Bucket
Medium: A web application backed by a locally exposed S3-compatible bucket allows unauthenticated file uploads; uploading a PHP web shell through the bucket …
RedPanda
Easy: A Spring Boot search page reflects user input into a Server-Side Template Injection sink, giving RCE as woodenk; a root-owned log-parser cron is then …
Resource
Hard: A zip-upload feature on an SSH key management web app is exploited via a PHP pearcmd LFI-to-RCE trick to land a webshell as www-data; uploaded zip …
Sea
Easy: A WonderCMS site’s contact form SSRF is weaponized to deliver CVE-2023-41425, landing a shell as www-data; a password hash found in the CMS …
Deputy
Medium: An exposed .git directory leaks Terraform IAM ARNs; a case-sensitivity bug in the event-role API lets those ARNs cross account boundaries, eventually …
TemplTrap
Easy: A Langflow AI server exposed on port 80 is exploited via CVE-2026-0770 (SSTI RCE) for an initial shell as karen; screen 5.0.0 setuid-root logging …
Interpreter
Medium: Mirth Connect 4.4.0 is vulnerable to CVE-2023-43208 (unauthenticated RCE); database credentials in mirth.properties lead to a PBKDF2-hashed password …
BloodFlow
Very Easy: A publicly exposed n8n workflow automation instance is vulnerable to CVE-2026-21858, an unauthenticated arbitrary file read to RCE chain, yielding a …
Data
Easy: An unauthenticated Grafana path-traversal (CVE-2021-43798) exposes the SQLite database, leaking PBKDF2 password hashes that crack to yield SSH access; …
WingData
Easy: Wing FTP Server 7.4.3 exposes an unauthenticated RCE endpoint; cracking the salted password hashes from its XML config yields SSH access as a system …
Facts
Easy: A Ruby on Rails app running Camaleon CMS 2.9.0 is compromised via mass-assignment privilege escalation to admin, then an LFI in the admin …
ReactOOPS
Very Easy: A vulnerable React application is exploited via CVE-2025-55182 (react2shell), yielding unauthenticated remote code execution and a shell that reads …
Broker
Easy: A default-credentialed Apache ActiveMQ 5.15.15 console reveals a version vulnerable to CVE-2023-46604 (OpenWire deserialization RCE); a sudo-allowed …
Lantern
Hard: A Skipper proxy CVE-2022-38580 SSRF exposes an internal Blazor WebAssembly app whose DLL contains base64-encoded admin credentials; those credentials …