Publicly Disclosed
PoC Exploits
🔴 Alway take caution when working with PoC Exploits 🔴
Discovered just now...
PoC for CVE-2026-48205
An input validation flaw in Apache Camel's DNS component enables attackers to exploit an SSRF vulnerability. This weakness permits manipulation of DNS operation parameters through Headers that lack proper filtering, allowing attackers to direct requests to malicious DNS servers. The vulnerability...
PoC for CVE-2025-8110
The vulnerability in the PutContents API of Gogs arises from improper handling of symbolic links, potentially allowing local execution of arbitrary code. This misconfiguration may expose sensitive data and facilitate unauthorized access to critical systems. Users and administrators are urged to u...
PoC for CVE-2026-48204
A vulnerability exists in Apache Camel's Mongodb GridFS component due to improper input validation and access control. This issue arises when the producer selects GridFS operations based on unvalidated headers when not explicitly set. An attacker can exploit this by injecting crafted headers, all...
Discovered 9 minutes ago
PoC for CVE-2026-50416
An information disclosure vulnerability in Windows Win32K allows authorized attackers to access sensitive information locally. This security flaw could enable an unauthorized actor to obtain confidential data, leading to potential exploitation in compromised systems. Users are urged to apply avai...
Discovered 1 hour ago
PoC for CVE-2007-2447
The MS-RPC functionality within the Samba server allows attackers to execute arbitrary commands remotely due to improper handling of shell metacharacters. When the 'username map script' configuration option is enabled, a malicious user can exploit the SamrChangePassword function to inject command...
Discovered 2 hours ago
PoC for CVE-2026-48203
A vulnerability exists in the Apache Camel Solr component that allows an attacker to exploit improper input validation and header handling. Specifically, malicious users can manipulate Exchange message headers intended for Solr requests, potentially leading to server-side request forgery (SSRF) a...
Discovered 3 hours ago
PoC for CVE-2026-16073
A security vulnerability has been identified in the AstrBotDevs AstrBot application, specifically within the T2I Feature which utilizes the NetworkRenderStrategy. The flaw resides in the 'Star.text_to_image' function located in the 'astrbot/core/star/base.py' file. This vulnerability allows an at...
Discovered 4 hours ago
PoC for CVE-2026-47323
The implementations of HeaderFilterStrategy in Apache Camel, specifically CxfRsHeaderFilterStrategy and KnativeHttpHeaderFilterStrategy, fail to appropriately filter inbound headers, allowing unauthenticated attackers to inject internal Camel headers through HTTP requests. This vulnerability can ...
Discovered 5 hours ago
PoC for CVE-2026-63308
Helm versions up to 4.2.3 contain a vulnerability in the Files.Lines template helper that can lead to a denial of service. An attacker can exploit this flaw by including zero-length byte slices in chart files, causing the Helm engine to panic and resulting in deterministic render failures. This i...
Discovered 6 hours ago
PoC for CVE-2026-63101
Open Event Server versions up to 1.19.1 are susceptible to a missing authentication flaw which permits unauthorized access to sensitive user information. This vulnerability enables attackers to export the complete member roster of any group via the CSV export endpoint without needing to authentic...
PoC for CVE-2026-63100
A missing authorization vulnerability in the Maybe product allows authenticated users with low privileges to exploit global hosting settings. By leveraging unprotected actions in the Settings::HostingsController, these users can modify critical configurations, access the operator's Synth API key ...
PoC for CVE-2026-63099
TheHive version 4.1.24 contains a broken object-level authorization vulnerability that affects its attachment download functionality. This flaw enables authenticated users to access attachments meant for other organizations. Attackers can exploit this security gap by supplying a content-hash iden...
PoC for CVE-2026-63098
TheHive version 4.1.24 is vulnerable to an unauthenticated information disclosure that permits attackers to access sensitive configuration details simply by sending a GET request to the /api/status endpoint. This endpoint inadequately enforces authentication checks, enabling potential attackers t...
PoC for CVE-2026-63097
An improper access control issue has been identified in Dendrite versions up to 0.13.8, specifically affecting the syncapi /context endpoint. This vulnerability allows authenticated local users, particularly those who have exited a room, to exploit a flawed membership evaluation. The vulnerabilit...
PoC for CVE-2026-63096
Dendrite, up to version 0.13.8, is vulnerable to a server-side request forgery (SSRF) that enables unauthenticated attackers to manipulate the server into establishing outbound TLS connections to arbitrary hosts and ports. This vulnerability arises from the lack of validation on the serverName pa...
PoC for CVE-2026-63095
Dendrite versions up to 0.13.8 exhibit an improper authorization vulnerability within the Matrix Client-Server API, allowing an authenticated user to delete third-party identifier bindings of other users. By exploiting the flawed Forget3PID handler, attackers can submit arbitrary addresses and me...
PoC for CVE-2024-53104
A vulnerability within the Linux kernel's UVC video support can be exploited due to inadequate handling of undefined video frame types. Specifically, when parsing video formats, the omission of UVC_VS_UNDEFINED frames can result in calculating incorrect buffer sizes, potentially leading to unsafe...
Discovered 7 hours ago
PoC for CVE-2026-63093
Cursor for Windows version 3.2.16 is susceptible to a binary planting vulnerability that endangers user systems by enabling remote attackers to execute arbitrary code. This occurs when a malicious git.exe file is placed in the repository root directory. When developers clone and open such a craft...
PoC for CVE-2026-63094
The vulnerability in SigNoz through version 0.133.0 allows attackers to leverage an open redirect in the SSO authentication process. Unauthenticated attackers can exploit this flaw to steal session tokens from users utilizing Google OAuth, SAML, or OIDC. By manipulating the authentication flow, a...
PoC for CVE-2026-16017
A vulnerability has been identified in the mosaxiv clawlet Chat Tool, specifically within the 'list/remove' function located in the 'tools/tool_cron.go' file. This issue allows for unauthorized manipulation due to a lack of proper authorization checks. The vulnerability can be exploited remotely,...
Discovered 8 hours ago
PoC for CVE-2026-16016
A vulnerability exists in poco-ai's poco-claw software, specifically in the run_task function located in executor/app/api/v1/task.py. This security issue is associated with the manipulation of the callback_url argument, which may lead to server-side request forgery. Attackers can exploit this vul...
PoC for CVE-2026-16016
A vulnerability exists in poco-ai's poco-claw software, specifically in the run_task function located in executor/app/api/v1/task.py. This security issue is associated with the manipulation of the callback_url argument, which may lead to server-side request forgery. Attackers can exploit this vul...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
Discovered 9 hours ago
PoC for CVE-2026-16014
The Hospital Bed Management System version 1.0 has a significant SQL injection vulnerability discovered in its login form component. By manipulating the Username argument, attackers can execute unauthorized SQL commands, allowing for remote exploitation. This vulnerability has been publicly discl...
Discovered 10 hours ago
PoC for CVE-2026-16013
A vulnerability exists in the liftoff-sr CIPster, specifically in the CipAppPath::deserialize_symbolic function located within source/src/cip/cipepath.cc. This issue allows manipulation that results in an out-of-bounds read, which could potentially be exploited remotely. The vulnerability affects...
PoC for CVE-2026-16009
A SQL injection vulnerability has been identified in the itsourcecode Hospital Management System version 1.0. The issue arises from an undisclosed function within the file /prescriptionorderdetail.php, where improper handling of the 'delid' argument creates an opportunity for attackers to execute...
Discovered 15 hours ago
PoC for CVE-2026-11966
The User Registration & Membership plugin for WordPress prior to version 5.2.3 has a security flaw that allows unauthenticated attackers to perform unauthorized actions. This weakness occurs due to the absence of capability checks for certain membership payment actions, which permits these attack...
PoC for CVE-2026-12393
The WPS Bookings for WooCommerce plugin prior to version 3.11.7 lacks proper checks to confirm if a booking order is associated with the user making the request. This flaw enables any authenticated user, including Subscribers and Customers, to cancel and void bookings made by other users, leading...
PoC for CVE-2026-13402
The Royal Addons for Elementor plugin prior to version 1.7.1063 fails to validate the post status of menu items and associated templates in its REST endpoints. This oversight allows unauthenticated users to access the rendered HTML content of private or draft Elementor templates linked to non-pub...
PoC for CVE-2026-9810
The AI Copilot WordPress plugin versions prior to 1.5.4 feature a critical OAuth access token vulnerability. This issue arises from the plugin's failure to correctly bind OAuth access tokens to individual WordPress users, resulting in the capability for unauthenticated attackers to exploit the pu...
PoC for CVE-2026-11961
The User Registration & Membership plugin for WordPress, prior to version 5.2.3, lacks proper validation of membership tiers during public registration. This oversight permits unauthenticated users to register for any available membership tier and receive its corresponding user role automatically...
PoC for CVE-2026-11575
The PhonePe Payment Solutions WordPress plugin versions prior to 3.1.0 fails to adequately verify the authenticity of incoming payment callbacks. This vulnerability arises when sites are configured through the current setup flow, leading to an empty secret for validating callback signatures. Cons...
PoC for CVE-2026-10525
The NEX-Forms plugin for WordPress, prior to version 9.2.3, is vulnerable due to inadequate sanitization and escaping of submitted form data. This weakness can allow an attacker to inject malicious scripts that are stored and executed in the admin dashboard when high-privileged users, such as adm...
Discovered 16 hours ago
PoC for CVE-2024-25600
The vulnerability in Bricks Builder, developed by Codeer Limited, allows for improper control of code generation, leading to code injection risks. This condition is particularly critical in versions ranging from n/a to 1.9.6. Attackers may exploit this weakness to execute arbitrary code on the se...
Discovered 21 hours ago
PoC for CVE-2026-43499
A vulnerability exists in the Linux kernel's rtmutex component where the remove_waiter() function incorrectly utilizes current instead of waiter::task during a dequeue operation within various mutex handling paths. This mismanagement leads to multiple issues, including potential use-after-free vu...
Discovered 22 hours ago
PoC for CVE-2026-34197
Apache ActiveMQ Broker is prone to a code injection vulnerability due to improper input validation in the Jolokia JMX-HTTP bridge. By default, this bridge exposes a web console that allows the execution of operations on all ActiveMQ MBeans. An authenticated attacker can exploit this vulnerability...
Discovered 23 hours ago
PoC for CVE-2026-20896
The Gitea Docker image is susceptible to a security issue where the configuration REVERSE_PROXY_TRUSTED_PROXIES is set to '*' by default. This improper configuration allows any source IP address to impersonate a user when reverse-proxy authentication headers, such as X-WEBAUTH-USER, are enabled. ...
Discovered 1 day ago
PoC for CVE-2026-46726
A vulnerability in the Vertx Websocket component of Apache Camel allows for improper input validation and exposes sensitive information to unauthorized actors. The issue arises when inbound WebSocket parameters are incorrectly mapped to the Camel Exchange header map without applying necessary hea...
PoC for CVE-2026-3180
The Contest Gallery plugin for WordPress is exposed to a blind SQL injection vulnerability through the 'cgLostPasswordEmail' and 'cgl_mail' parameters in all versions up to and including 28.1.4. This vulnerability arises due to insufficient escaping of user-supplied input and a lack of proper san...
PoC for CVE-2026-54992
A heap-based buffer overflow vulnerability in Windows Message Queuing Queue Manager can allow an unauthorized attacker to execute arbitrary code locally. This flaw can potentially compromise the integrity and availability of the affected system, posing significant risks if not addressed. Timely u...
PoC for CVE-2026-46592
The vulnerability in Apache Camel CXF SOAP component stems from improper input validation, where the camel-cxf producer can be manipulated to invoke unintended SOAP operations based on the operationName and operationNamespace headers. An attacker can exploit this flaw by sending crafted HTTP requ...
PoC for CVE-2025-55182
A remote code execution vulnerability found in React Server Components allows attackers to exploit improperly handled payloads. This issue affects versions 19.0.0 through 19.2.0, compromising server function endpoints through unsafe deserialization of HTTP request payloads. As a result, this flaw...
PoC for CVE-2026-43499
A vulnerability exists in the Linux kernel's rtmutex component where the remove_waiter() function incorrectly utilizes current instead of waiter::task during a dequeue operation within various mutex handling paths. This mismanagement leads to multiple issues, including potential use-after-free vu...
PoC for CVE-2026-63087
Grafana OnCall up to version 1.16.11 is susceptible to an unauthenticated access vulnerability that enables remote attackers to retrieve a valid PluginAuthToken. By exploiting a flaw in the internal plugin install endpoint and using hardcoded default stack_id and org_id values, attackers can gain...
PoC for CVE-2026-63085
The Axelor Open Platform versions 8.x before 8.2.2 contain a vulnerability that allows authenticated non-admin users to exploit an authorization bypass. This security flaw allows users to escalate their privileges by taking advantage of unenforced field restrictions during nested relational save ...
PoC for CVE-2022-25477
The vulnerability affects the Realtek RtsPer and RtsUer drivers used in PCIe and USB card readers, respectively. It allows an attacker to leak driver logs that may expose kernel mode object addresses. The leakage of these addresses can compromise Kernel Address Space Layout Randomization (KASLR),...