Github Exploits

2,236 exploits tracked across all sources.

CVE-2024-10578 GITHUB HIGH python
Pubnews theme <1.0.7 - Privilege Escalation
The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnews_importer_plugin_action_for_notice() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins that can be leveraged to exploit other vulnerabilities.
by Boshe99
CVSS 8.8
CVE-2024-10124 GITHUB CRITICAL python
Vayu Blocks - Unauthorized Plugin Installation
The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1.
by Boshe99
CVSS 9.8
CVE-2024-0235 GITHUB MEDIUM python
Eventon < 2.2.7 - Missing Authorization
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog
by Boshe99
CVSS 5.3
CVE-2023-51409 GITHUB CRITICAL python
Meowapps AI Engine < 1.9.99 - Unrestricted File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
by Boshe99
CVSS 10.0
CVE-2023-47668 GITHUB MEDIUM python
Liquidweb Restrict Content < 3.2.7 - Information Disclosure
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StellarWP Membership Plugin – Restrict Content plugin <= 3.2.7 versions.
by Boshe99
CVSS 5.3
CVE-2020-36842 GITHUB HIGH python
WPvivid <0.9.35 - RCE
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the wpvivid_upload_import_files and wpvivid_upload_files AJAX actions that allows low-level authenticated attackers to upload zip files that can be subsequently extracted. This affects versions up to, and including 0.9.35.
by Boshe99
CVSS 8.8
CVE-2025-66478 GITHUB python
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by Security-Phoenix-demo
5 stars
CVE-2025-66478 GITHUB javascript
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by anuththara2007-W
3 stars
CVE-2025-66478 GITHUB javascript
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by l4rm4nd
79 stars
CVE-2025-66478 GITHUB go
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by pyroxenites
128 stars
CVE-2025-66478 GITHUB python
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by shyambhanushali
10 stars
CVE-2025-25063 GITHUB MEDIUM python
Backdrop CMS <1.28.5-1.29.3 - XSS
An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.
by moften
6 stars
CVSS 4.4
CVE-2021-41184 GITHUB MEDIUM
jQuery-UI <1.13.0 - Code Injection
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
by CoderDias
CVSS 6.5
CVE-2020-11023 GITHUB MEDIUM
jQuery <3.5.0 - XSS
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
by CoderDias
CVSS 6.9
CVE-2020-11022 GITHUB MEDIUM
jQuery <3.5.0 - XSS
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
by CoderDias
CVSS 6.9
CVE-2025-55182 GITHUB CRITICAL javascript
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by react2shell-repo-menagerie
CVSS 10.0
CVE-2025-66478 GITHUB typescript
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by react2shell-repo-menagerie
CVE-2025-66478 GITHUB javascript
Rejected
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
by react2shell-repo-menagerie