Publicly Disclosed
PoC Exploits
π΄ Alway take caution when working with PoC Exploits π΄
Discovered just now...
PoC for CVE-2026-46588
An improper input validation vulnerability has been identified in Apache Camel. This flaw allows attackers to submit invalid input data, potentially leading to unexpected behavior in applications using vulnerable versions of the software. It is crucial for users to promptly update to secure versi...
PoC for CVE-2026-46587
An improper input validation vulnerability in Apache Camel has been identified, impacting versions up to 4.14.7, from 4.15.0 to 4.18.2, and from 4.19.0 to 4.20.0. This flaw can lead to potential exploitation if untrusted input is processed. It is strongly advised for users to upgrade to Apache Ca...
PoC for CVE-2026-43499
A vulnerability exists in the Linux kernel's rtmutex component where the remove_waiter() function incorrectly utilizes current instead of waiter::task during a dequeue operation within various mutex handling paths. This mismanagement leads to multiple issues, including potential use-after-free vu...
PoC for CVE-2026-43499
A vulnerability exists in the Linux kernel's rtmutex component where the remove_waiter() function incorrectly utilizes current instead of waiter::task during a dequeue operation within various mutex handling paths. This mismanagement leads to multiple issues, including potential use-after-free vu...
Discovered 1 hour ago
PoC for CVE-2026-59827
Metabase, an open-source business intelligence and embedded analytics tool, suffers from a deserialization vulnerability in versions prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4. When configured with an H2 database connection, including the default sample database, this flaw permits authenti...
Discovered 2 hours ago
PoC for CVE-2026-46585
The Apache Camel Lucene Component is susceptible to an improper input validation and authorization bypass vulnerability. This flaw occurs when the camel-lucene producer processes input headers that are not properly filtered due to missing Camel prefix checks, allowing any HTTP client to manipulat...
Discovered 3 hours ago
PoC for CVE-2026-27483
MindsDB, a data-driven AI platform, has a vulnerability in its /api/files interface that allows authenticated attackers to exploit path traversal in the 'Upload File' module. This weakness is due to insufficient validation of file paths, permitting attackers to incorporate '../' sequences in the ...
Discovered 4 hours ago
PoC for CVE-2026-27944
Nginx UI, a web interface for the Nginx web server, has a critical security flaw where the /api/backup endpoint is accessible without authentication. This vulnerability allows unauthenticated attackers to retrieve a complete system backup that includes sensitive information such as user credentia...
Discovered 5 hours ago
PoC for CVE-2025-27591
A privilege escalation vulnerability was identified in the Below service prior to version 0.9.0. This vulnerability arises from the creation of a world-writable directory located at /var/log/below. As a result, local unprivileged users can exploit this flaw through symlink attacks, potentially ma...
PoC for CVE-2026-43499
A vulnerability exists in the Linux kernel's rtmutex component where the remove_waiter() function incorrectly utilizes current instead of waiter::task during a dequeue operation within various mutex handling paths. This mismanagement leads to multiple issues, including potential use-after-free vu...
Discovered 7 hours ago
PoC for CVE-2026-15410
A vulnerability has been identified in the SMA1000 Appliance Management Console that allows a post-authentication improper control of code generation. Under specific conditions, an authenticated remote attacker could exploit this flaw to execute arbitrary operating system commands. This vulnerabi...
PoC for CVE-2026-15409
A Server-side Request Forgery (SSRF) vulnerability has been identified within the Work Place interface of the SMA1000 Appliance. This security flaw allows a remote attacker, without authentication, to exploit the appliance, enabling it to make requests to unintended and potentially malicious loca...
Discovered 12 hours ago
PoC for CVE-2026-11580
The Kali Forms β Contact Form & Drag-and-Drop Builder WordPress plugin prior to version 2.4.17 is susceptible to an insufficient access control vulnerability. This flaw allows users with Contributor-level access or higher to duplicate any post, circumventing ownership restrictions. As a result, t...
PoC for CVE-2026-12512
The Quotes Llama WordPress plugin prior to version 3.1.6 is susceptible to SQL injection due to improper sanitization and escaping of user-supplied parameters in SQL queries. This vulnerability enables unauthenticated attackers to manipulate the database, potentially allowing them to retrieve sen...
PoC for CVE-2026-11579
The Kali Forms plugin for WordPress, specifically versions before 2.4.17, contains a significant vulnerability where it fails to verify if a file upload is associated with an existing form that has a file-upload field. This oversight allows unauthorized users to upload files directly to the WordP...
PoC for CVE-2026-12281
The Shibboleth plugin for WordPress before version 2.5.4 is vulnerable to an authentication bypass due to a flaw in its HTTP header identity mode. When this mode is activated without an anti-spoofing key, the plugin erroneously authenticates any request carrying identity headers without proper ve...
Discovered 15 hours ago
PoC for CVE-2026-23744
MCPJam Inspector, designed for local-first development on MCP servers, has a vulnerability allowing remote code execution (RCE) due to improper binding settings. In versions 1.4.2 and earlier, the platform listens on 0.0.0.0 by default, enabling attackers to exploit this configuration through cra...
Discovered 17 hours ago
PoC for CVE-2026-46584
An improper input validation vulnerability in the Apache Camel Mail Component allows for the potential exposure of sensitive information due to untrusted input being processed without proper filtering. Specifically, the MailProducer may construct JavaMail sessions with headers from untrusted sour...
Discovered 18 hours ago
PoC for CVE-2026-0740
The Ninja Forms - File Uploads plugin for WordPress contains a vulnerability allowing unauthenticated attackers to upload arbitrary files due to inadequate file type validation in the upload handling function. This oversight affects all versions upto and including 3.3.26, potentially enabling att...
Discovered 19 hours ago
PoC for CVE-2026-43499
A vulnerability exists in the Linux kernel's rtmutex component where the remove_waiter() function incorrectly utilizes current instead of waiter::task during a dequeue operation within various mutex handling paths. This mismanagement leads to multiple issues, including potential use-after-free vu...
Discovered 20 hours ago
PoC for CVE-2026-15752
A vulnerability exists in the Zhininboke Xianyu-Auto-Reply system, specifically within the user management functionality of the Backend User Endpoint. This flaw allows an attacker to bypass authorization checks, potentially leading to unauthorized access to sensitive user data. The exploit can be...
PoC for CVE-2026-15751
A security vulnerability has been discovered in the Mastergo Design Magic MCP tool, particularly affecting the function execute in the component mcp__getComponentGenerator located in mastergo/component-workflow.md. This vulnerability allows unauthorized access to file paths due to improper handli...
Discovered 21 hours ago
PoC for CVE-2026-15750
A vulnerability exists in the Mastergo Magic MCP component, specifically in its z.string function located in src/tools/get-component-link.ts. This flaw allows an attacker to manipulate the URL argument, potentially leading to server-side request forgery (SSRF). With SSRF, an attacker can send req...
PoC for CVE-2026-15749
A security flaw has been identified in the Magic MCP tool by Mastergo Design, specifically affecting version 0.2.0. The vulnerability arises from improper handling of the argument 'filePath' in the 'execute' function of the 'src/tools/get-c2d.ts' file, allowing for path traversal attacks. This co...
Discovered 23 hours ago
PoC for CVE-2026-46457
An improper input validation issue exists in the NATS component of Apache Camel, affecting versions 4.0.0 to 4.14.7, 4.15.0 to 4.18.2, and 4.19.0 to 4.20.9. This flaw allows clients capable of publishing to specific NATS subjects to inject arbitrary Camel control headers, which can manipulate the...
Discovered 1 day ago
PoC for CVE-2026-15715
A cross-site scripting vulnerability exists in the SourceCodester Class and Exam Timetabling System 1.0, specifically within the /exam.php file. By exploiting improper handling of the 'day' argument, attackers can perform remote code execution, leading to unauthorized access to sensitive user dat...
PoC for CVE-2026-15703
A SQL injection vulnerability exists in the Simple and Nice Shopping Cart Script version 1.0, specifically within the /admin/userproductdeletequery.php file. This vulnerability arises when an attacker manipulates the user_id argument, enabling the execution of malicious SQL queries. This flaw all...
PoC for CVE-2026-15701
A weakness has been identified in the Totolink NR1800X router, specifically in the lighttpd component's Form_Logout function located in the file /formLogout.htm. This vulnerability allows for a stack-based buffer overflow due to improper handling of the Host argument, which can be exploited by at...
PoC for CVE-1999-0524
The vulnerability allows arbitrary hosts to send ICMP requests that reveal sensitive information, including netmask and timestamp data. This exposure can assist attackers in conducting reconnaissance and facilitate further attacks on the network. Proper configuration and monitoring are essential ...
PoC for CVE-2026-15700
A security flaw has been identified in DedeCMS version 5.7.118, specifically within the ExtractFile function of the include/zip.class.php component related to the Album Publishing feature. This vulnerability permits path traversal, allowing attackers to manipulate the filename argument, which may...
PoC for CVE-2026-15699
A vulnerability affecting spencermountainβs Public Root API was identified in versions up to 14.15.1, specifically in the function nlp.extend located in the file src/API/extend.js. This vulnerability allows for unauthorized manipulation of the argument plugin, which could lead to uncontrolled mod...
PoC for CVE-2026-15696
A significant vulnerability exists in the Tenda BE12 Pro, specifically within the fromVirtualSer function of the /goform/VirtualSer component. This vulnerability allows for manipulation of the input parameters, potentially leading to a stack-based buffer overflow. As a result, attackers can execu...
PoC for CVE-2026-58479
The Sustainable Irrigation Platform (SIP) versions up to 5.2.16 are vulnerable to command injection through the optional cli_control plugin. This weakness enables unauthenticated attackers to exploit the platform by submitting a malicious payload via the plugin's HTTP endpoint. Once an attack is ...
PoC for CVE-2026-58478
The Sustainable Irrigation Platform versions up to 5.2.16 expose a Server-Side Request Forgery (SSRF) vulnerability that can be exploited by unauthenticated attackers using a malicious callback URL when the optional Node-RED plugin is enabled. This flaw allows attackers to circumvent destination ...
PoC for CVE-2026-58477
The Sustainable Irrigation Platform (SIP) version 5.2.16 and earlier is susceptible to a mass assignment vulnerability. This flaw enables unauthenticated attackers to overwrite sensitive configuration settings by supplying arbitrary parameter names within HTTP requests. Vulnerable configurations ...
PoC for CVE-2026-60114
The Sustainable Irrigation Platform (SIP) through version 5.2.16 is vulnerable to a path traversal issue that can be exploited by attackers who gain access to the restore functionality. By uploading specially crafted JSON backup files that include unvalidated keys, attackers can write files to ar...
PoC for CVE-2026-15695
A critical flaw in Tenda BE12 Pro routers (version 16.03.66.23) allows for a stack-based buffer overflow through the 'fromDhcpListClient' function in the '/goform/DhcpListClient' file. This vulnerability can be exploited remotely, posing a significant risk to device integrity and security. Attack...
PoC for CVE-2026-58476
The Sustainable Irrigation Platform (SIP) through version 5.2.16 is susceptible to a cross-site request forgery (CSRF) vulnerability. This flaw allows remote attackers to execute state-changing administrative actions by enticing a logged-in administrator to visit a malicious webpage. The absence ...
PoC for CVE-2026-58475
The Sustainable Irrigation Platform, up to version 5.2.16, is vulnerable to a stored cross-site scripting (XSS) flaw, enabling unauthorized attackers to inject malicious JavaScript payloads. This vulnerability arises from improper output encoding within program names submitted via HTTP requests, ...
PoC for CVE-2026-15694
A stack-based buffer overflow vulnerability exists in the Tenda BE12 Pro router due to improper handling in the fromSetIpBind function, specifically in the /goform/SetIpBind file. By manipulating the 'page' argument, an attacker can exploit this weakness to execute arbitrary code remotely. The ex...
PoC for CVE-2021-44228
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log messag...
PoC for CVE-2023-38646
Metabase, both the open-source and enterprise versions prior to specified updates, contains a vulnerability that allows malicious actors to execute arbitrary commands at the server's privilege level without requiring authentication. This weakness can lead to significant security breaches, includi...
PoC for CVE-2025-21293
This vulnerability in Active Directory Domain Services allows attackers to gain elevated privileges within the system, potentially leading to unauthorized access and control over sensitive resources. By exploiting this flaw, an attacker could perform actions that exceed their intended access righ...
PoC for CVE-2026-15693
A critical security vulnerability has been identified in the Tenda BE12 Pro router, specifically in the 'fromSafeMacFilter' function located in the '/goform/SafeMacFilter' file. This vulnerability allows for a stack-based buffer overflow due to improper handling of input arguments, which can be e...
PoC for CVE-2014-7169
The vulnerability in GNU Bash through version 4.3 allows attackers to exploit malformed function definitions in environment variables. This can lead to unauthorized writing to files or other impacts, particularly through methods that involve privilege boundaries. Notable examples of exploitation ...
PoC for CVE-2026-15692
A vulnerability has been discovered in the Tenda BE12 Pro router version 16.03.66.23, specifically in the fromSafeUrlFilter function located in the /goform/SafeUrlFilter file. This weakness can be exploited by manipulating the 'page' argument leading to a stack-based buffer overflow. The exploit ...
PoC for CVE-2026-15691
A security flaw has been identified in the Tenda BE12 Pro router, particularly in the fromSafeClientFilter function located in the /goform/SafeClientFilter file. This vulnerability can be exploited by manipulating the argument page, leading to a stack-based buffer overflow. Given its remote explo...
PoC for CVE-2026-15690
A vulnerability exists in the open62541 Shared Client Library, specifically within the responseReadNamespacesArray function of the file src/client/ua_client_connect.c. This flaw allows for a null pointer dereference, which can be caused by improper handling of the Server_NamespaceArray argument. ...
PoC for CVE-2026-43724
A vulnerability has been identified in Apple's iOS, iPadOS, and macOS that could potentially allow an application to lead to unexpected system termination or unauthorized access to kernel memory. This vulnerability results from insufficient input sanitization, which may be exploited by malicious ...
PoC for CVE-2026-38526
An authenticated arbitrary file upload vulnerability exists in the /admin/tinymce/upload endpoint of Webkul Krayin CRM version 2.2.x. This flaw enables attackers to upload crafted PHP files, which can subsequently lead to the execution of arbitrary code on the server. Such vulnerabilities can be ...