Publicly Disclosed
PoC Exploits
🔴 Alway take caution when working with PoC Exploits 🔴
Discovered just now...
PoC for CVE-2026-63030
A confusion issue in the REST API batch endpoint of WordPress versions 6.9.x prior to 6.9.5 and 7.0.x prior to 7.0.2 could facilitate an exploit. This vulnerability, when combined with an existing SQL Injection flaw in the author__not_in WP_Query feature, can allow attackers to execute unauthoriz...
PoC for CVE-2026-63030
A confusion issue in the REST API batch endpoint of WordPress versions 6.9.x prior to 6.9.5 and 7.0.x prior to 7.0.2 could facilitate an exploit. This vulnerability, when combined with an existing SQL Injection flaw in the author__not_in WP_Query feature, can allow attackers to execute unauthoriz...
PoC for CVE-2026-43074
A use-after-free vulnerability exists in the Linux kernel related to the eventpoll functionality, specifically during the execution of the ep_free() function in eventpoll.c. This flaw allows for the struct eventpoll to be deallocated while still being accessed by another thread, leading to potent...
Discovered 1 hour ago
PoC for CVE-2026-16083
A security flaw exists in the Sipeed PicoClaw up to version 0.2.9, specifically within the webhook.ParseRequest function located in pkg/channels/line/line.go. This vulnerability allows remote attackers to exploit the authentication mechanism through capture-replay techniques, potentially unlockin...
PoC for CVE-2026-63030
A confusion issue in the REST API batch endpoint of WordPress versions 6.9.x prior to 6.9.5 and 7.0.x prior to 7.0.2 could facilitate an exploit. This vulnerability, when combined with an existing SQL Injection flaw in the author__not_in WP_Query feature, can allow attackers to execute unauthoriz...
PoC for CVE-2026-16082
A vulnerability exists in the Sipeed PicoClaw up to version 0.2.9, specifically within the ExecTool.executeRun function in the file pkg/agent/pipeline_execute.go. This flaw arises from improper handling of the argument 'cwe' which can lead to a time-of-check time-of-use condition. The exploit mus...
Discovered 2 hours ago
PoC for CVE-2026-63030
A confusion issue in the REST API batch endpoint of WordPress versions 6.9.x prior to 6.9.5 and 7.0.x prior to 7.0.2 could facilitate an exploit. This vulnerability, when combined with an existing SQL Injection flaw in the author__not_in WP_Query feature, can allow attackers to execute unauthoriz...
PoC for CVE-2026-16081
A vulnerability exists in Sipeed PicoClaw (up to version 0.2.9) that can be exploited via a maliciously crafted request, allowing attackers to perform unauthorized actions on behalf of authenticated users. This is due to an issue in the `web/backend/api/auth.go` file, making the affected system v...
Discovered 3 hours ago
PoC for CVE-2026-16077
AstrBot by AstrBotDevs is susceptible to an improper link resolution vulnerability in the _normalize_rw_path function within the Filesystem Computer-Use Tool component. This flaw allows attackers with local access to manipulate the tool, leveraging link following capabilities to access unauthoriz...
Discovered 4 hours ago
PoC for CVE-2026-16076
A vulnerability exists in the AstrBot API, specifically within the OpenApiRoute.chat_send function. By manipulating the Username parameter, an attacker can bypass authentication, enabling unauthorized access to the system. This flaw is remotely exploitable, posing a significant risk to users. Des...
PoC for CVE-2026-63030
A confusion issue in the REST API batch endpoint of WordPress versions 6.9.x prior to 6.9.5 and 7.0.x prior to 7.0.2 could facilitate an exploit. This vulnerability, when combined with an existing SQL Injection flaw in the author__not_in WP_Query feature, can allow attackers to execute unauthoriz...
Discovered 6 hours ago
PoC for CVE-2026-16075
A significant security flaw has been identified in AstrBot by AstrBotDevs, specifically affecting the session-listing endpoint of the OpenApiRoute.get_chat_sessions function. This vulnerability stems from improper handling of the 'Username' argument within the open_api.py file, allowing unauthori...
Discovered 9 hours ago
PoC for CVE-2026-48205
An input validation flaw in Apache Camel's DNS component enables attackers to exploit an SSRF vulnerability. This weakness permits manipulation of DNS operation parameters through Headers that lack proper filtering, allowing attackers to direct requests to malicious DNS servers. The vulnerability...
Discovered 11 hours ago
PoC for CVE-2025-8110
The vulnerability in the PutContents API of Gogs arises from improper handling of symbolic links, potentially allowing local execution of arbitrary code. This misconfiguration may expose sensitive data and facilitate unauthorized access to critical systems. Users and administrators are urged to u...
Discovered 12 hours ago
PoC for CVE-2026-48204
A vulnerability exists in Apache Camel's Mongodb GridFS component due to improper input validation and access control. This issue arises when the producer selects GridFS operations based on unvalidated headers when not explicitly set. An attacker can exploit this by injecting crafted headers, all...
PoC for CVE-2026-50416
An information disclosure vulnerability in Windows Win32K allows authorized attackers to access sensitive information locally. This security flaw could enable an unauthorized actor to obtain confidential data, leading to potential exploitation in compromised systems. Users are urged to apply avai...
Discovered 13 hours ago
PoC for CVE-2007-2447
The MS-RPC functionality within the Samba server allows attackers to execute arbitrary commands remotely due to improper handling of shell metacharacters. When the 'username map script' configuration option is enabled, a malicious user can exploit the SamrChangePassword function to inject command...
PoC for CVE-2026-16074
A vulnerability identified in the AstrBotDevs AstrBot version 4.25.2 affects the Plugin Update Handler component, specifically within the update_plugin/update_all_plugins function located in the file astrbot/dashboard/routes/plugin.py. This flaw allows for manipulation of the download_url/downloa...
Discovered 14 hours ago
PoC for CVE-2026-48203
A vulnerability exists in the Apache Camel Solr component that allows an attacker to exploit improper input validation and header handling. Specifically, malicious users can manipulate Exchange message headers intended for Solr requests, potentially leading to server-side request forgery (SSRF) a...
Discovered 15 hours ago
PoC for CVE-2026-16073
A security vulnerability has been identified in the AstrBotDevs AstrBot application, specifically within the T2I Feature which utilizes the NetworkRenderStrategy. The flaw resides in the 'Star.text_to_image' function located in the 'astrbot/core/star/base.py' file. This vulnerability allows an at...
Discovered 17 hours ago
PoC for CVE-2026-47323
The implementations of HeaderFilterStrategy in Apache Camel, specifically CxfRsHeaderFilterStrategy and KnativeHttpHeaderFilterStrategy, fail to appropriately filter inbound headers, allowing unauthenticated attackers to inject internal Camel headers through HTTP requests. This vulnerability can ...
PoC for CVE-2026-63308
Helm versions up to 4.2.3 contain a vulnerability in the Files.Lines template helper that can lead to a denial of service. An attacker can exploit this flaw by including zero-length byte slices in chart files, causing the Helm engine to panic and resulting in deterministic render failures. This i...
Discovered 18 hours ago
PoC for CVE-2026-63101
Open Event Server versions up to 1.19.1 are susceptible to a missing authentication flaw which permits unauthorized access to sensitive user information. This vulnerability enables attackers to export the complete member roster of any group via the CSV export endpoint without needing to authentic...
PoC for CVE-2026-63100
A missing authorization vulnerability in the Maybe product allows authenticated users with low privileges to exploit global hosting settings. By leveraging unprotected actions in the Settings::HostingsController, these users can modify critical configurations, access the operator's Synth API key ...
PoC for CVE-2026-63099
TheHive version 4.1.24 contains a broken object-level authorization vulnerability that affects its attachment download functionality. This flaw enables authenticated users to access attachments meant for other organizations. Attackers can exploit this security gap by supplying a content-hash iden...
PoC for CVE-2026-63098
TheHive version 4.1.24 is vulnerable to an unauthenticated information disclosure that permits attackers to access sensitive configuration details simply by sending a GET request to the /api/status endpoint. This endpoint inadequately enforces authentication checks, enabling potential attackers t...
PoC for CVE-2026-63097
An improper access control issue has been identified in Dendrite versions up to 0.13.8, specifically affecting the syncapi /context endpoint. This vulnerability allows authenticated local users, particularly those who have exited a room, to exploit a flawed membership evaluation. The vulnerabilit...
PoC for CVE-2026-63096
Dendrite, up to version 0.13.8, is vulnerable to a server-side request forgery (SSRF) that enables unauthenticated attackers to manipulate the server into establishing outbound TLS connections to arbitrary hosts and ports. This vulnerability arises from the lack of validation on the serverName pa...
PoC for CVE-2026-63095
Dendrite versions up to 0.13.8 exhibit an improper authorization vulnerability within the Matrix Client-Server API, allowing an authenticated user to delete third-party identifier bindings of other users. By exploiting the flawed Forget3PID handler, attackers can submit arbitrary addresses and me...
Discovered 19 hours ago
PoC for CVE-2024-53104
A vulnerability within the Linux kernel's UVC video support can be exploited due to inadequate handling of undefined video frame types. Specifically, when parsing video formats, the omission of UVC_VS_UNDEFINED frames can result in calculating incorrect buffer sizes, potentially leading to unsafe...
PoC for CVE-2026-63093
Cursor for Windows version 3.2.16 is susceptible to a binary planting vulnerability that endangers user systems by enabling remote attackers to execute arbitrary code. This occurs when a malicious git.exe file is placed in the repository root directory. When developers clone and open such a craft...
PoC for CVE-2026-63094
The vulnerability in SigNoz through version 0.133.0 allows attackers to leverage an open redirect in the SSO authentication process. Unauthenticated attackers can exploit this flaw to steal session tokens from users utilizing Google OAuth, SAML, or OIDC. By manipulating the authentication flow, a...
PoC for CVE-2026-16017
A vulnerability has been identified in the mosaxiv clawlet Chat Tool, specifically within the 'list/remove' function located in the 'tools/tool_cron.go' file. This issue allows for unauthorized manipulation due to a lack of proper authorization checks. The vulnerability can be exploited remotely,...
Discovered 20 hours ago
PoC for CVE-2026-16016
A vulnerability exists in poco-ai's poco-claw software, specifically in the run_task function located in executor/app/api/v1/task.py. This security issue is associated with the manipulation of the callback_url argument, which may lead to server-side request forgery. Attackers can exploit this vul...
PoC for CVE-2026-16016
A vulnerability exists in poco-ai's poco-claw software, specifically in the run_task function located in executor/app/api/v1/task.py. This security issue is associated with the manipulation of the callback_url argument, which may lead to server-side request forgery. Attackers can exploit this vul...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
PoC for CVE-2026-16015
A vulnerability has been identified in the poco-ai poco-claw's executor_manager API, specifically in the create_task function located in executor_manager/app/api/v1/tasks.py. This flaw allows for missing authentication, potentially enabling unauthorized access to critical operations. The issue ha...
Discovered 21 hours ago
PoC for CVE-2026-16014
The Hospital Bed Management System version 1.0 has a significant SQL injection vulnerability discovered in its login form component. By manipulating the Username argument, attackers can execute unauthorized SQL commands, allowing for remote exploitation. This vulnerability has been publicly discl...
Discovered 22 hours ago
PoC for CVE-2026-16013
A vulnerability exists in the liftoff-sr CIPster, specifically in the CipAppPath::deserialize_symbolic function located within source/src/cip/cipepath.cc. This issue allows manipulation that results in an out-of-bounds read, which could potentially be exploited remotely. The vulnerability affects...
PoC for CVE-2026-16009
A SQL injection vulnerability has been identified in the itsourcecode Hospital Management System version 1.0. The issue arises from an undisclosed function within the file /prescriptionorderdetail.php, where improper handling of the 'delid' argument creates an opportunity for attackers to execute...
Discovered 1 day ago
PoC for CVE-2026-12393
The WPS Bookings for WooCommerce plugin prior to version 3.11.7 lacks proper checks to confirm if a booking order is associated with the user making the request. This flaw enables any authenticated user, including Subscribers and Customers, to cancel and void bookings made by other users, leading...
PoC for CVE-2026-11966
The User Registration & Membership plugin for WordPress prior to version 5.2.3 has a security flaw that allows unauthenticated attackers to perform unauthorized actions. This weakness occurs due to the absence of capability checks for certain membership payment actions, which permits these attack...
PoC for CVE-2026-11961
The User Registration & Membership plugin for WordPress, prior to version 5.2.3, lacks proper validation of membership tiers during public registration. This oversight permits unauthenticated users to register for any available membership tier and receive its corresponding user role automatically...
PoC for CVE-2026-9810
The AI Copilot WordPress plugin versions prior to 1.5.4 feature a critical OAuth access token vulnerability. This issue arises from the plugin's failure to correctly bind OAuth access tokens to individual WordPress users, resulting in the capability for unauthenticated attackers to exploit the pu...
PoC for CVE-2026-13402
The Royal Addons for Elementor plugin prior to version 1.7.1063 fails to validate the post status of menu items and associated templates in its REST endpoints. This oversight allows unauthenticated users to access the rendered HTML content of private or draft Elementor templates linked to non-pub...
PoC for CVE-2026-10525
The NEX-Forms plugin for WordPress, prior to version 9.2.3, is vulnerable due to inadequate sanitization and escaping of submitted form data. This weakness can allow an attacker to inject malicious scripts that are stored and executed in the admin dashboard when high-privileged users, such as adm...
PoC for CVE-2026-11575
The PhonePe Payment Solutions WordPress plugin versions prior to 3.1.0 fails to adequately verify the authenticity of incoming payment callbacks. This vulnerability arises when sites are configured through the current setup flow, leading to an empty secret for validating callback signatures. Cons...