CVE-2024-53900

This repository contains functional exploit PoCs for multiple CVEs, including a JavaScript injection vulnerability (AIKIDO-2026-10165) and a path traversal vulnerability (CVE-2014-3744). The PoCs demonstrate the vulnerabilities and validate that the Aikido Zen Firewall blocks them.

This repository provides a functional PoC for CVE-2024-53900, demonstrating RCE in Mongoose < 8.8.3 via `populate().match` combined with `$where` injection. It includes a vulnerable Node.js app, automated exploit script, and Nuclei template for testing.

This repository contains a CTF challenge demonstrating CVE-2024-53900, a vulnerability in Mongoose that allows Remote Code Execution (RCE) due to improper use of the `$where` operator in MongoDB queries. The provided code includes a vulnerable Express.js server and a frontend for exploiting the vulnerability.