mbiesiad/vulnerability-research

Releases0

This repository contains information about the public CVEs I found.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-29856 ↗	Mar 18, 2026Wednesday, 18 March 2026, 18:16	7.5 HIGH	—
An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input.
CVE-2026-29859 ↗	Mar 18, 2026Wednesday, 18 March 2026, 18:16	9.8 CRITICAL	—
An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2026-29858 ↗	Mar 18, 2026Wednesday, 18 March 2026, 18:16	7.5 HIGH	—
A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure.
CVE-2025-67163 ↗	Dec 18, 2025Thursday, 18 December 2025, 20:16	6.1 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter.
CVE-2025-67174 ↗	Dec 17, 2025Wednesday, 17 December 2025, 19:16	7.5 HIGH	—
A local file inclusion (LFI) vulnerability in RiteCMS v3.1.0 allows attackers to read arbitrary files on the host via a directory traversal in the admin_language_file and default_page_language_file in the admin.php component
CVE-2025-67170 ↗	Dec 17, 2025Wednesday, 17 December 2025, 19:16	6.1 MEDIUM	—
A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload.
CVE-2025-67171 ↗	Dec 17, 2025Wednesday, 17 December 2025, 19:16	7.5 HIGH	—
Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal.
CVE-2025-67173 ↗	Dec 17, 2025Wednesday, 17 December 2025, 19:16	6.8 MEDIUM	—
A Cross-Site Request Forgery (CSRF) in the page creation/editing function of RiteCMS v3.1.0 allows attackers to arbitrarily create pages via a crafted POST request.
CVE-2025-67168 ↗	Dec 17, 2025Wednesday, 17 December 2025, 19:16	5.3 MEDIUM	—
RiteCMS v3.1.0 was discovered to use insecure encryption to store passwords.
CVE-2025-67172 ↗	Dec 17, 2025Wednesday, 17 December 2025, 18:15	7.2 HIGH	—
RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function.
CVE-2025-67165 ↗	Dec 17, 2025Wednesday, 17 December 2025, 17:15	9.8 CRITICAL	—
An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.
CVE-2025-67164 ↗	Dec 17, 2025Wednesday, 17 December 2025, 17:15	9.9 CRITICAL	—
An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2025-61514 ↗	Oct 16, 2025Thursday, 16 October 2025, 19:15	6.5 MEDIUM	—
An arbitrary file upload vulnerability in SageMath, Inc CoCalc before commit 0d2ff58 allows attackers to execute arbitrary code via uploading a crafted SVG file.