Exploit Database

145,119 exploits tracked across all sources.

CVE-2025-21612 WRITEUP HIGH
TabberNeue 1.9.1-2.7.1 - Cross-Site Scripting in TabberTransclude.php
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.
CVSS 8.6
CVE-2025-21617 WRITEUP MEDIUM
Guzzle OAuth Subscriber < 0.8.1 - Use of Cryptographically Weak PRNG in Nonce Generation
Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1.
CVE-2025-21628 WRITEUP CRITICAL
Chatwoot 2.16.1-3.15.9 - Authenticated SQL Injection via Query Operator Parameter
Chatwoot is a customer engagement suite. Prior to 3.16.0, the conversation and contact filter endpoints did not sanitize the query_operator value passed from the frontend or the API. Any authenticated actor could therefore run arbitrary SQL within the filter query, for example by appending a tautological WHERE clause. This issue is patched in v3.16.0.
CVSS 9.1
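The pattern behind this entry, shown as an added JavaScript example rather than Chatwoot's own Ruby code: a filter builder that concatenates query_operator straight into SQL, beside one that accepts only AND/OR and known column names. The filter shape, the column names and the `$n` placeholder style are assumptions made for the illustration.

```javascript
// Added example: operator injection in a filter builder (not Chatwoot's code).
const ALLOWED_OPERATORS = new Set(['AND', 'OR']);
const FILTERABLE_COLUMNS = new Set(['status', 'assignee_id', 'inbox_id']); // assumed schema

// Vulnerable: query_operator from the request is concatenated verbatim between clauses.
// Values are still bound as $1, $2 ... so the operator is the only injection point.
function buildWhereVulnerable(filters) {
  const params = filters.map((f) => f.value);
  const sql = filters
    .map((f, i) => {
      const clause = `${f.attribute} = $${i + 1}`;
      return i < filters.length - 1 ? `${clause} ${f.query_operator}` : clause;
    })
    .join(' ');
  return { sql: `WHERE ${sql}`, params };
}

// Hardened: operator and column name are checked against allowlists before any SQL is
// assembled; anything else is rejected. Values remain bound parameters.
function buildWhereSafe(filters) {
  const params = [];
  const clauses = filters.map((f, i) => {
    if (!FILTERABLE_COLUMNS.has(f.attribute)) {
      throw new Error(`unknown filter attribute: ${String(f.attribute)}`);
    }
    params.push(f.value);
    let clause = `${f.attribute} = $${params.length}`;
    if (i < filters.length - 1) {
      const op = String(f.query_operator).trim().toUpperCase();
      if (!ALLOWED_OPERATORS.has(op)) {
        throw new Error(`invalid query_operator: ${String(f.query_operator)}`);
      }
      clause += ` ${op}`;
    }
    return clause;
  });
  return { sql: `WHERE ${clauses.join(' ')}`, params };
}

// Constructed request payloads: a benign filter and one carrying a tautology in the operator.
const benignFilters = [
  { attribute: 'status', value: 'open', query_operator: 'AND' },
  { attribute: 'assignee_id', value: 42 },
];
const maliciousFilters = [
  { attribute: 'status', value: 'open', query_operator: 'OR 1=1 OR' },
  { attribute: 'assignee_id', value: 42 },
];

// Runs the two builders over both payloads and reports what each produced.
function demoOperatorInjection() {
  let rejected = null;
  try { buildWhereSafe(maliciousFilters); } catch (e) { rejected = e.message; }
  return {
    vulnerable: buildWhereVulnerable(maliciousFilters).sql, // WHERE status = $1 OR 1=1 OR assignee_id = $2
    safe: buildWhereSafe(benignFilters).sql,                 // WHERE status = $1 AND assignee_id = $2
    rejected,                                                // the malicious operator is refused
  };
}
```

The allowlist is the whole fix: once the operator can only be one of two literal strings, no request-controlled text reaches the query at all, and the tautology can only ever live inside a bound parameter where it is data, not SQL.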
CVE-2025-22131 WRITEUP MEDIUM
PhpSpreadsheet <1.29.8 and 3.0.0-3.7.9 - Cross-Site Scripting in XLSX to HTML Translation
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. A Cross-Site Scripting (XSS) vulnerability exists in the code that translates an XLSX file into an HTML representation and displays it in the response.
CVSS 6.1
CVE-2025-22137 WRITEUP CRITICAL
Pingvin Share <1.4.0 - Arbitrary File Overwrite via HTTP POST
Pingvin Share is a self-hosted file sharing platform and an alternative to WeTransfer. This vulnerability allows an authenticated user, or an unauthenticated one if anonymous shares are allowed, to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0.
CVSS 9.8
CVE-2025-22150 WRITEUP MEDIUM
Undici 4.5.0 to <5.28.5, <6.21.1, <7.2.3 - Predictable multipart/form-data Boundary via Math.random()
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. The output of `Math.random()` can be predicted once several of its generated values are known. If the app can be made to send multipart requests to an attacker-controlled server, the attacker can observe enough boundaries to predict the ones used in later requests. An attacker who can also influence a field value can then tamper with the requests going to the backend APIs, provided those conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker-controlled servers.
CVSS 6.8
CVE-2025-22381 WRITEUP HIGH
Aggie 2.6.1 - Unauthenticated Password Reset via Host Header Injection
Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.
CVSS 8.2
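The mechanism of a Host header password reset, as an added Node.js example (not Aggie's code): the reset link is built from `req.headers.host`, so the attacker's server receives the victim's token. The hardened version takes the public origin from configuration only. The route, origin, allowlist and request objects are constructed for the illustration.

```javascript
// Added example: password-reset link construction with and without Host header trust.

// Vulnerable: the link is built from the request's Host header, which the attacker chooses
// when triggering the reset. A victim who clicks the emailed link sends the token to
// the attacker's server.
function buildResetUrlVulnerable(req, token) {
  return `https://${req.headers.host}/reset-password?token=${encodeURIComponent(token)}`;
}

// Hardened: the public origin comes from configuration, never from the request.
// Host and X-Forwarded-Host play no part in URL construction.
function buildResetUrlSafe(token, config) {
  const url = new URL('/reset-password', config.publicOrigin);
  url.searchParams.set('token', token);
  return url.toString();
}

// Extra hardening: a host allowlist applied before any route runs, so a spoofed Host
// header is rejected outright instead of being echoed into links or redirects.
function hostAllowed(req, config) {
  const host = String(req.headers.host || '').toLowerCase();
  return config.allowedHosts.includes(host);
}

// Constructed configuration and requests for the demonstration.
const resetConfig = {
  publicOrigin: 'https://aggie.example.org',     // assumed deployment origin
  allowedHosts: ['aggie.example.org'],
};
const spoofedRequest = { headers: { host: 'attacker.example' } };
const legitimateRequest = { headers: { host: 'aggie.example.org' } };
```

Note that a reverse proxy does not save the vulnerable version: most proxies forward the client's Host header unchanged, which is exactly what the attacker relies on.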
CVE-2025-22604 WRITEUP CRITICAL
Cacti < 1.2.29 - Authenticated OS Command Injection via SNMP OID Parsing
Cacti is an open source performance and fault management framework. Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs into the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), part of each OID is used as a key in an array that is then used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.
CVSS 9.1
CVE-2025-22911 WRITEUP MEDIUM
Edimax RE11S Firmware 1.11 - Stack-based Buffer Overflow via rootAPmac Parameter in formiNICbasicREP
RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formiNICbasicREP function.
CVSS 5.6
CVE-2025-22912 WRITEUP CRITICAL
Edimax RE11S v1.11 - OS Command Injection via formAccept Component
RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept.
CVSS 9.8
CVE-2025-22963 WRITEUP HIGH
Teedy <= 1.11 - Cross-Site Request Forgery via POST /api/user/admin
Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin.
CVSS 7.5
CVE-2025-22968 WRITEUP CRITICAL
D-Link DWR-M972V 1.05SSG - Unauthenticated Remote Code Execution via SSH Root Access
An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using the root account without restrictions.
CVSS 9.8
CVE-2025-23040 WRITEUP MEDIUM
GitHub Desktop < 3.4.12 - Credential Leak via Malicious Remote URL
GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can gain access to the user's credentials through a maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository GitHub Desktop will invoke `git clone`, and when Git encounters a remote which requires authentication it will request the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL it's possible to cause the credential request coming from Git to be misinterpreted by GitHub Desktop such that it sends credentials for a different host than the host Git is currently communicating with, thereby allowing secret exfiltration. GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop, could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater, which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials.
CVSS 6.6
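The git-credential exchange in this entry, as an added Node.js example: a minimal credential helper that reads the key=value lines Git sends (`protocol`, `host`, `path`, terminated by a blank line) and answers with `username`/`password` lines. It is not GitHub Desktop's code, and the exact URL shape that caused the misattribution is not given on this page, so the example shows the generic controls instead: a strict `host` grammar, exact-match lookup, and HTTPS only. The credential store contents are constructed.

```javascript
// Added example: a strict git-credential helper (not GitHub Desktop's implementation).

// Constructed store: one credential per exact host. The token value is a placeholder.
const CREDENTIAL_STORE = new Map([
  ['github.com', { username: 'octocat', password: 'gho_example_placeholder_token' }],
]);

// Parses the helper input Git writes on stdin: "key=value" lines, blank line terminates.
// Rejects malformed lines, control characters and duplicate keys rather than guessing.
function parseCredentialRequest(input) {
  const attrs = {};
  for (const line of input.split('\n')) {
    if (line === '') break;
    const eq = line.indexOf('=');
    if (eq < 1) throw new Error(`malformed line: ${JSON.stringify(line)}`);
    const key = line.slice(0, eq);
    const value = line.slice(eq + 1);
    if (/[\r\0]/.test(value)) throw new Error(`control character in ${key}`);
    if (Object.prototype.hasOwnProperty.call(attrs, key)) throw new Error(`duplicate attribute ${key}`);
    attrs[key] = value;
  }
  return attrs;
}

// Decides which stored credential, if any, may be released for this request.
// The host must be a bare hostname with an optional port: no userinfo, path or whitespace
// that could make one host string read as another.
function lookupCredentials(attrs) {
  if (attrs.protocol !== 'https') return null;          // never release secrets over plaintext
  const host = attrs.host || '';
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/i.test(host)) return null;
  const entry = CREDENTIAL_STORE.get(host.toLowerCase());
  return entry ? { ...entry } : null;
}

// Formats the helper's reply for Git; an empty reply means "no credential from this helper".
function formatCredentialResponse(creds) {
  return creds ? `username=${creds.username}\npassword=${creds.password}\n` : '';
}

// Full round trip: request text in, response text out.
function handleCredentialRequest(input) {
  return formatCredentialResponse(lookupCredentials(parseCredentialRequest(input)));
}
```

The invariant that matters is that the host string used for the lookup is exactly the host Git is talking to, with no way for URL syntax such as `user@host` or an embedded path to shift which entry is selected; if the string does not fit the narrow grammar, the helper answers with nothing and Git falls back to prompting.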
CVE-2025-23061 WRITEUP CRITICAL
Mongoose <6.13.6 and 8.0.0-rc0 to <8.9.5 - Search Injection via Nested $where Filter with Populate Match
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
CVSS 9.0
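A pre-query gate for the filter shape named in this entry, as an added Node.js example (not Mongoose's code): it walks a `find()` filter and every `populate()` `match` object, including nested populates, and refuses the query if a `$where` key appears at any depth. The filter and populate shapes mirror the Mongoose query API; the sample documents and paths are constructed.

```javascript
// Added example: reject $where anywhere in a filter or populate match before it reaches the driver.
const FORBIDDEN_OPERATORS = new Set(['$where']);

// Depth-first search for a forbidden key. Returns the dotted path of the first hit, or null.
// Arrays are traversed too, since $or / $and / $in wrap their operands in arrays.
function findForbiddenOperator(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenOperator(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (FORBIDDEN_OPERATORS.has(key)) return childPath;
      const hit = findForbiddenOperator(child, childPath);
      if (hit) return hit;
    }
  }
  return null;
}

// Validates a filter plus an array of populate options ({ path, match, populate }).
// Nested populate options are checked recursively, which is where the incomplete fix
// mentioned above left a gap. Throws on the first forbidden operator, returns true otherwise.
function assertSafeQuery(filter, populate = []) {
  const inFilter = findForbiddenOperator(filter, 'filter');
  if (inFilter) throw new Error(`forbidden operator at ${inFilter}`);
  for (const opts of populate) {
    const inMatch = findForbiddenOperator(opts.match || {}, `populate(${opts.path}).match`);
    if (inMatch) throw new Error(`forbidden operator at ${inMatch}`);
    if (opts.populate) assertSafeQuery({}, [].concat(opts.populate));
  }
  return true;
}

// Constructed inputs: a benign query and two that hide $where inside populate matches.
const benignQuery = {
  filter: { title: 'x', tags: { $in: ['a'] } },
  populate: [{ path: 'author', match: { active: true } }],
};
const whereInOr = [{ path: 'author', match: { $or: [{ $where: 'this.a == 1' }] } }];
const whereInNestedPopulate = [{ path: 'author', populate: { path: 'org', match: { $where: '1' } } }];
```

Run this gate on any filter or populate option that was built from request input; it is deliberately independent of whichever Mongoose version or query option is in use, so it keeps working as an extra layer after the upgrade.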
CVE-2025-23203 WRITEUP MEDIUM
Icinga Director 1.0.0 to <1.10.4 and <1.11.4 - Information Disclosure and Unauthorized Configuration Change via REST API
Icinga Director is an Icinga config deployment tool. A security vulnerability affects versions from 1.0.0 prior to 1.10.4 and 1.11.4 in several Director REST API endpoints. To reproduce it, an authenticated user with permission to access the Director (plus API access for the API endpoints) is required. Even though some of these Icinga Director users are restricted from accessing certain objects, they are able to retrieve information about those objects if the object name is known, and can then change the configuration of objects they are restricted from accessing. This can lead to further exploitation, data breaches and sensitive information disclosure. Affected endpoints include icingaweb2/director/service (if the host name is left out of the query), icingaweb2/director/notification, icingaweb2/director/serviceset and icingaweb2/director/scheduled-downtime. In addition, the endpoint `icingaweb2/director/services?host=filteredHostName` returns status code 200 even though the services for the host are filtered, which tells the restricted user that the host `filteredHostName` exists; this too can feed further exploitation and data breaches. Icinga Director has patches in versions 1.10.4 and 1.11.4. If upgrading is not feasible, disable the director module for users other than the admin role for the time being.
CVSS 5.5
CVE-2025-23206 WRITEUP HIGH
AWS Cloud Development Kit < 2.177.0 - Improper Certificate Validation in OIDC Custom Resource Provider
The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users of the IAM OIDC custom resource provider package download CA thumbprints as part of the custom resource workflow. However, the current `tls.connect` call always sets `rejectUnauthorized: false`, which is a potential security concern. CDK should follow best practice and set `rejectUnauthorized: true`; because this could be a breaking change for existing CDK applications, the fix is gated behind a feature flag. Note that this is marked as a low severity security advisory because the issuer URL is provided by the CDK users who define the CDK application; if they insist on connecting to an unauthorized OIDC provider, CDK should not disallow this. Additionally, the code runs in a Lambda environment, which mitigates the MITM attack. The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (expected release date 2025-02-22). Once upgraded, users should make sure the feature flag `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections` is set to true in `cdk.context.json` or `cdk.json`. There are no known workarounds for this vulnerability.
CVSS 8.1
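Where the feature flag named above goes, as an added configuration fragment (not from the CDK project's own documentation): CDK reads feature flags from the `context` object of `cdk.json`. The `app` command line is a placeholder for whatever the project already uses.

```json
{
  "app": "npx ts-node --prefer-ts-exts bin/app.ts",
  "context": {
    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true
  }
}
```

After upgrading to v2.177.0 and setting the flag, the thumbprint download is made with certificate validation on; check the flag is present in the committed `cdk.json` rather than only in a developer's local `cdk.context.json`, since the latter is often git-ignored.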
CVE-2025-23215 WRITEUP CRITICAL
PMD and PMD Designer - Exposure of Sensitive Information via Release Signing Key Passphrase
PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys is included in a jar published to Maven Central. The private key itself is not known to have been compromised, but given that its passphrase is, it must also be considered potentially compromised. As a mitigation, both affected keys have been revoked so that no future use of the keys is possible. Note that the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid.
CVE-2025-23221 WRITEUP MEDIUM
Fedify 1.0.13, 1.1.0-1.1.10, 1.2.0-1.2.10, 1.3.0-1.3.3 - Denial of Service via Webfinger Mechanism
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to abuse the Webfinger mechanism to perform a GET request to any internal resource on any host, port and URL combination regardless of present security mechanisms, and to force the victim's server into an infinite loop, causing a denial of service. The same issue can also be leveraged into a blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.
CVSS 5.4
CVE-2026-1776 WRITEUP MEDIUM
Camaleon CMS 2.4.5.0-2.9.0 - Path Traversal
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.
CVSS 6.5
CVE-2025-2304 WRITEUP CRITICAL
Camaleon CMS < 2.9.1 - Privilege Escalation via Mass Assignment in UsersController
A privilege escalation through mass assignment exists in Camaleon CMS. When a user wishes to change their password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.
CVE-2024-46987 WRITEUP HIGH
Camaleon CMS 2.8.0-2.8.1 - Authenticated Path Traversal via MediaController Download
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 7.7
CVE-2024-46986 WRITEUP CRITICAL
Camaleon CMS < 2.8.2 - Authenticated Arbitrary File Write via MediaController Upload
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 9.9
CVE-2023-53936 WRITEUP MEDIUM
Camaleon CMS 2.7.4 - Authenticated Stored Cross-Site Scripting via Post Title
Camaleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.
CVSS 4.8
CVE-2025-24011 WRITEUP MEDIUM
Umbraco CMS 14.0.0 to <14.3.2 and 15.x <15.1.2 - Unauthenticated User Enumeration via Management API Response Analysis
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.
CVSS 5.3