Writeup Exploits

46,583 exploits tracked across all sources.

Sort: Activity Stars
CVE-2026-41359 WRITEUP HIGH
OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.
CVSS 7.1
CVE-2026-41360 WRITEUP MEDIUM
OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script contents.
CVSS 6.7
CVE-2026-6941 WRITEUP MEDIUM
radare2 < 6.1.4 Project Notes Path Traversal via Symlink
radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.
CVSS 6.6
CVE-2026-6942 WRITEUP CRITICAL
radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass
radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.
CVSS 9.8
CVE-2026-39906 WRITEUP HIGH
Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.
CVE-2026-39907 WRITEUP HIGH
Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via WCF SOAP
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network.
CVE-2025-50229 WRITEUP CRITICAL
Jizhicms 2.5.4 - SQL Injection
Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.
CVSS 9.8
CVE-2025-50229 WRITEUP CRITICAL
Jizhicms 2.5.4 - SQL Injection
Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.
CVSS 9.8
CVE-2025-50229 WRITEUP CRITICAL
Jizhicms 2.5.4 - SQL Injection
Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.
CVSS 9.8
CVE-2025-70994 WRITEUP HIGH
Yadea T5 Electric Bicycles 2024 - Auth Bypass
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.
CVSS 7.3
CVE-2025-70994 WRITEUP HIGH
Yadea T5 Electric Bicycles 2024 - Auth Bypass
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.
CVSS 7.3
CVE-2026-23751 WRITEUP CRITICAL
Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.
CVSS 9.8
CVE-2026-31159 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31160 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31164 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31165 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeServiceName parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31171 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31172 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31174 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31175 WRITEUP CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi.
CVSS 9.8
CVE-2026-31176 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31177 WRITEUP CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.
CVSS 9.8
CVE-2026-31178 WRITEUP CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.
CVSS 9.8
CVE-2026-31179 WRITEUP MEDIUM
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi.
CVSS 6.5
CVE-2026-31181 WRITEUP CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.
CVSS 9.8
By Source
All 46,583 Exploitdb 50,123 Writeup 46,583 Nomisec 21,106 Metasploit 3,189 Github 2,211 Vulncheck_xdb 900 Inthewild 518 Gitlab 438 Gitee 415 Patchapalooza 312
By Language
text 31,341 ruby 5,920 python 5,723 c 3,550 perl 2,854 html 2,053 php 1,332 bash 459 java 359 javascript 256 c++ 245 shell 67 go 41 postscript 25 xml 24