Publicly Disclosed
PoC Exploits
🔴 Alway take caution when working with PoC Exploits 🔴
Discovered just now...
PoC for CVE-2020-3452
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerabili...
PoC for CVE-2025-20362
A security flaw in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance and Threat Defense Software permits unauthorized remote access to restricted URL endpoints. This vulnerability arises from inadequate validation of user-supplied input in HTTP(S) requests. Attackers can exp...
PoC for CVE-2025-20333
A vulnerability exists in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance and Threat Defense Software. This flaw permits an authenticated, remote attacker to execute arbitrary code on the implicated device due to improper validation of user-supplied input in HTTP...
PoC for CVE-2023-26360
CVE-2023-26360 is a critical vulnerability affecting Adobe ColdFusion 2018 Update 15 and earlier, as well as ColdFusion 2021 Update 5 and earlier. This improper access control vulnerability can be exploited remotely by unauthenticated attackers to achieve arbitrary code execution without user int...
Discovered 31 minutes ago
PoC for CVE-2021-33393
The backup routine in IPFire 2.25-core155 is vulnerable due to improper file ownership of the backup script located at /var/ipfire/backup/bin/backup.pl. This script could potentially be owned by an unprivileged user, allowing a malicious actor to inject a Trojan horse script. If executed, this co...
Discovered 33 minutes ago
PoC for CVE-2025-59528
Flowise, a user-friendly platform for creating customized large language model flows, has a significant vulnerability in version 3.0.5 that allows for remote code execution. The flaw lies within the CustomMCP node, where user input is inadequately sanitized. Specifically, the mcpServerConfig stri...
Discovered 2 hours ago
PoC for CVE-2023-23946
The vulnerability in Git enables attackers to exploit path traversal issues by supplying crafted input to the `git apply` command. This allows manipulation that results in the potential overwriting of files situated outside the intended working tree. Such operations can occur under the privileges...
PoC for CVE-2023-20052
A vulnerability in the DMG file parser of ClamAV allows unauthenticated remote attackers to exploit XML entity substitution. This flaw enables attackers to submit a crafted DMG file for scanning, potentially leading to the leakage of sensitive information from files accessed during the scanning p...
PoC for CVE-2022-38694
The vulnerability occurring in UNISOC's BootRom allows a possible unchecked write address, enabling local escalation of privilege without requiring additional execution privileges. This flaw poses a significant security risk, as it can be exploited by malicious actors to gain unauthorized access ...
Discovered 3 hours ago
PoC for CVE-2026-31431
A vulnerability has been identified in the Linux kernel's crypto subsystem, specifically within the algif_aead component. This issue arises from an unnecessary complexity in operating in-place, which has been reverted for improved security and performance. The change eliminates the need for in-pl...
Discovered 4 hours ago
PoC for CVE-2026-34473
An unauthenticated denial-of-service vulnerability exists in multiple models of ZTE routers, allowing an attacker to send an oversized application/x-www-form-urlencoded POST body to the management interface. This can render the device unresponsive until it is rebooted. Devices running firmware ve...
PoC for CVE-2026-42945
A vulnerability exists in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source, triggered when a rewrite directive is followed by an if or set directive that includes a Perl-Compatible Regular Expression (PCRE) capture and a replacement string with a question mark. Attackers can exploi...
Discovered 6 hours ago
PoC for CVE-2024-0519
An out of bounds memory access vulnerability in the V8 JavaScript engine of Google Chrome allows potential exploitation by remote attackers. This security flaw can be triggered through specially crafted HTML pages, leading to possible heap corruption, which could compromise the integrity of the b...
Discovered 8 hours ago
PoC for CVE-2026-8181
The Burst Statistics plugin for WordPress contains a security flaw that allows unauthenticated attackers to exploit incorrect handling of return values in the authentication process. This leads to a vulnerability in the `is_mainwp_authenticated()` function, enabling attackers who know an administ...
PoC for CVE-2026-44578
The Next.js framework, utilized for building web applications, is exposed to a server-side request forgery vulnerability when using versions from 13.4.13 up to but not including 15.5.16 and 16.2.5. This flaw arises when self-hosted applications that employ the built-in Node.js server allow attack...
Discovered 9 hours ago
PoC for CVE-2026-6433
The Custom CSS-JS-PHP WordPress plugin prior to version 2.0.7 contains a vulnerability that allows attackers to inject malicious SQL code due to inadequate input sanitization. This flaw enables unauthenticated users to execute arbitrary PHP code on the server by passing unverified data to an eval...
Discovered 10 hours ago
PoC for CVE-2026-42945
A vulnerability exists in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source, triggered when a rewrite directive is followed by an if or set directive that includes a Perl-Compatible Regular Expression (PCRE) capture and a replacement string with a question mark. Attackers can exploi...
Discovered 12 hours ago
PoC for CVE-2021-47978
ProcessMaker 3.5.4 is prone to a local file inclusion vulnerability that can be exploited by unauthenticated attackers to gain unauthorized access to sensitive files. This vulnerability arises from insufficient validation of path traversal sequences, allowing attackers to manipulate input and acc...
PoC for CVE-2021-47977
The Anti-Malware Security and Bruteforce Firewall plugin for WordPress, specifically version 4.20.59, is susceptible to a directory traversal vulnerability. This flaw enables unauthenticated attackers to manipulate the file parameter in requests sent to the duplicator_download action via admin-aj...
PoC for CVE-2021-47942
A path traversal vulnerability exists in Home Assistant Community Store (HACS) 1.10.0 that enables unauthenticated attackers to exploit the /hacsfiles/ endpoint. This flaw allows attackers to traverse directories and read sensitive files, such as the .storage/auth file, which contains user creden...
PoC for CVE-2020-37241
bloofoxCMS version 0.5.2.1 is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows attackers to execute administrative actions by misleading authenticated users into accessing compromised URLs. By designing deceptive hidden forms that target critical endpoint functio...
PoC for CVE-2021-47981
Quick.CMS version 6.7 is susceptible to a cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject harmful scripts. This exploit is facilitated through the sliders form via the sDescription parameter, where attackers can submit crafted CSRF forms targeting the admin....
PoC for CVE-2021-47979
The Backup and Restore Plugin for WordPress version 1.0.3 is vulnerable to an arbitrary file deletion flaw. This vulnerability allows authenticated users to manipulate AJAX requests and delete files from the WordPress installation. By crafting specific POST requests to the admin-ajax.php endpoint...
PoC for CVE-2021-47980
Fuel CMS version 1.4.13 is susceptible to a blind SQL injection vulnerability that allows authenticated users to craft malicious SQL queries via the 'col' parameter in the Activity Log interface. Attackers can exploit this flaw by sending specially crafted requests to the logs endpoint, enabling ...
PoC for CVE-2021-47976
TextPattern CMS 4.9.0-dev has a vulnerability that enables authenticated attackers to exploit the plugin upload capability. By obtaining a CSRF token from the plugin event page, attackers can upload arbitrary PHP files to the 'textpattern/tmp/' directory, compromising server integrity and allowin...
PoC for CVE-2021-47975
WP Learn Manager version 1.1.2 is susceptible to a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject arbitrary JavaScript via the 'fieldtitle' parameter. By submitting crafted POST requests to the jslm_fieldordering page, attackers can execute malicious scr...
PoC for CVE-2021-47974
VX Search version 13.5.28 suffers from an unquoted service path vulnerability, affecting both the VX Search Server and VX Search Enterprise services. This flaw allows local attackers to escalate their privileges by placing malicious executables in unquoted path directories. When the affected serv...
PoC for CVE-2021-47973
The Sticky Notes Widget version 3.0.6 includes a denial of service vulnerability that can be exploited by an attacker to crash the application on iOS devices. By pasting excessively long character strings—up to 350,000 repeated characters—into the note field, the application can become unresponsi...
PoC for CVE-2021-47971
My Notes Safe version 5.3 is susceptible to a denial of service vulnerability that arises when excessively long character strings are pasted into note fields. Attackers can exploit this flaw by generating a payload consisting of 350,000 repeated characters and pasting it into a new note field twi...
PoC for CVE-2021-47972
The Sticky Notes & Color Widgets plugin version 1.4.2 has a denial of service vulnerability that can be exploited by attackers to crash the application. This is achieved by creating notes with excessively long character strings, where attackers may insert large payloads of repeated characters int...
PoC for CVE-2021-47970
Macaron Notes version 5.5 is susceptible to a denial of service vulnerability due to improper handling of input. Attackers can exploit this by creating notes that contain excessively long character strings, which can reach up to 350,000 repeated characters. This exploit results in the application...
PoC for CVE-2021-47969
Color Notes version 1.4 is susceptible to a denial of service attack. This vulnerability allows an attacker to crash the application by inputting excessively long character strings into note fields. By generating a payload of 350,000 repeated characters and pasting it into a new note twice, an at...
PoC for CVE-2021-47957
The Cookie Law Bar plugin version 1.2.1 for WordPress is vulnerable to stored cross-site scripting (XSS). This allows authenticated attackers to exploit the Bar Message field by injecting malicious scripts into the plugin settings page. Once these scripts are executed in the browsers of users vis...
PoC for CVE-2021-47956
EgavilanMedia PHPCRUD 1.0 is susceptible to an SQL injection flaw that permits unauthenticated attackers to manipulate database queries. By exploiting the firstname parameter through crafted POST requests to insert.php, attackers can inject malicious SQL code, potentially compromising sensitive d...
PoC for CVE-2021-47955
CouchCMS version 2.2.1 features a vulnerability that allows authenticated attackers to exploit the file upload functionality. By uploading malicious SVG files containing embedded JavaScript, attackers can execute arbitrary scripts within users' browsers when the files are accessed or previewed. T...
PoC for CVE-2021-47952
The remote code execution vulnerability in version 2.0.0 of Python jsonpickle arises when the library deserializes malicious JSON payloads. Attackers can exploit this flaw by crafting JSON strings that contain py/repr directives, leading to the invocation of the eval function on the server. This ...
PoC for CVE-2021-47954
LayerBB 1.1.4 features an SQL injection flaw that enables unauthenticated attackers to alter SQL queries through the 'search_query' parameter. By exploiting this vulnerability, attackers can send specially crafted POST requests to /search.php, utilizing CASE WHEN statements to gain access to sens...
PoC for CVE-2021-47934
The MyBB Timeline Plugin version 1.0 is susceptible to cross-site scripting (XSS) vulnerabilities, which permit attackers to inject harmful scripts via thread titles, post content, and profile fields such as Location and Bio. Additionally, a cross-site request forgery (CSRF) vulnerability allows ...
PoC for CVE-2020-37247
The Kite 4.2.0.1 U1 version contains an unquoted service path vulnerability in the KiteService Windows service. This flaw permits local attackers to escalate their privileges by exploiting the service’s binary path. By placing a malicious executable in the Program Files directory, attackers can e...
PoC for CVE-2020-37246
Supsystic Backup version 2.3.9 is susceptible to a local file inclusion vulnerability that enables attackers to read and potentially delete arbitrary files. This exploitation occurs through manipulation of the download path parameter in admin.php, utilizing directory traversal sequences. As a res...
PoC for CVE-2020-37245
Supsystic Digital Publications version 1.6.9 exhibits a severe path traversal vulnerability within the Folder input field, enabling attackers to manipulate directory traversal sequences to gain access to files outside the designated web root. In addition, the plugin has inadequate input field san...
PoC for CVE-2020-37244
The Supsystic Membership plugin version 1.4.7 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL commands. By manipulating 'search' and 'sidx' parameters through GET requests to the badges module, attackers can leverage techniques such as time-based blind ...
PoC for CVE-2020-37243
The Supsystic Pricing Table version 1.8.7 is exposed to an SQL injection vulnerability through the 'sidx' GET parameter, allowing unauthenticated individuals to execute arbitrary SQL queries via the getListForTbl action. Furthermore, it holds stored cross-site scripting vulnerabilities within the...
PoC for CVE-2020-37242
The Supsystic Ultimate Maps plugin version 1.1.12 is susceptible to an SQL injection vulnerability via the 'sidx' GET parameter. This flaw enables unauthenticated attackers to execute arbitrary SQL queries, potentially leading to the extraction of sensitive data from the database. By crafting spe...
PoC for CVE-2020-37240
Queue Management System version 4.0.0 contains a vulnerability that allows authenticated administrators to exploit stored cross-site scripting (XSS). This issue arises when malicious users can inject JavaScript code via the First Name, Last Name, and Email fields during the user creation process....
PoC for CVE-2020-37239
libbabl version 0.1.62 contains a significant vulnerability related to broken double free detection. By exploiting the flaw, attackers can manipulate memory safety checks through signature overwriting in freed chunks, enabling them to invoke the babl_free() function multiple times on the same poi...
PoC for CVE-2020-37238
CMS Made Simple 2.2.15 is susceptible to a stored cross-site scripting vulnerability. Authenticated users with Content Manager privileges can upload SVG files containing malicious scripts. Once these SVG files are uploaded, the embedded JavaScript executes when other authenticated users access th...
PoC for CVE-2020-37237
Composr CMS 10.0.34 is susceptible to a persistent cross-site scripting vulnerability that enables authenticated administrators to inject malicious scripts via the banner management interface. Attackers with admin access can manipulate the Description field when adding banners, resulting in the e...
PoC for CVE-2020-37235
The Wibar theme version 1.1.8 for WordPress is susceptible to a stored cross-site scripting vulnerability within the Brand component. This flaw enables authenticated users—specifically those with editor, administrator, contributor, or author roles—to inject malicious scripts by manipulating the L...
PoC for CVE-2020-37236
NewsLister, a product by NetArt Media, is susceptible to an authenticated persistent cross-site scripting (XSS) vulnerability. This flaw allows authenticated administrators to input malicious JavaScript payloads through the title parameter in the news addition interface. As a result, these inject...