Publicly Disclosed
PoC Exploits

🔴 Always take caution when working with PoC Exploits 🔴

Discovered just now...

PoC for CVE-2025-59528

Flowiseai | Flowise | 🟣 EPSS 85% | 10 CRITICAL
Remote Code Execution Vulnerability in Flowise by FlowiseAI

Flowise, a user-friendly platform for creating customized large language model flows, has a significant vulnerability in version 3.0.5 that allows for remote code execution. The flaw lies within the CustomMCP node, where user input is inadequately sanitized. Specifically, the mcpServerConfig stri...

Discovered 3 hours ago

PoC for CVE-2026-8981

WordPress | Custom Block Builder
Lazy Blocks < 4.3.0 - Admin+ Stored XSS via Custom Block Frontend HTML

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to i...

PoC for CVE-2026-4986

WordPress | WPforms
WPForms Lite < 1.10.0.5 – Unauthenticated PayPal Webhook Forgery

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

Discovered 5 hours ago

PoC for CVE-2026-11623

Tmux | 2 LOW
tmux image.c image_free use after free

A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be di...

Discovered 6 hours ago

PoC for CVE-2026-11621

Dcat-admin | 5.1 MEDIUM
Dcat-Admin User Setting upload editorMDUpload unrestricted upload

A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulation of the argument editormd-image-file causes unrestricted upload. The attack can be initiated re...

PoC for CVE-2026-11620

Totolink | Ex200 | 6.9 MEDIUM
TOTOLINK EX200 vsftpd vsftpd.conf least privilege violation

A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the attack remotely. The exploit has been released to the publi...

PoC for CVE-2026-11618

Dtstack | Taier | 6.9 MEDIUM
DTStack Taier Source Connection Test Endpoint LoginInterceptor.java...

A vulnerability was determined in DTStack Taier up to 1.4.0. The affected element is the function preHandle of the file taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInterceptor.java of the component Source Connection Test Endpoint. Executing a manipulation can lead ...

Discovered 8 hours ago

PoC for CVE-2026-24061

Gnu | Inetutils | 🟣 EPSS 92% | 9.8 CRITICAL
Remote Authentication Bypass in GNU Inetutils Telnetd

The GNU Inetutils telnet daemon (telnetd) is vulnerable to a remote authentication bypass that can occur when an attacker manipulates the USER environment variable by specifying a '-f root' value. This flaw allows unauthorized users to gain access without proper authentication. Affected users sho...

Discovered 9 hours ago

PoC for CVE-2026-49975

Apache | Apache Http Server
Apache HTTP Server: mod_http2 denial of service

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

Discovered 10 hours ago

PoC for CVE-2026-50751

Checkpoint | Quantum Security Gateway | 9.3 CRITICAL
User Authentication Bypass in VPN Remote Access and Mobile Access

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.

Discovered 11 hours ago

PoC for CVE-2026-27886

Strapi | Strapi | 9.2 CRITICAL
Sanitization Flaws in Strapi Headless CMS Affecting Multiple Versions

Strapi, an open-source headless content management system, has a vulnerability in versions ranging from 4.0.0 to 5.36.0 that stems from inadequate sanitization of query parameters during content filtering. This flaw allows unauthenticated attackers to exploit the `where` query parameter on public...

Discovered 13 hours ago

PoC for CVE-2026-11585

Codeastro | Student Attendance Man... | 5.3 MEDIUM
CodeAstro Student Attendance Management System createClassArms.php ...

A vulnerability was determined in CodeAstro Student Attendance Management System 1.0. Affected is an unknown function of the file /attendance-php/Admin/createClassArms.php. This manipulation of the argument classId causes sql injection. The attack can be initiated remotely. The exploit has been p...

PoC for CVE-2026-11584

Codeastro | Student Attendance Man... | 5.3 MEDIUM
CodeAstro Student Attendance Management System createClass.php edit...

A vulnerability was found in CodeAstro Student Attendance Management System 1.0. This impacts an unknown function of the file /attendance-php/Admin/createClass.php?action=edit. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit ...

PoC for CVE-2025-43537

Apple | iOS And iPad OS | 3.5 LOW
Path Handling Issue in Apple iOS and iPadOS Products

A path handling flaw in Apple's iOS and iPadOS products may allow attackers to manipulate and modify protected system files by restoring a maliciously crafted backup file. This vulnerability has been addressed through enhanced validation measures in the updated versions of iOS and iPadOS. Users a...

PoC for CVE-2025-57819

Freepbx | Endpoint | 🟣 EPSS 77% | 10 CRITICAL
Unauthenticated Access Vulnerability in FreePBX by Sangoma Technolo...

FreePBX, an open-source web-based GUI, suffers from a vulnerability that permits unauthenticated users to gain access to the FreePBX Administrator interface. This is primarily due to insufficient sanitization of user-provided data. The flaw can lead to unauthorized database manipulation and may a...

PoC for CVE-2026-11583

Codeastro | Student Attendance Man... | 5.3 MEDIUM
CodeAstro Student Attendance Management System createClass.php sql ...

A vulnerability has been found in CodeAstro Student Attendance Management System 1.0. This affects an unknown function of the file /attendance-php/Admin/createClass.php. The manipulation of the argument className leads to sql injection. It is possible to initiate the attack remotely. The exploit ...

Discovered 14 hours ago

PoC for CVE-2026-11582

Codeastro | Student Attendance Man... | 6.9 MEDIUM
CodeAstro Student Attendance Management System index.php sql injection

A flaw has been found in CodeAstro Student Attendance Management System 1.0. The impacted element is an unknown function of the file /attendance-php/index.php. Executing a manipulation of the argument Username can lead to sql injection. The attack may be performed from remote. The exploit has bee...

PoC for CVE-2026-11559

Codeastro | Payroll System | 5.3 MEDIUM
CodeAstro Payroll System view_account.php sql injection

A vulnerability was detected in CodeAstro Payroll System 1.0. This affects an unknown function of the file /view_account.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.

PoC for CVE-2026-11558

Codeastro | Payroll System | 5.3 MEDIUM
CodeAstro Payroll System home_salary.php sql injection

A security vulnerability has been detected in CodeAstro Payroll System 1.0. The impacted element is an unknown function of the file /home_salary.php. The manipulation of the argument rate/salary_rate leads to sql injection. The attack is possible to be carried out remotely. The exploit has been d...

PoC for CVE-2026-11557

Tenda | F451 | 8.7 HIGH
Tenda F451 Web Management Natlimit fromNatlimit stack-based overflow

A weakness has been identified in Tenda F451 1.0.0.7/1.0.0.9. The affected element is the function fromNatlimit of the file /goform/Natlimit of the component Web Management Interface. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed...

Discovered 15 hours ago

PoC for CVE-2026-11556

Tenda | F451 | 8.7 HIGH
Tenda F451 Web Management WriteFacMac formWriteFacMac os command in...

A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack i...

PoC for CVE-2026-11555

D-link | Dgs-1100-08pd | 6.3 MEDIUM
D-Link DGS-1100-08PD Web boa.conf least privilege violation

A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006. This issue affects some unknown processing of the file /etc/boa.conf of the component Web Interface. Such manipulation leads to least privilege violation. The attack may be launched remotely. The attack requires a high level of comp...

PoC for CVE-2026-11554

Totolink | Cp450 | 5.3 MEDIUM
TOTOLINK CP450 vsftpd vsftpd.conf least privilege violation

A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be ...

PoC for CVE-2026-11553

Tenda | Hg7hg9 | 8.7 HIGH
Tenda HG7HG9/HG10 formPPPEdit stack-based overflow

A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public a...

Discovered 16 hours ago

PoC for CVE-2026-39908

Openbullet | Openbullet2 | 7.1 HIGH
OpenBullet2 0.3.2 NTLMv2 Hash Disclosure via UNC Path Proxy Source

OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application...

PoC for CVE-2026-11534

Imvks786 | Student Management System | 5.1 MEDIUM
imvks786 student_management_system add.php cross site scripting

A vulnerability was detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fname results in cross site scripting. It is possible to laun...

PoC for CVE-2026-11533

Imvks786 | Student Management System | 5.3 MEDIUM
imvks786 student_management_system Student Deletion Endpoint see.ph...

A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Deletion Endpoint. The manipulation of the argument del leads t...

PoC for CVE-2026-11532

Imvks786 | Student Management System | 5.3 MEDIUM
imvks786 student_management_system Student Record add.php access co...

A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The attack may be perfo...

Discovered 17 hours ago

PoC for CVE-2026-11531

Imvks786 | Student Management System | 6.9 MEDIUM
imvks786 student_management_system Administrator Login Endpoint adm...

A security flaw has been discovered in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/admin_login.php of the component Administrator Login Endpoint. Performing a manipulation of the argument a_usr/a_pwd results...

PoC for CVE-2026-11530

Imvks786 | Student Management System | 6.9 MEDIUM
imvks786 student_management_system Login index.ph sql injection

A vulnerability was identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This affects an unknown function of the file /index.ph of the component Login. Such manipulation of the argument usr/pwd leads to sql injection. The attack can be executed remotely...

PoC for CVE-2026-11529

Designcomputer | Mysql-mcp-server | 5.3 MEDIUM
designcomputer mysql-mcp-server mysql URI server.py read_resource s...

A vulnerability was determined in designcomputer mysql-mcp-server up to 0.2.2. The impacted element is the function read_resource of the file src/mysql_mcp_server/server.py of the component mysql URI Handler. This manipulation of the argument uri_str causes sql injection. Remote exploitation of t...

PoC for CVE-2026-11528

Tenda | Ac18 | 8.7 HIGH
Tenda AC18 Web Management getRebootStatus sub_45304 stack-based ove...

A vulnerability was found in Tenda AC18 15.03.05.05. The affected element is the function sub_45304 of the file /goform/getRebootStatus of the component Web Management Interface. The manipulation of the argument callback results in stack-based buffer overflow. The attack may be launched remotely....

Discovered 18 hours ago

PoC for CVE-2026-11524

Tenda | W20e | 8.7 HIGH
Tenda W20E Web Management modifyWifiFilterRules stack-based overflow

A vulnerability has been found in Tenda W20E 15.11.0.6. Impacted is the function modifyWifiFilterRules of the file /goform/modifyWifiFilterRules of the component Web Management Interface. The manipulation of the argument wifiFilterListRemark leads to stack-based buffer overflow. The attack may be...

PoC for CVE-2026-11523

Tenda | W20e | 8.7 HIGH
Tenda W20E Web Management PortalAuth formPortalAuth stack-based ove...

A flaw has been found in Tenda W20E 15.11.0.6. This issue affects the function formPortalAuth of the file /goform/PortalAuth of the component Web Management Interface. Executing a manipulation of the argument gotoUrl can lead to stack-based buffer overflow. The attack can be launched remotely. Th...

PoC for CVE-2026-11522

Tenda | W20e | 8.7 HIGH
Tenda W20E setPortMirror formSetPortMirror stack-based overflow

A vulnerability was detected in Tenda W20E 15.11.0.6. This vulnerability affects the function formSetPortMirror of the file /goform/setPortMirror. Performing a manipulation of the argument portMirrorMirroredPorts results in stack-based buffer overflow. The attack can be initiated remotely. The ex...

PoC for CVE-2026-11521

Mohammed-eid35 | Bank-management-system... | 5.3 MEDIUM
Mohammed-eid35 bank-management-system-springboot Transaction Endpoi...

A security vulnerability has been detected in Mohammed-eid35 bank-management-system-springboot up to 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. This affects an unknown part of the file src/main/java/com/alien/bank/management/system/controller/TransactionController.java of the component Transaction...

Discovered 19 hours ago

PoC for CVE-2026-25558

Qloapps | Qloapps | 4.8 MEDIUM
QloApps 1.7.0 Stored XSS via SVG File Upload in Admin File Manager

QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded throu...

PoC for CVE-2026-11518

Sourcecodester | Inventory System | 5.3 MEDIUM
SourceCodester Inventory System User Management users.php cross sit...

A vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scripting. The attack is possible to be carried out remotely....

PoC for CVE-2026-11517

Utt | Hiper 2610g | 8.7 HIGH
UTT HiPER 2610G formConfigDnsFilterGlobal strcpy buffer overflow

A vulnerability was determined in UTT HiPER 2610G up to 3.0.0-171107. This impacts the function strcpy of the file /goform/formConfigDnsFilterGlobal. Executing a manipulation of the argument GroupName can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly ...

Discovered 20 hours ago

PoC for CVE-2026-11516

Utt | Hiper 2610g | 5.1 MEDIUM
UTT HiPER 2610G formNatStaticMap strcpy buffer overflow

A vulnerability was found in UTT HiPER 2610G up to 3.0.0-171107. This affects the function strcpy of the file /goform/formNatStaticMap. Performing a manipulation of the argument NatBinds results in buffer overflow. The exploit has been made public and could be used.

PoC for CVE-2026-11514

Itsourcecode | Hospital Management Sy... | 5.3 MEDIUM
itsourcecode Hospital Management System addpatient.php sql injection

A flaw has been found in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /addpatient.php. This manipulation of the argument admissiontme causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.

PoC for CVE-2026-11513

Itsourcecode | Hospital Management Sy... | 5.3 MEDIUM
itsourcecode Hospital Management System adminaccount.php sql injection

A vulnerability was detected in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /adminaccount.php. The manipulation of the argument Date results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.

Discovered 21 hours ago

PoC for CVE-2026-11512

Itsourcecode | Hospital Management Sy... | 5.3 MEDIUM
itsourcecode Hospital Management System billing.php cross site scri...

A security vulnerability has been detected in itsourcecode Hospital Management System 1.0. This issue affects some unknown processing of the file /billing.php. The manipulation of the argument patientid leads to cross site scripting. The attack can be initiated remotely. The exploit has been disc...

PoC for CVE-2026-11510

Codeastro | Leave Management System | 5.3 MEDIUM
CodeAstro Leave Management System add_leave.php sql injection

A security flaw has been discovered in CodeAstro Leave Management System 1.0. This affects an unknown part of the file /admin/add_leave.php. Performing a manipulation of the argument type_of_leave results in sql injection. It is possible to initiate the attack remotely. The exploit has been relea...

Discovered 22 hours ago

PoC for CVE-2026-11508

Codeastro | Leave Management System | 5.3 MEDIUM
CodeAstro Leave Management System search_staff_to_assign_pc.php sql...

A vulnerability was determined in CodeAstro Leave Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/search_staff_to_assign_pc.php. This manipulation of the argument Name causes sql injection. The attack is possible to be carried out remotely. The...

PoC for CVE-2026-11507

Codeastro | Leave Management System | 5.3 MEDIUM
CodeAstro Leave Management System delete_leave_type.php sql injection

A vulnerability was found in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /admin/delete_leave_type.php. The manipulation of the argument leave_type results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

PoC for CVE-2026-11506

Codeastro | Leave Management System | 5.3 MEDIUM
CodeAstro Leave Management System search_staff_for_deletion.php sql...

A vulnerability has been found in CodeAstro Leave Management System 1.0. This impacts an unknown function of the file /admin/search_staff_for_deletion.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed t...

Discovered 23 hours ago

PoC for CVE-2026-11504

Tenda | Cx12l | 8.7 HIGH
Tenda CX12L Wi-Fi Schedule Configuration Endpoint openSchedWifi set...

A vulnerability was detected in Tenda CX12L 16.03.53.12. The impacted element is the function setSchedWifi of the file /goform/openSchedWifi of the component Wi-Fi Schedule Configuration Endpoint. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer ...

PoC for CVE-2026-11503

Tenda | Cx12l | 8.7 HIGH
Tenda CX12L Wi-Fi Configuration Endpoint fast_setting_wifi_set form...

A security vulnerability has been detected in Tenda CX12L 16.03.53.12. The affected element is the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set of the component Wi-Fi Configuration Endpoint. Such manipulation of the argument ssid leads to stack-based buffer overfl...

PoC for CVE-2026-11502

Jeecgboot | 2.3 LOW
JeecgBoot Third-Party Login ThirdLoginController.java HttpServletRe...

A weakness has been identified in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. This manipulation of ...