Publicly Disclosed
PoC Exploits
π΄ Alway take caution when working with PoC Exploits π΄
Discovered 18 hours ago
PoC for CVE-2024-40711
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
PoC for CVE-2023-0297
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
Discovered 2 days ago
PoC for CVE-2024-8504
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
Discovered 3 days ago
PoC for CVE-2023-33831
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
PoC for CVE-2024-29847
The vulnerability (CVE-2024-29847) affects the agent portal of Ivanti Endpoint Manager, allowing remote unauthenticated attackers to achieve remote code execution. Ivanti has released updates to fix this vulnerability, as well as 15 additional vulnerabilities, including critical SQL injection fla...
PoC for CVE-2024-36401
A remote code execution vulnerability (CVE-2024-36401) in GeoServer versions 2.23.6, 2.24.4, and 2.25.2 allows unauthenticated users to execute arbitrary code through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. T...
PoC for CVE-2023-28753
netconsd prior to v0.2 was vulnerable to an integer overflow in its parse_packet function. A malicious individual could leverage this overflow to create heap memory corruption with attacker controlled data.
Discovered 4 days ago
PoC for CVE-2022-1388
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End o...
Discovered 5 days ago
PoC for CVE-2024-37084
In Spring Cloud Data Flow versions prior to 2.11.4,Β Β a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server
PoC for CVE-2024-0624
The Paid Memberships Pro β Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missing or incorrect nonce validation on the pmpro_update_level_order() function. T...
PoC for CVE-2024-0623
The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbp_clear_patterns_cache() function. This makes it possible for unauthenticated attackers to clear the...
PoC for CVE-2024-0590
The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and ...
PoC for CVE-2024-0588
The Paid Memberships Pro β Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing nonce validation on the pmpro_lifter_save_streamline_option() function. Th...
PoC for CVE-2024-0379
The Custom Twitter Feeds β A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctf_auto_save_tokens function. This makes it possible for unauthent...
PoC for CVE-2024-0509
The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the βrequestβ parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
PoC for CVE-2019-0567
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0539, CVE-2019-0568.
Discovered 6 days ago
PoC for CVE-2024-4577
The vulnerability, identified as CVE-2024-4577, affects PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 when using Apache and PHP-CGI on Windows. It allows unauthenticated attackers to bypass protections and execute arbitrary code on remote PHP servers through an arg...
PoC for CVE-2024-6624
The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. This is due to improper controls on custom user meta fields. This makes it possible for unauthenticated attackers to register as administrators on the site. The plugin require...
PoC for CVE-2024-28000
The CVE-2024-28000 vulnerability is found in the widely-used LiteSpeed Cache Plugin for WordPress websites, allowing unauthenticated users to gain administrator-level access and create new user accounts with the administrator role. This critical privilege escalation vulnerability has a high CVSS ...
Discovered 1 week ago
PoC for CVE-2018-0834
Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0835, CV...
PoC for CVE-2024-34831
cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.
PoC for CVE-2022-0944
Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.
PoC for CVE-2024-38063
A critical remote code execution vulnerability, identified as CVE-2024-38063, has been discovered in the Windows TCP/IP stack by Microsoft. This vulnerability, rated with a CVSSv3 score of 9.8, can be exploited remotely by sending specially crafted IPv6 packets to the target, requiring no user in...
PoC for CVE-2024-44849
Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
PoC for CVE-2024-8517
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
Discovered 2 weeks ago
PoC for CVE-2024-6386
A critical vulnerability (CVE-2024-6386) in the popular WPML WordPress Multilingual plugin has been discovered, allowing for remote code execution. This vulnerability affects all versions up to 4.6.12, making it possible for attackers with Contributor-level access or above to execute code on the ...
PoC for CVE-2018-6574
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
PoC for CVE-2024-28987
The vulnerability CVE-2024-28987 in SolarWinds Web Help Desk (WHD) allows remote unauthenticated users to access internal functionality and modify data on affected systems. The severity of the vulnerability is rated 9.1 on the CVSS scoring system, making it critical. It was discovered by security...
PoC for CVE-2017-5638
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or ...
PoC for CVE-2023-25355
CoreDial sipXcom up to and including 21.04 is vulnerable to Insecure Permissions. A user who has the ability to run commands as the `daemon` user on a sipXcom server can overwrite a service file, and escalate their privileges to `root`.
PoC for CVE-2023-6275
A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /mobileredir/openApp.jsp of the component mobileredir. The manipulation of the argument redirectUrl/user with the input "><...
PoC for CVE-2023-4220
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
PoC for CVE-2023-26360
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
PoC for CVE-2024-45589
RapidIdentity LTS through 2023.0.2 and Cloud through 2024.08.0 improperly restricts excessive authentication attempts and allows a remote attacker to cause a denial of service via the username parameters.
PoC for CVE-2024-7029
The vulnerability with the title CVE-2024-7029 allows unauthenticated attackers to inject commands over the network in AVTECH IP cameras. This flaw has a high severity with a CVSS v4 score of 8.7 and impacts all AVTECH AVM1203 IP cameras running on specific firmware versions. Since these models a...
PoC for CVE-2023-45866
CVE-2023-45866 is a Bluetooth vulnerability affecting the BlueZ software, which can lead to the injection of HID messages by unauthenticated devices. This vulnerability could potentially impact Linux-based systems and Ubuntu 22.04LTS. Apple has released patches to fix 12 vulnerabilities on variou...
PoC for CVE-2024-38063
A critical remote code execution vulnerability, identified as CVE-2024-38063, has been discovered in the Windows TCP/IP stack by Microsoft. This vulnerability, rated with a CVSSv3 score of 9.8, can be exploited remotely by sending specially crafted IPv6 packets to the target, requiring no user in...
PoC for CVE-2020-24972
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.
PoC for CVE-2024-38080
The Microsoft July update included patches for a total of 143 security flaws, with two actively exploited vulnerabilities. One of these is the CVE-2024-38080, a Windows Hyper-V Elevation of Privilege Vulnerability which enables a local, authenticated attacker to elevate privileges to SYSTEM level...
PoC for CVE-2024-38063
A critical remote code execution vulnerability, identified as CVE-2024-38063, has been discovered in the Windows TCP/IP stack by Microsoft. This vulnerability, rated with a CVSSv3 score of 9.8, can be exploited remotely by sending specially crafted IPv6 packets to the target, requiring no user in...
PoC for CVE-2023-29360
The Microsoft Streaming Service has a high-severity elevation of privilege vulnerability known as CVE-2023-29360, with a CVSS score of 8.4, that is currently being actively exploited in the wild by the Raspberry Robin malware. The vulnerability allows attackers to gain System privileges and impac...
PoC for CVE-2024-38063
A critical remote code execution vulnerability, identified as CVE-2024-38063, has been discovered in the Windows TCP/IP stack by Microsoft. This vulnerability, rated with a CVSSv3 score of 9.8, can be exploited remotely by sending specially crafted IPv6 packets to the target, requiring no user in...
PoC for CVE-2024-21413
A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-21413, affects Microsoft Outlook and has been exploited as a zero-day before being patched during this month's Patch Tuesday. The vulnerability allows for remote unauthenticated attackers to exploit the flaw, gaining high p...
PoC for CVE-2024-0195
A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remot...
PoC for CVE-2024-7120
The vulnerability CVE-2024-7120 is a remote OS command injection vulnerability discovered in Raisecom web interface. It affects the MSG1200, MSG2100E, MSG2200, and MSG2300 3.90 and is classified as critical. The manipulation of the argument template leads to OS command injection, and the attack c...
PoC for CVE-2023-38831
A critical vulnerability, tracked as CVE-2023-38831, has been identified in WinRAR software, allowing attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. This vulnerability has been exploited in the wild from April through October 2023. The Bumbleb...
PoC for CVE-2024-20017
In wlan service, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation Patch ID: WCNCR00350938; Issue ID: MSV-1132.
PoC for CVE-2024-1071
The Ultimate Member β User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of suf...
Discovered 3 weeks ago
PoC for CVE-2024-7646
A critical vulnerability has been discovered in the widely used ingress-nginx Kubernetes controller, tracked as CVE-2024-7646. Attackers can bypass annotation validation to inject arbitrary commands and obtain the credentials of the controller, allowing access to all secrets in the cluster. The f...