Suggest Exploit

Explore Vulnerabilities


Explore all Exploits:

Ladder v0.0.21 – Server-side Request Forgery (SSRF)

Ladder version v0.0.21 is vulnerable to Server-side Request Forgery (SSRF) due to inadequate restrictions on destination addresses. This allows an attacker to send GET requests to addresses that are usually inaccessible externally. Attackers can exploit this to reach private address ranges, locally hosted services, and cloud instance metadata APIs.

Akaunting <= 3.1.3 Remote Code Execution

Akaunting version 3.1.3 and below are vulnerable to Remote Code Execution (RCE) allowing an attacker to execute arbitrary commands on the target system. By injecting malicious commands through a crafted request to the 'companies' endpoint, an attacker can exploit this vulnerability. CVE-2024-22836 has been assigned to this issue.

Electrolink FM/DAB/TV Transmitter Remote Authentication Bypass

An attacker can bypass authentication on Electrolink FM/DAB/TV Transmitter devices due to a lack of proper authentication mechanisms. This vulnerability affects various models and versions of Electrolink transmitters, allowing unauthorized access to the devices.

WordPress Augmented-Reality – Remote Code Execution Unauthenticated

The exploit allows remote attackers to execute arbitrary code on the target system without authentication. By leveraging a vulnerability in Wordpress Augmented-Reality plugin, an attacker can upload and execute malicious PHP code.

Windows Defender Backdoor Detection Mitigation Bypass

In 2022, a proof of concept was released to bypass the Backdoor:JS/Relvelshe.A detection in Windows Defender. Although the initial method was mitigated, a new approach involves adding a simple JavaScript try-catch error statement and evaluating the hex string to execute the bypass successfully.

WordPress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)

The Wordpress Canto plugin before 3.0.5 is vulnerable to Remote File Inclusion (RFI) through the 'wp_abspath' parameter, allowing unauthenticated attackers to execute arbitrary remote code on the server if allow_url_include is enabled. The issue arises from the improper handling of the 'wp_abspath' variable in the 'download.php' code.

GLiNet Router Authentication Bypass Vulnerability

CVE-2023-46453 is a remote authentication bypass vulnerability in GLiNet routers with firmware versions 4.x and above. The vulnerability allows an attacker to bypass authentication and access the router's web interface by exploiting a lack of proper authentication checks in the /usr/sbin/gl-ngx-session file.

Petrol Pump Management Software v1.0 – ‘Address’ Stored Cross Site Scripting

A Cross Site Scripting (XSS) vulnerability in Petrol Pump Management Software v1.0 allows attackers to execute malicious code by inserting a specially crafted payload into the 'Address' parameter in the add_invoices.php component.

Recent Exploits: