.6.0 - Path Traversal via front/send.php
Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file.
CVSS 9.1
CVE-2021-43784 WRITEUP MEDIUM
runc < 1.0.3 - Namespace Bypass via Netlink Integer Overflow
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.
CVSS 6.0
CVE-2021-43785 WRITEUP HIGH
emoji-button < 4.6.2 - Cross-Site Scripting via Custom Emoji URL or i18n String
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code.
CVSS 7.6
CVE-2021-43793 WRITEUP MEDIUM
Discourse < 2.7.11 - Improper Privilege Management in Polls Feature
Discourse is an open source discussion platform. In affected versions a vulnerability in the Polls feature allowed users to vote multiple times in a single-option poll. The problem is patched in the latest tests-passed, beta and stable versions of Discourse
CVSS 4.3