CVE-2025-47577

None

Github link:
https://github.com/Yucaerin/CVE-2025-47577

CVE-2025-30397

None

Github link:
https://github.com/mbanyamer/CVE-2025-30397---Windows-Server-2025-JScript-RCE-Use-After-Free-

CVE-2025-4631

None

Github link:
https://github.com/Nxploited/CVE-2025-4631

CVE-2025-5287

The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Github link:
https://github.com/wiseep/CVE-2025-5287

CVE-2025-48827

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

Github link:
https://github.com/wiseep/CVE-2025-48827

CVE-2025-3248

Langflow versions prior to 1.3.0 are susceptible to code injection in
the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary
code.

Github link:
https://github.com/tiemio/RCE-CVE-2025-3248

CVE-2025-12654

None

Github link:
https://github.com/Quelvara/Anydesk-Exploit-CVE-2025-12654-RCE-Builder

CVE-2024-9264

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

Github link:
https://github.com/Cythonic1/CVE-2024-9264

CVE-2011-0762

The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.

Github link:
https://github.com/AndreyFreitass/CVE-2011-0762

CVE-2023-25690

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.




Configurations are affected when mod_proxy is enabled along with some form of RewriteRule
or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and is then
re-inserted into the proxied request-target using variable
substitution. For example, something like:




RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
ProxyPassReverse /here/ http://example.com:8080/


Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.




Github link:
https://github.com/oOCyginXOo/CVE-2023-25690-POC

CVE-2018-9995

TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

Github link:
https://github.com/its-anya/DVR_Credential_Scanner

CVE-2025-44148

None

Github link:
https://github.com/barisbaydur/CVE-2025-44148

CVE-2024-39924

None

Github link:
https://github.com/l4rm4nd/PoC-CVE-2024-39924

CVE-2024-28784

None

Github link:
https://github.com/CainSoulless/CVE-2024-28784

CVE-2008-4250

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

Github link:
https://github.com/NoTrustedx/Exploit_MS08-067

CVE-2014-4688

None

Github link:
https://github.com/fenix0499/CVE-2014-4688-NodeJs-Exploit

CVE-2025-32873

None

Github link:
https://github.com/Apollo-R3bot/django-vulnerability-CVE-2025-32873

CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.

Github link:
https://github.com/valeriot30/cve-2024-3094

CVE-2025-3102

The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.

Github link:
https://github.com/0xgh057r3c0n/CVE-2025-3102

CVE-2025-2945

None

Github link:
https://github.com/abrewer251/CVE-2025-2945_PoC