Writeup Exploits

60,509 exploits tracked across all sources.

Sort: Activity Stars
CVE-2026-30140 WRITEUP HIGH
Tenda W15E V02.03.01.26_cn - Info Disclosure
An incorrect access control vulnerability exists in Tenda W15E V02.03.01.26_cn. An unauthenticated attacker can access the /cgi-bin/DownloadCfg/RouterCfm.jpg endpoint to download the configuration file containing plaintext administrator credentials, leading to sensitive information disclosure and potential remote administrative access.
CVSS 7.5
CVE-2025-70040 WRITEUP MEDIUM
jimeng-web-mcp 2.1.2 - Info Disclosure
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information.
CVSS 5.3
CVE-2025-70040 WRITEUP MEDIUM
jimeng-web-mcp 2.1.2 - Info Disclosure
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information.
CVSS 5.3
CVE-2025-70042 WRITEUP CRITICAL
ThermaKube - Server-Side Request Forgery
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master.
CVSS 9.8
CVE-2025-70042 WRITEUP CRITICAL
ThermaKube - Server-Side Request Forgery
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master.
CVSS 9.8
CVE-2025-70046 WRITEUP CRITICAL
Miazzy oa-front-service master - Code Injection
An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master.
CVSS 9.8
CVE-2025-70046 WRITEUP CRITICAL
Miazzy oa-front-service master - Code Injection
An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master.
CVSS 9.8
CVE-2025-70047 WRITEUP HIGH
Nexusoft NexusInterface 3.2.0-beta.2 - DoS
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
CVSS 7.5
CVE-2025-70048 WRITEUP HIGH
Nexusoft NexusInterface 3.2.0-beta.2 - Info Disclosure
An issue pertaining to CWE-319: Cleartext Transmission of Sensitive Information was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
CVSS 7.5
CVE-2025-70048 WRITEUP HIGH
Nexusoft NexusInterface 3.2.0-beta.2 - Info Disclosure
An issue pertaining to CWE-319: Cleartext Transmission of Sensitive Information was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
CVSS 7.5
CVE-2025-70047 WRITEUP HIGH
Nexusoft NexusInterface 3.2.0-beta.2 - DoS
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
CVSS 7.5
CVE-2025-70050 WRITEUP MEDIUM
lesspass v9.6.9 - Cleartext Storage of Sensitive Information
An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information.
CVSS 6.5
CVE-2025-70050 WRITEUP MEDIUM
lesspass v9.6.9 - Cleartext Storage of Sensitive Information
An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information.
CVSS 6.5
CVE-2025-70059 WRITEUP HIGH
YMFE yapi 1.12.0 - Denial of Service via Uncontrolled Resource Consumption
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in YMFE yapi v1.12.0 and allows attackers to cause a denial of service.
CVSS 7.5
CVE-2025-70060 WRITEUP MEDIUM
YMFE yapi 1.12.0 - Cross-Site Scripting
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0.
CVSS 5.4
CVE-2025-70060 WRITEUP MEDIUM
YMFE yapi 1.12.0 - Cross-Site Scripting
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0.
CVSS 5.4
CVE-2025-70059 WRITEUP HIGH
YMFE yapi 1.12.0 - Denial of Service via Uncontrolled Resource Consumption
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in YMFE yapi v1.12.0 and allows attackers to cause a denial of service.
CVSS 7.5
CVE-2025-70238 WRITEUP HIGH
D-Link DIR-513 v1.10 - Buffer Overflow
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard52.
CVSS 7.5
CVE-2025-70243 WRITEUP HIGH
D-Link DIR-513 v1.10 - Buffer Overflow
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard534.
CVSS 7.5
CVE-2025-70250 WRITEUP HIGH
D-Link DIR-513 v1.10 - Buffer Overflow
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formdumpeasysetup.
CVSS 7.5
CVE-2026-3089 WRITEUP MEDIUM
Actual Sync Server <26.3.0 - Path Traversal
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.
CVSS 6.5
CVE-2026-3089 WRITEUP MEDIUM
Actual Sync Server <26.3.0 - Path Traversal
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.
CVSS 6.5
CVE-2026-27638 WRITEUP HIGH
Actual sync-server < 26.2.1 - Authenticated Missing Authorization in Sync API Endpoints
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
CVSS 7.1
CVE-2026-27638 WRITEUP HIGH
Actual sync-server < 26.2.1 - Authenticated Missing Authorization in Sync API Endpoints
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
CVSS 7.1
CVE-2026-27584 WRITEUP HIGH
ActualBudget <26.2.1 - Info Disclosure
Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
CVSS 7.5
By Source
All 60,509 Writeup 60,509 Exploitdb 50,014 Nomisec 21,957 Metasploit 3,232 Github 2,978 Vulncheck_xdb 909 Inthewild 514 Gitlab 443 Gitee 415 Patchapalooza 312
By Language
text 31,346 python 6,226 ruby 5,922 c 3,592 perl 2,849 html 2,056 php 1,327 bash 460 java 364 c++ 252 javascript 220 shell 101 go 64 postscript 25 xml 24