PoC-in-GitHub RSS

CVE-2025-55182 (2025-12-03) kaxm23/rust-cve-2025-55182-scanner

Fri, 10 Apr 2026 20:49:46 +0900

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
[GitHub]powerfull rust cve-2025-55182-scanner used for ctf & ethical purpose only

CVE-2025-5548 (2025-06-04) CryptoMachio/CVE-2025-5548

Fri, 10 Apr 2026 20:19:44 +0900

A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. Affected is an unknown function of the component NOOP Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
[GitHub]Estudio técnico de la vulnerabilidad CVE-2025-5548

CVE-2025-55182 (2025-12-03) kaxm23/CVE-2025-55182-Auto-Scanner

Fri, 10 Apr 2026 20:07:12 +0900

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
[GitHub]CVE-2025-55182 Auto Scanner - Improved Version For authorized CTF/testing purposes only

CVE-2021-22911 (2021-05-27) roshanrajbanshi/rocketcat-cve-2021-22911-exploit

Fri, 10 Apr 2026 18:16:26 +0900

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.
[GitHub]CVE-2021-22911 Rocket.Chat NoSQL Injection RCE Exploit - Educational Purpose

CVE-2026-23869 (2026-04-08) yohannslm/CVE-2026-23869

Fri, 10 Apr 2026 15:34:17 +0900

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
[GitHub]POC for CVE-2026-23869

CVE-2026-23744 (2026-01-16) luiskrnr/exploit-CVE-2026-23744

Fri, 10 Apr 2026 14:52:49 +0900

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.
[GitHub]MCPJam Inspector is a local-first development platform for MCP servers. In versions 1.4.2 (and earlier), a RCE flaw lets attackers send crafted HTTP request that installs an MCP server and runs code remotely, because the service listens on 0.0.0.0 (instead of 127.0.0.1) by default.

CVE-2026-39376 (2026-04-07) redyank/CVE-2026-39376

Fri, 10 Apr 2026 14:39:38 +0900

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
[GitHub]CVE-2026-39376(Infinite redirect loop DoS via meta-refresh chain)

CVE-2021-44228 (2021-12-10) joaovicdev/EXPLOIT-CVE-2021-44228

Fri, 10 Apr 2026 14:24:43 +0900

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
[GitHub]PoC of CVE-2021-44228

CVE-2026-35584 (2026-04-07) LeonardoNovais7/CVE-2026-35584

Fri, 10 Apr 2026 13:49:07 +0900

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
[GitHub]POC - CVE-2026-35584

CVE-2026-5530 (2026-04-05) davidrxchester/CVE-2026-5530

Fri, 10 Apr 2026 12:52:57 +0900

A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
[GitHub]POC for CVE-2026-5530 - SSRF via Ollama Pull/Push API