Research & Vulnerability Disclosures

Remote Code Execution (RCE) & SQL Injection (SQLi)

High-impact vulnerabilities that can lead to full system compromise.

• Bruno IDE - Remote Code Execution (CVE-2024-48463)
• SeSuite - Remote Code Execution (CVE-2023-26877)
• Typesetter CMS - Remote Code Execution (CVE-2020-25790)
• Piwigo - SQL Injection (CVE-2023-26876)
  • Official module published in the Metasploit Framework.

Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF)

• LumisXP - Unauthenticated XSS (CVE-2024-33329, CVE-2024-33328, CVE-2024-33327)
• phpIPAM - CSRF to Stored XSS (CVE-2021-46426)
• LiquidFiles - Stored XSS (CVE-2021-30140)
• Wordpress (Envira Gallery) - Stored XSS (CVE-2020-35581)
• Gila CMS - Reflected XSS (CVE-2019-20803) & CSRF (CVE-2019-20804)
• Piwigo - Stored XSS (CVE-2019-13364) & CSRF (CVE-2019-13363)

Other Vulnerabilities

• LumisXP - Information Disclosure & IDOR (CVE-2024-33326)
• Wordpress (WPvivid Backup) - Path Traversal (CVE-2022-2863)