diff --git a/exploits/go/webapps/52281.html b/exploits/go/webapps/52281.html
new file mode 100644
index 000000000..eb12c4873
--- /dev/null
+++ b/exploits/go/webapps/52281.html
@@ -0,0 +1,39 @@
+# Exploit Title: Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)
+# Application: Casdoor
+# Version: 1.901.0
+# Date: 03/07/2024
+# Exploit Author: Van Lam Nguyen
+# Vendor Homepage: https://casdoor.org/
+# Software Link: https://github.com/casdoor/casdoor/archive/refs/tags/v1.901.0.zip
+# Tested on: Windows
+# CVE : N/A
+
+Overview
+==================================================
+Casdoor v1.901.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password.
+This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
+
+Proof of Concept
+==================================================
+
+Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
+
+
+
+
+
+
+
+If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
+
+userOwner: built-in
+userName: admin
+newPassword: hacked
\ No newline at end of file
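Review bot: The result statement at the end of the file, "a new user will be created in the app with the following credentials", contradicts the Overview, which describes changing an existing user's password through /api/set-password. The listed fields (userOwner, userName, newPassword) describe a password change for built-in/admin, not account creation, so the sentence should say that. The Proof of Concept section consists of one sentence followed by empty added lines, so the file as committed does not document the request it refers to (method, parameters, whether the old-password field is simply omitted); either the section should describe that in text or state that it was withheld. The header Date 03/07/2024 is ambiguous between day/month orders; use the ISO form the other two files in this commit use. There is also no fixed-version or mitigation section, which the 52282 entry does provide.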
diff --git a/exploits/php/webapps/52282.txt b/exploits/php/webapps/52282.txt
new file mode 100644
index 000000000..a085e32b9
--- /dev/null
+++ b/exploits/php/webapps/52282.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)
+# Google Dork: N/A
+# Date: 2025-05-02
+# Exploit Author: Sn1p3r-H4ck3r (Siripong Jintung)
+# Vendor Homepage: https://snipeitapp.com
+# Software Link: https://github.com/grokability/snipe-it
+# Version: <= 8.0.4
+# Tested on: Ubuntu 22.04 LTS, Apache2 + MySQL + PHP 8.1
+# CVE: CVE-2025-47226
+
+# Vulnerability Description:
+Snipe-IT <= 8.0.4 contains an Insecure Direct Object Reference (IDOR) vulnerability in the
+`/locations//printassigned` endpoint. This flaw allows an authenticated user from one
+department to gain access to asset assignment data belonging to other departments by modifying
+the `location_id` in the URL.
+
+# Steps to Reproduce:
+1. Authenticate with a low-privileged account assigned to `location_id = 2`.
+2. Access the print preview page:
+ https:///locations/2/printassigned
+3. Modify the URL to:
+ https:///locations/1/printassigned
+4. The application will disclose inventory/assignment information for location ID 1,
+ even if the user should not have access.
+
+# Impact:
+- Unauthorized access to internal asset and inventory information.
+- Potential for lateral data exposure between departments in the same organization.
+- Disclosure of asset IDs, assignees, and location metadata.
+
+# Mitigation:
+Update to **Snipe-IT v8.1.0** or higher where access control validation has been corrected.
+
+# References:
+- Patch PR: https://github.com/grokability/snipe-it/pull/16672
+- CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47226
+- Release Notes: https://github.com/grokability/snipe-it/releases/tag/v8.1.0
\ No newline at end of file
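Review bot: The endpoint in the description and both URLs in the reproduction steps have lost their placeholders: `/locations//printassigned` has an empty path segment and `https:///locations/2/printassigned` has no host, which looks like angle-bracket placeholders being stripped on submission. Use placeholders that survive plain text, for example `/locations/{location_id}/printassigned` and `https://{host}/locations/2/printassigned`, so the path matches the `location_id` the description refers to. The Mitigation line uses Markdown bold (`**Snipe-IT v8.1.0**`) in a .txt file whose other sections are plain text; drop the asterisks.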
diff --git a/exploits/python/webapps/52283.txt b/exploits/python/webapps/52283.txt
new file mode 100644
index 000000000..0dc4d809a
--- /dev/null
+++ b/exploits/python/webapps/52283.txt
@@ -0,0 +1,87 @@
+# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
+# Google Dork: inurl:"/api/method/frappe"
+# Date: 2025-04-29
+# Exploit Author: Ahmed Thaiban (Thvt0ne)
+# Vendor Homepage: https://erpnext.com
+# Software Link: https://github.com/frappe/erpnext
+# Version: <= 14.82.1, 14.74.3 (Tested)
+# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
+# CVE : CVE-2025-28062
+# Category: WebApps
+
+# Description:
+A Cross-Site Request Forgery (CSRF) vulnerability Lead to Account Takeover exists in ERPNext 14.82.1 and 14.74.3. This flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.
+
+Affected endpoints include:
+- /api/method/frappe.desk.reportview.delete_items
+- /api/method/frappe.desk.form.save.savedocs
+
+Impact:
+- Deletion of arbitrary users
+- Unauthorized role assignment
+- Account takeover via password change
+
+The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.
+
+---
+
+# PoC 1: Delete a User
+
+
+
+ Delete User
+
+ Click Here
+
+
+
+
+---
+
+# PoC 2: Assign Role
+
+
+
+ Assign Role to User
+
+ Add Role
+
+
+
+
+---
+
+# PoC 3: Reset Password
+
+
+
+ Reset User Password
+
+ Reset Password
+
+
+
+
+---
+
+# Mitigation:
+- Enforce CSRF protection for all administrative endpoints
+- Require POST methods for state changes
+- Mark cookies as SameSite=Strict
+- Implement re-authentication for critical user changes
+
+---
+
+# Disclosure Timeline:
+- 2025-02-09: Vulnerability discovered
+- 2025-02-10: Reported to Frappe (no response)
+- 2025-04-29: Public disclosure via CVE + advisory
+
+---
+
+# Author Contact:
+LinkedIn: https://linkedin.com/in/ahmedth
+GitHub: https://github.com/Thvt0ne
+
+# References:
+- https://owasp.org/www-community/attacks/csrf
\ No newline at end of file
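Review bot: All three PoC sections contain only the visible page text ("Delete User" / "Click Here", "Assign Role to User" / "Add Role", "Reset User Password" / "Reset Password") with blank lines around it, so the file does not show the request method, the parameters, or which of the two listed endpoints each PoC targets. That leaves the mitigation item "Require POST methods for state changes" unsupported, since nothing visible shows a state change being accepted over GET; the description should state the method and the missing token check in prose. The Version line "<= 14.82.1, 14.74.3 (Tested)" mixes a range with a single version; give the affected range and the tested versions separately. The Mitigation section names no fixed release and the timeline records "no response", so the entry should say explicitly whether a vendor fix exists. Minor: "Lead to" in the description should read "leading to".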
diff --git a/files_exploits.csv b/files_exploits.csv
index 60be0aeed..d83dc5aa1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -2903,6 +2903,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
51976,exploits/go/remote/51976.txt,"MinIO < 2024-01-31T20-20-33Z - Privilege Escalation",2024-04-12,"Jenson Zhao",remote,go,,2024-04-12,2024-04-12,0,CVE-2024-24747,,,,,
51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
+52281,exploits/go/webapps/52281.html,"Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)",2025-05-06,"Van Lam Nguyen",webapps,go,,2025-05-06,2025-05-06,0,CVE-n/a,,,,,
51961,exploits/go/webapps/51961.txt,"Casdoor < v1.331.0 - '/api/set-password' CSRF",2024-04-02,"Van Lam Nguyen",webapps,go,,2024-04-02,2024-04-02,0,CVE-2023-34927,,,,,
51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,,
51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,,
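Review bot: The codes field of the new 52281 row is `CVE-n/a`, which is not a CVE identifier; other rows without a CVE leave the field empty (51760, for example), and a literal `CVE-n/a` will be picked up by any consumer that filters on a `CVE-` prefix. Leave the field empty to match the "CVE : N/A" header in the exploit file. The row directly below, 51961, records a CSRF on the same '/api/set-password' endpoint by the same author under CVE-2023-34927 for versions before v1.331.0, so the new description should make clear whether 1.901.0 is a regression of that issue or a separate one.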
@@ -19645,6 +19646,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45795,exploits/php/webapps/45795.txt,"Grocery crud 1.6.1 - 'search_field' SQL Injection",2018-11-06,"Loading Kura Kura",webapps,php,80,2018-11-06,2018-11-07,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comgrocery-crud-1.6.1.zip,
48792,exploits/php/webapps/48792.txt,"grocy 2.7.1 - Persistent Cross-Site Scripting",2020-09-07,"Mufaddal Masalawala",webapps,php,,2020-09-07,2020-09-07,0,,,,,,
51760,exploits/php/webapps/51760.txt,"Grocy <=4.0.2 - CSRF",2024-01-31,"Chance Proctor",webapps,php,,2024-01-31,2024-01-31,0,,,,,,
+52282,exploits/php/webapps/52282.txt,"Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)",2025-05-06,Sn1p3r-H4ck3r,webapps,php,,2025-05-06,2025-05-06,0,CVE-2025-47226,,,,,
51526,exploits/php/webapps/51526.txt,"Groomify v1.0 - SQL Injection",2023-06-19,"Ahmet Ümit BAYRAM",webapps,php,,2023-06-19,2023-06-19,0,,,,,,
7954,exploits/php/webapps/7954.txt,"groone glinks 2.1 - Remote File Inclusion",2009-02-03,"k3vin mitnick",webapps,php,,2009-02-02,,1,OSVDB-51821;CVE-2009-0463,,,,,
7878,exploits/php/webapps/7878.txt,"Groone's GLink ORGanizer - 'index.php?cat' SQL Injection",2009-01-26,nuclear,webapps,php,,2009-01-25,,1,OSVDB-51628;CVE-2009-0299,,,,,
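Review bot: The author field of the new 52282 row is the handle `Sn1p3r-H4ck3r` only, while the file header gives "Sn1p3r-H4ck3r (Siripong Jintung)", and the 52283 row added in the same commit does the opposite, keeping the name "Ahmed Thaiban" and dropping the handle "Thvt0ne". Use one convention for both rows so author lookups stay consistent. The description also says "8.0.4" where the file's Version line says "<= 8.0.4"; carrying the range into the title would keep the index from understating the affected versions.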
@@ -35170,6 +35172,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
51992,exploits/python/webapps/51992.py,"djangorestframework-simplejwt 5.3.1 - Information Disclosure",2024-04-15,"Dhrumil Mistry",webapps,python,,2024-04-15,2024-04-15,0,CVE-2024-22513,,,,,
52145,exploits/python/webapps/52145.py,"DocsGPT 0.12.0 - Remote Code Execution",2025-04-09,"Shreyas Malhotra",webapps,python,,2025-04-09,2025-04-09,1,CVE-2025-0868,,,,,
+52283,exploits/python/webapps/52283.txt,"ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)",2025-05-06,"Ahmed Thaiban",webapps,python,,2025-05-06,2025-05-06,0,CVE-2025-28062,,,,,
51580,exploits/python/webapps/51580.txt,"Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)",2023-07-11,"Sander Ferdinand",webapps,python,,2023-07-11,2023-07-11,0,,,,,,
49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
52076,exploits/python/webapps/52076.py,"Invesalius3 - Remote Code Execution",2024-08-28,"Alessio Romano (sfoffo)_ Riccardo Degli Esposti (partywave)",webapps,python,,2024-08-28,2024-08-28,0,,,,,,