Publicly Disclosed
PoC Exploits

🔴 Always take caution when working with PoC Exploits 🔴

Discovered just now...

PoC for CVE-2025-55182

Meta | React-server-dom-webpack | 🟣 EPSS 58% | 10 CRITICAL
Remote Code Execution Vulnerability in React Server Components by Meta

A remote code execution vulnerability found in React Server Components allows attackers to exploit improperly handled payloads. This issue affects versions 19.0.0 through 19.2.0, compromising server function endpoints through unsafe deserialization of HTTP request payloads. As a result, this flaw...

Discovered 2 hours ago

PoC for CVE-2026-2218

D-link | Dcs-933l | 5.3 MEDIUM
Command Injection Vulnerability in D-Link DCS-933L Products

A command injection vulnerability exists in D-Link DCS-933L firmware versions up to 1.14.11 due to improper handling of parameters in the '/setSystemAdmin' functionality of the alphapd component. This flaw allows an attacker to remotely execute arbitrary commands by manipulating the AdminID argum...

PoC for CVE-2024-46987

Owen2345 | Camaleon-cms | 7.7 HIGH
Camaleon CMS Vulnerability in Download Private File Method

Camaleon CMS, a robust content management system built on Ruby on Rails, has a path traversal vulnerability in the MediaController's download_private_file method. This flaw permits authenticated users to potentially download any file stored on the web server, depending on file permissions configu...

PoC for CVE-2026-2217

Itsourcecode | Event Management System | 6.9 MEDIUM
SQL Injection Vulnerability in itsourcecode Event Management System

A security flaw has been identified in version 1.0 of the itsourcecode Event Management System, specifically within the /admin/manage_user.php file. The vulnerability arises due to improper handling of user input in an unknown function, allowing an attacker to manipulate the ID argument. This res...

Discovered 3 hours ago

PoC for CVE-2026-2216

Rachelos | Werss We-mp-rss | 5.3 MEDIUM
Path Traversal Vulnerability in WeRSS Plugin by rachelos

A vulnerability has been identified in the WeRSS we-mp-rss plugin versions up to 1.4.8. The flaw resides in the function download_export_file located in apis/tools.py, where improper validation of the filename argument can enable attackers to perform path traversal. This can lead to unauthorized ...

PoC for CVE-2026-2215

Rachelos | Werss We-mp-rss | 6.3 MEDIUM
Weak Authentication in rachelos WeRSS we-mp-rss Product

A vulnerability has been identified in the rachelos WeRSS we-mp-rss component, particularly regarding the JWT Handler in the core/auth.py file. An attacker can manipulate the SECRET_KEY argument, leading to the use of a default cryptographic key. This scenario poses significant risks as it allows...

Discovered 4 hours ago

PoC for CVE-2026-2214

Code-projects | For Plugin | 4.8 MEDIUM
Cross Site Scripting Vulnerability in Code-Projects Plugin for Onli...

A vulnerability has been discovered in the Code-Projects Plugin specifically within the AdminAddAlbum.php file. This weakness allows attackers to manipulate the txtalbum argument, leading to potential cross site scripting attacks. Exploitation of this vulnerability could be executed remotely, pos...

PoC for CVE-2026-2213

Code-projects | Online Music Site | 5.1 MEDIUM
Unrestricted File Upload Vulnerability in Code-Projects Online Musi...

A security flaw has been identified in the Code-Projects Online Music Site 1.0, specifically within the functionality of the file located at /Administrator/PHP/AdminAddAlbum.php. The vulnerability allows for an unrestricted file upload due to improper handling of the argument 'txtimage'. This fla...

Discovered 5 hours ago

PoC for CVE-2026-2212

Code-projects | Online Music Site | 6.9 MEDIUM
SQL Injection Vulnerability in Online Music Site by Code-Projects

A vulnerability exists in the Online Music Site 1.0 developed by Code-Projects, specifically within the file /Administrator/PHP/AdminEditCategory.php. This flaw enables an SQL injection attack via manipulation of the argument ID, allowing remote attackers to execute unauthorized SQL commands. The...

PoC for CVE-2026-2211

Code-projects | Online Music Site | 6.9 MEDIUM
SQL Injection Vulnerability in Code-Projects Online Music Site by C...

A security vulnerability exists in Code-Projects' Online Music Site version 1.0, specifically within the /Administrator/PHP/AdminDeleteCategory.php file. An attacker can manipulate the ID argument, resulting in a SQL injection. This vulnerability allows for unauthorized access and manipulation of...

Discovered 6 hours ago

PoC for CVE-2026-2210

D-link | Dir-823x | 8.6 HIGH
OS Command Injection Vulnerability in D-Link DIR-823X Product

A vulnerability exists in the D-Link DIR-823X router that allows remote attackers to exploit the 'set_filtering' function. By manipulating specific parameters, an attacker can execute arbitrary operating system commands, potentially leading to unauthorized access and control over the affected dev...

PoC for CVE-2026-2203

Tenda | Ac8 | 8.7 HIGH
Buffer Overflow Vulnerability in Tenda AC8 Embedded Httpd Service

A vulnerability exists in the Tenda AC8 router's Embedded Httpd Service, specifically within the /goform/fast_setting_wifi_set function. This flaw arises when manipulating the 'timeZone' argument, leading to a buffer overflow. Such a vulnerability can allow remote attackers to exploit the flaw, p...

PoC for CVE-2026-2202

Tenda | Ac8 | 8.7 HIGH
Buffer Overflow Vulnerability in Tenda AC8 Router

A buffer overflow vulnerability exists in the Tenda AC8 router, specifically in the 'fromSetWifiGusetBasic' function of the '/goform/WifiGuestSet' component. The flaw is triggered by improper handling of the 'shareSpeed' argument, which allows an attacker to execute arbitrary code remotely. The e...

Discovered 7 hours ago

PoC for CVE-2026-2201

Zerowdd | Studentmanager | 4.8 MEDIUM
Cross-Site Scripting Vulnerability in ZeroWdd StudentManager

A security vulnerability has been identified in the ZeroWdd StudentManager, specifically within the addLeave function of LeaveController.java. This vulnerability allows for cross-site scripting (XSS) attacks through improper handling of the 'Reason for Leave' input, potentially enabling remote at...

PoC for CVE-2026-2200

Heyewei | Jfinalcms | 4.8 MEDIUM
Cross-Site Scripting Vulnerability in heyewei JFinalCMS 5.0.0

A weakness has been discovered in heyewei JFinalCMS 5.0.0, specifically in the API Endpoint's save function located at /admin/admin/save. This vulnerability allows attackers to perform cross-site scripting (XSS) attacks, which can be executed remotely. Publicly available exploit vectors have been...

PoC for CVE-2026-2199

Code-projects | Online Reviewer System | 6.9 MEDIUM
SQL Injection Vulnerability in Code-Projects Online Reviewer System...

A security flaw exists in the Code-Projects Online Reviewer System 1.0, specifically affecting the user deletion functionality located in the file /reviewer/system/system/admins/manage/users/user-delete.php. An unauthenticated attacker can exploit this flaw by manipulating the 'ID' parameter, lea...

PoC for CVE-2026-2198

Code-projects | Online Reviewer System | 6.9 MEDIUM
SQL Injection Vulnerability in the Online Reviewer System by Code-P...

A vulnerability exists in the Online Reviewer System 1.0 from Code-Projects, specifically within the file /system/system/admins/assessments/pretest/loaddata.php. This flaw, stemming from the manipulation of the 'difficulty_id' parameter, allows for SQL injection attacks. Attackers can exploit thi...

Discovered 8 hours ago

PoC for CVE-2026-2195

Code-projects | Online Reviewer System | 6.9 MEDIUM
SQL Injection Vulnerability in Code-Projects Online Reviewer System...

A security flaw has been identified in the Online Reviewer System 1.0 by Code-Projects, located in the admin assessment interface. This vulnerability enables an attacker to manipulate the argument ID within the questions-view.php file, leading to potential SQL injection attacks. This exploit can ...

PoC for CVE-2026-2194

D-link | Di-7100g C1 | 5.3 MEDIUM
Command Injection Flaw in D-Link DI-7100G C1 Router

A security flaw has been identified in the D-Link DI-7100G C1 router, specifically within the start_proxy_client_email function. This vulnerability allows an attacker to execute commands on the device remotely, potentially compromising its security. Exploitation can be carried out without physica...

Discovered 9 hours ago

PoC for CVE-2026-2192

Tenda | Ac9 | 8.6 HIGH
Stack-Based Buffer Overflow in Tenda AC9 Router by Tenda

A security vulnerability affecting the Tenda AC9 router has been identified, specifically in its function formGetRebootTimer. By manipulating arguments like sys.schedulereboot.start_time and sys.schedulereboot.end_time, an attacker can induce a stack-based buffer overflow. This vulnerability can ...

PoC for CVE-2026-2191

Tenda | Ac9 | 8.6 HIGH
Stack-Based Buffer Overflow in Tenda AC9 Router

A vulnerability in the Tenda AC9 router has been identified, specifically in the function formGetDdosDefenceList. This flaw allows for the manipulation of the argument security.ddos.map, leading to a stack-based buffer overflow. This weakness can be exploited remotely, presenting significant secu...

PoC for CVE-2026-2190

Itsourcecode | School Management System | 6.9 MEDIUM
SQL Injection Vulnerability in itsourcecode School Management Syste...

A security flaw has been identified in the itsourcecode School Management System version 1.0, which affects the processing of user input in the controller.php file. This vulnerability allows remote attackers to exploit an unvalidated argument ID, leading to SQL injection attacks. By manipulating ...

Discovered 10 hours ago

PoC for CVE-2026-2189

Itsourcecode | School Management System | 6.9 MEDIUM
SQL Injection Vulnerability in itsourcecode School Management Syste...

A critical SQL injection vulnerability has been discovered in the itsourcecode School Management System version 1.0. This flaw is located in the file /ramonsys/report/index.php, where improper handling of a user-supplied argument, 'ay', allows an attacker to execute arbitrary SQL queries against ...

PoC for CVE-2026-2188

Utt | 进取 521g | 8.6 HIGH
OS Command Injection Vulnerability in UTT 进取 521G by UTT

A notable security vulnerability has been identified in UTT 进取 521G version 3.1.1-190816, specifically within the function sub_446B18 of the file /goform/formPdbUpConfig. This vulnerability allows an attacker to manipulate the argument 'policyNames', potentially leading to remote OS command injec...

PoC for CVE-2025-49132

Pterodactyl | Panel | 🟣 EPSS 35% | 10 CRITICAL
Remote Code Execution Vulnerability in Pterodactyl Game Server Mana...

Pterodactyl, a widely used free and open-source game server management panel, has a significant vulnerability that allows unauthorized remote code execution. This occurs through the /locales/locale.json endpoint when specific query parameters are manipulated. Attackers exploiting this flaw can ex...

Discovered 11 hours ago

PoC for CVE-2026-2187

Tenda | Rx3 | 8.7 HIGH
Stack-Based Buffer Overflow in Tenda RX3 Router by Tenda

A stack-based buffer overflow vulnerability exists in the Tenda RX3 router, specifically within the set_qosMib_list function of the /goform/formSetQosBand file. This weakness allows an attacker to manipulate the argument list, potentially leading to unauthorized remote code execution. Given that ...

PoC for CVE-2026-2186

Tenda | Rx3 | 8.7 HIGH
Stack-based Buffer Overflow in Tenda RX3 Router

The Tenda RX3 router suffers from a stack-based buffer overflow vulnerability in the fromSetIpMacBind function located in the /goform/SetIpMacBind file. This flaw allows attackers to manipulate the argument list remotely, potentially leading to arbitrary code execution. The public disclosure of t...

PoC for CVE-2026-2185

Tenda | Rx3 | 8.7 HIGH
Stack-Based Buffer Overflow in Tenda RX3 Router

A security flaw has been identified in the Tenda RX3 router, specifically in the MAC Filtering Configuration Endpoint. The vulnerability lies in the function set_device_name located in the /goform/setBlackRule file, where improper handling of the devName/mac argument leads to a stack-based buffer...

Discovered 12 hours ago

PoC for CVE-2026-2182

Utt | 进取 521g | 8.6 HIGH
Command Injection Vulnerability in UTT 进取 521G by UTT

A security weakness has been discovered in the UTT 进取 521G, specifically within the doSystem function of the /goform/setSysAdm file. Manipulating the argument 'passwd1' can allow an attacker to perform command injection, leading to potential unauthorized execution of commands. This vulnerability ...

PoC for CVE-2026-2181

Tenda | Rx3 | 8.7 HIGH
Stack-based Buffer Overflow in Tenda RX3 Router

A security vulnerability has been identified in the Tenda RX3 router, specifically in the '/goform/openSchedWifi' file. This flaw allows for a stack-based buffer overflow when the arguments 'schedStartTime' and 'schedEndTime' are manipulated. The issue can be exploited remotely, posing significan...

PoC for CVE-2026-2180

Tenda | Rx3 | 8.7 HIGH
Stack-Based Buffer Overflow in Tenda RX3 Wireless Router

A vulnerability in Tenda RX3 firmware version 16.03.13.11 has been discovered, leading to a stack-based buffer overflow due to unauthorized manipulation of the ssid_5g parameter in the /goform/fast_setting_wifi_set function. This issue can be exploited remotely, posing a significant risk as the e...

PoC for CVE-2026-2179

PHPgurukul | Hospital Management Sy... | 5.1 MEDIUM
SQL Injection Vulnerability in PHPGurukul Hospital Management System

A vulnerability has been identified in the PHPGurukul Hospital Management System 4.0, specifically within the /admin/manage-users.php file. This issue arises from improper handling of the ID argument, allowing attackers to execute SQL injection attacks. As a consequence, malicious actors could po...

Discovered 13 hours ago

PoC for CVE-2026-2178

R-huijts | Xcode-mcp-server | 5.3 MEDIUM
Command Injection Vulnerability in r-huijts xcode-mcp-server

A command injection vulnerability exists in the registerXcodeTools function of the r-huijts xcode-mcp-server, which affects versions prior to f3419f00117aa9949e326f78cc940166c88f18cb. When manipulating the 'args' argument, an attacker can exploit this vulnerability to execute arbitrary commands r...

PoC for CVE-2026-2177

Sourcecodester | Prison Management System | 6.9 MEDIUM
Session Fixation Vulnerability in SourceCodester Prison Management ...

A session fixation vulnerability has been identified in the Login component of SourceCodester's Prison Management System version 1.0. This weakness allows attackers to manipulate session identifiers, potentially compromising user sessions. The vulnerability can be exploited remotely, making it ur...

PoC for CVE-2026-2175

D-link | Dir-823x | 8.6 HIGH
OS Command Injection Vulnerability in D-Link DIR-823X Router

A security weakness has been discovered in the D-Link DIR-823X router, specifically within the sub_420618 function of the /goform/set_upnp file. This vulnerability allows attackers to manipulate the upnp_enable argument, potentially leading to OS command injection. The remote exploit is publicly ...

Discovered 14 hours ago

PoC for CVE-2026-2169

D-link | Dwr-m921 | 5.3 MEDIUM
Command Injection Vulnerability in D-Link DWR-M921 Router

A command injection vulnerability exists in the D-Link DWR-M921 router version 1.1.50. This flaw affects a specific function within the file /boafrm/formLtefotaUpgradeFibocom, allowing an attacker to manipulate the 'fota_url' argument. Exploiting this vulnerability enables unauthorized users to e...

PoC for CVE-2026-2168

D-link | Dwr-m921 | 5.3 MEDIUM
Command Injection Vulnerability in D-Link DWR-M921 Router

A command injection flaw exists in the D-Link DWR-M921 router, specifically within the sub_419920 function found in the /boafrm/formLtefotaUpgradeQuectel file. This vulnerability allows attackers to manipulate the fota_url argument, enabling remote execution of arbitrary commands. Given that an e...

Discovered 15 hours ago

PoC for CVE-2026-2167

Totolink | Wa300 | 5.3 MEDIUM
OS Command Injection Vulnerability in Totolink WA300 Router

An OS command injection vulnerability has been identified in the Totolink WA300 router, specifically within the setAPNetwork function located in /cgi-bin/cstecgi.cgi. This flaw allows an attacker to manipulate the Ipaddr argument, leading to the execution of arbitrary operating system commands. T...

PoC for CVE-2026-2166

Code-projects | Online Reviewer System | 6.9 MEDIUM
SQL Injection Vulnerability in Online Reviewer System by Code-Projects

A critical security flaw exists in the Online Reviewer System 1.0 developed by Code-Projects, related to SQL injection vulnerabilities within the login functionality found in the /login/index.php file. Malicious actors can manipulate the username and password fields to execute arbitrary SQL comma...

PoC for CVE-2026-2165

Detronetdip | E-commerce | 6.9 MEDIUM
Missing Authentication Flaw in Detronetdip E-Commerce Software

A vulnerability has been detected in Detronetdip E-commerce 1.0.0, specifically within the account creation endpoint located at /Admin/assets/backend/seller/add_seller.php. This issue arises when the email argument is improperly handled, resulting in missing authentication protections. This flaw ...

PoC for CVE-2026-2164

Detronetdip | E-commerce | 6.9 MEDIUM
Unrestricted File Upload Vulnerability in detronetdip E-commerce So...

A security flaw has been identified in detronetdip E-commerce version 1.0.0, specifically affecting the processing of the /seller/assets/backend/profile/addadhar.php file. This vulnerability enables attackers to exploit argument manipulation in the File parameter, leading to an unrestricted file ...

PoC for CVE-2026-2163

D-link | Dir-600 | 5.1 MEDIUM
Command Injection Vulnerability in D-Link DIR-600 by D-Link

A command injection vulnerability exists in the D-Link DIR-600 router affecting versions up to 2.15WWb02. This flaw is found in the ssdp.cgi file, where improper handling of arguments such as HTTP_ST, REMOTE_ADDR, REMOTE_PORT, and SERVER_ID can allow an attacker to execute arbitrary commands remo...

Discovered 16 hours ago

PoC for CVE-2026-2162

Itsourcecode | News Portal Project | 5.1 MEDIUM
SQL Injection Vulnerability in itsourcecode News Portal Project

A vulnerability exists in the itsourcecode News Portal Project 1.0 within the /admin/aboutus.php file. This weakness arises from improper handling of the 'pagetitle' argument, leading to a potential SQL injection attack. Remote attackers can exploit this vulnerability to manipulate queries execut...

PoC for CVE-2026-2161

Itsourcecode | Directory Management S... | 6.9 MEDIUM
SQL Injection Vulnerability in itsourcecode Directory Management Sy...

A security flaw exists in the itsourcecode Directory Management System version 1.0, specifically in the /admin/forget-password.php file. This vulnerability allows an attacker to exploit the email parameter, leading to SQL injection attacks. Given that the vulnerability can be triggered remotely, ...

PoC for CVE-2026-2160

Sourcecodester | Simple Responsive Tour... | 5.3 MEDIUM
Cross-Site Scripting Vulnerability in SourceCodester Simple Respons...

A vulnerability exists in the SourceCodester Simple Responsive Tourism Website version 1.0, specifically affecting the save_package function located in /tourism/classes/Master.php. This vulnerability enables an attacker to exploit the argument 'Title' to execute arbitrary scripts in the context o...

PoC for CVE-2026-2159

Sourcecodester | Simple Responsive Tour... | 5.3 MEDIUM
Cross Site Scripting Vulnerability in SourceCodester Simple Respons...

A vulnerability has been identified in the SourceCodester Simple Responsive Tourism Website 1.0 affecting an unknown function in the Master.php file associated with the registration component. By manipulating the arguments such as firstname, lastname, or username, an attacker can execute cross si...

Discovered 17 hours ago

PoC for CVE-2026-2157

D-link | Dir-823x | 8.6 HIGH
OS Command Injection Vulnerability in D-Link DIR-823X Router

A security vulnerability has been identified in the D-Link DIR-823X 250416, specifically within the sub_4175CC function in the file /goform/set_static_route_table. This vulnerability allows for OS command injection when manipulating parameters such as interface, destip, netmask, gateway, and metr...

PoC for CVE-2026-2156

Code-projects | Online Student Managem... | 4.8 MEDIUM
Cross-Site Scripting Vulnerability in Online Student Management Sys...

A vulnerability exists within the Online Student Management System 1.0, specifically in the Announcement Management Module's handling of user input. The affected file, located at /admin/announcement/index.php?view=add, is susceptible to cross-site scripting attacks. Attackers can exploit this vul...

Discovered 18 hours ago

PoC for CVE-2026-2155

D-link | Dir-823x | 8.6 HIGH
OS Command Injection Vulnerability in D-Link DIR-823X Router

A security flaw has been identified in the D-Link DIR-823X router, specifically within the sub_4208A0 function of the Configuration Handler component. This vulnerability allows remote attackers to manipulate the 'dmz_host' and 'dmz_enable' parameters, leading to potential OS command injection. Th...