Exploit Database

146,950 exploits tracked across all sources.

Sort: Activity Stars
CVE-2020-23643 WRITEUP MEDIUM
jizhicms 1.7.1 - Cross-Site Scripting via Wechat Controller
XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/WechatController.php.
CVSS 6.1
CVE-2020-21228 WRITEUP MEDIUM
JIZHICMS 1.5.1 - Cross-Site Scripting in /user/release.html
JIZHICMS 1.5.1 contains a cross-site scripting (XSS) vulnerability in the component /user/release.html, which allows attackers to arbitrarily add an administrator cookie.
CVSS 6.1
CVE-2019-17593 WRITEUP HIGH
jizhicms 1.5.1 - Cross-Site Request Forgery via Admin Addition
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVSS 8.8
CVE-2025-62718 WRITEUP CRITICAL
Axios <1.15.0 and <0.31.0 NO_PROXY - Server-Side Request Forgery
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
CVSS 9.9
CVE-2025-63238 WRITEUP MEDIUM
LimeSurvey < 6.15.12 - Reflected Cross-Site Scripting via gid Parameter in getInstance()
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user.
CVSS 6.1
CVE-2025-63238 WRITEUP MEDIUM
LimeSurvey < 6.15.12 - Reflected Cross-Site Scripting via gid Parameter in getInstance()
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user.
CVSS 6.1
CVE-2025-70364 WRITEUP HIGH
Kiamo < 8.4 - Authenticated PHP Code Execution
An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4.
CVSS 8.8
CVE-2025-70365 WRITEUP MEDIUM
Kiamo < 8.4 - Authenticated Stored Cross-Site Scripting in Administrative Interfaces
A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. NOTE: the Supplier's position is that a fix for this had already been released for the 8.3.1 branch before the CVE Record was published.
CVSS 5.4
CVE-2025-70797 WRITEUP MEDIUM
LimeSurvey 6.15.20+251021 - Cross-Site Scripting via Box Title and URL Parameters
Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.
CVSS 6.1
CVE-2025-70810 WRITEUP HIGH
phpBB 3.3.15 - Cross-Site Request Forgery via Login Function
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism
CVSS 8.8
CVE-2026-30478 WRITEUP HIGH
GatewayGeo MapServer for Windows 5 - Privilege Escalation via DLL Injection
A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable.
CVSS 8.8
CVE-2026-30479 WRITEUP CRITICAL
OSGeo Project MapServer <8.0 - DLL Injection
A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable.
CVSS 9.1
CVE-2026-34578 WRITEUP HIGH
OPNsense <26.1.6 WebGUI Login Username - LDAP Injection
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.
CVSS 8.2
CVE-2026-34757 WRITEUP MEDIUM
libpng 1.0.9-1.6.56 Chunk Setters - Use-After-Free
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.
CVSS 5.1
CVE-2026-35040 WRITEUP MEDIUM
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
CVSS 5.3
CVE-2026-35041 WRITEUP MEDIUM
ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
CVSS 4.2
CVE-2026-35204 WRITEUP HIGH
Helm 4.0.0-4.1.3 Plugin Metadata - Arbitrary File Write
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.
CVSS 8.6
CVE-2026-35205 WRITEUP HIGH
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
CVSS 7.8
CVE-2026-39853 WRITEUP HIGH
osslsigncode <2.12 Signature Verification - Stack Buffer Overflow
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.
CVSS 7.8
CVE-2026-39855 WRITEUP MEDIUM
osslsigncode <2.13 PE Page Hashing - Out-of-Bounds Read
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the function subtracts hdrsize from pagesize without first validating that pagesize >= hdrsize. If a malicious PE file sets SizeOfHeaders (hdrsize) larger than SectionAlignment (pagesize), the subtraction underflows and produces a very large unsigned length. The code allocates a zero-filled buffer of pagesize bytes and then attempts to hash pagesize - hdrsize bytes from that buffer. After the underflow, this results in an out-of-bounds read from the heap and can crash the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
CVSS 5.5
CVE-2026-39856 WRITEUP MEDIUM
osslsigncode <2.13 PE Section Bounds - Out-of-Bounds Read
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses PointerToRawData and SizeOfRawData values from section headers without validating that the referenced region lies within the mapped file. An attacker can craft a PE file with section headers that point beyond the end of the file. When osslsigncode computes page hashes for such a file, it may attempt to hash data from an invalid memory region, causing an out-of-bounds read and potentially crashing the process. The vulnerability can be triggered while signing a malicious PE file with page hashing enabled (-ph), or while verifying a malicious signed PE file that already contains page hashes. Verification of an already signed file does not require the verifier to pass -ph. This vulnerability is fixed in 2.13.
CVSS 5.5
CVE-2026-39941 WRITEUP MEDIUM
ChurchCRM <7.1.0 EditEventAttendees.php - Cross-Site Scripting
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims' browsers. This vulnerability is fixed in 7.1.0.
CVSS 6.1
CVE-2026-39957 WRITEUP MEDIUM
Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4.
CVSS 4.3
CVE-2026-39958 WRITEUP CRITICAL
oma-topic: name Field in Topic Manifests (topic.json) May Allow CRLF Injection
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata were not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2.
CVSS 9.1
CVE-2026-39961 WRITEUP MEDIUM
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace — production database credentials, API keys, service tokens — with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace. The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary — the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists. This vulnerability is fixed in 0.37.0.
CVSS 6.8