CVE-2025-49132
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
Github link:
https://github.com/melonlonmeo/CVE-2025-49132
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
Github link:
https://github.com/melonlonmeo/CVE-2025-49132
GitHub
GitHub - melonlonmeo/CVE-2025-49132: Poc - CVE-2025-49132
Poc - CVE-2025-49132. Contribute to melonlonmeo/CVE-2025-49132 development by creating an account on GitHub.
CVE-2025-47577
Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server.This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2.
Github link:
https://github.com/sug4r-wr41th/CVE-2025-47577
Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server.This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2.
Github link:
https://github.com/sug4r-wr41th/CVE-2025-47577
GitHub
GitHub - sug4r-wr41th/CVE-2025-47577: TI WooCommerce Wishlist (WordPress plugin) <= 2.9.2 CVE-2025-47577 PoC
TI WooCommerce Wishlist (WordPress plugin) <= 2.9.2 CVE-2025-47577 PoC - sug4r-wr41th/CVE-2025-47577
CVE-2016-5195
Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."
Github link:
https://github.com/Samuel-G3/Escalamiento-de-Privilegios-usando-el-Kernel-Exploit-Dirty-Cow
Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."
Github link:
https://github.com/Samuel-G3/Escalamiento-de-Privilegios-usando-el-Kernel-Exploit-Dirty-Cow
GitHub
GitHub - Samuel-G3/Escalamiento-de-Privilegios-usando-el-Kernel-Exploit-Dirty-Cow: Exploit para escalada de privilegios en Linux…
Exploit para escalada de privilegios en Linux basado en la vulnerabilidad Dirty Cow (CVE-2016-5195). Incluye binario, código fuente e instrucciones para su uso en entornos controlados. - Samuel-G3/...
CVE-2025-49144
Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.
Github link:
https://github.com/TheTorjanCaptain/CVE-2025-49144_PoC
Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.
Github link:
https://github.com/TheTorjanCaptain/CVE-2025-49144_PoC
GitHub
GitHub - TheTorjanCaptain/CVE-2025-49144_PoC: CVE-2025-49144 PoC for security researchers to test and try.
CVE-2025-49144 PoC for security researchers to test and try. - TheTorjanCaptain/CVE-2025-49144_PoC
CVE-2025-30208
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Github link:
https://github.com/B1ack4sh/Blackash-CVE-2025-30208
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Github link:
https://github.com/B1ack4sh/Blackash-CVE-2025-30208
GitHub
GitHub - B1ack4sh/Blackash-CVE-2025-30208: CVE-2025-30208
CVE-2025-30208. Contribute to B1ack4sh/Blackash-CVE-2025-30208 development by creating an account on GitHub.
CVE-2025-1974
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Github link:
https://github.com/B1ack4sh/Blackash-CVE-2025-1974
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Github link:
https://github.com/B1ack4sh/Blackash-CVE-2025-1974
GitHub
GitHub - B1ack4sh/Blackash-CVE-2025-1974: CVE-2025-1974
CVE-2025-1974. Contribute to B1ack4sh/Blackash-CVE-2025-1974 development by creating an account on GitHub.
CVE-2025-49144
Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.
Github link:
https://github.com/assad12341/notepad-v8.8.1-LPE-CVE-
Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.
Github link:
https://github.com/assad12341/notepad-v8.8.1-LPE-CVE-
GitHub
GitHub - assad12341/notepad-v8.8.1-LPE-CVE-: CVE-2025-49144 * Notepad++ v8.8.1 * SYSTEM-level POC
CVE-2025-49144 * Notepad++ v8.8.1 * SYSTEM-level POC - assad12341/notepad-v8.8.1-LPE-CVE-
CVE-2025-49144
Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.
Github link:
https://github.com/tristanvandermeer/CVE-2025-49144-Test
Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.
Github link:
https://github.com/tristanvandermeer/CVE-2025-49144-Test
GitHub
GitHub - tristanvandermeer/CVE-2025-49144-Test: A test attack for CVE-2025-49144
A test attack for CVE-2025-49144. Contribute to tristanvandermeer/CVE-2025-49144-Test development by creating an account on GitHub.