Templates
The table below lists the Nuclei vulnerability templates available for scans. The full set of tuned templates can be found in our nuclei-templates repository.
3,216
Templates
1,575
CVEs Covered
3
Scan Categories
3216 of 3216 templates
Loading templates…
.NET Framework - Leaking ObjRefs via HTTP .NET Remoting
runzero-match
service["http.head.server"] matches "(?i)ms .net remoting"Description
.NET Framework Information Disclosure Vulnerability
Impact
Attackers can exploit leaked ObjRefs to access remote objects via .NET Remoting, potentially gaining unauthorized access to application data.
Remediation
Apply security patches for .NET Framework addressing CVE-2024-29059.
1 Click WordPress Migration <= 2.2 - Unauthenticated Information Disclsoure
Author: pussycat0xAdded: Feb 7, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/1-click-migration/"Description
1 Click WordPress Migration <= 2.2 contains an information disclosure caused by uncleared debug information, letting attackers retrieve embedded sensitive data, exploit requires no specific privileges.
Impact
Attackers can access sensitive embedded data, potentially leading to information disclosure and further exploitation.
Remediation
Remove debug information and update to the latest version of 1 Click WordPress Migration.
1Password SCIM Bridge - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)1Password SCIM Bridge Login"})Description
1Password SCIM Bridge Login was detected.
3COM NJ2000 - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "ManageEngine Password"})Description
3COM NJ2000 contains a default login vulnerability. Default admin login password of 'password' was found. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
3CX Phone System Management Console - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3cx webclient"}) || any(each(service["html.titles"]), {# matches "(?i)3cx phone system management console"}) || service["favicon.ico.image.mmh3"] == "970132176"Description
3CX Phone System Management Console panel was detected.
3CX Phone System Web Client Management Console - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3cx webclient"}) || any(each(service["html.titles"]), {# matches "(?i)3cx phone system management console"}) || service["favicon.ico.image.mmh3"] == "970132176"Description
3CX Phone System Web Client Management Console panel was detected.
3Com Wireless 8760 Dual Radio - Default Login
Author: ritikchaddhaAdded: Apr 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3COM"})Description
3COM Wireless 8760 Dual Radio contains a default login vulnerability. Default admin login password 'password' was found.
3ware Controller 3DM2 - Default Login
Author: ritikchaddhaAdded: Apr 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3ware"})Description
The default password for logging in to the 3DM2 web interface of a 3ware controller is "3ware" for both the Administrator and User accounts.
74cms - ajax_common.php SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying database.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_common.php file.
74cms - ajax_officebuilding.php SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_officebuilding.php file.
74cms - ajax_street.php 'key' SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 'key' parameter of ajax_street.php in 74cms.
74cms - ajax_street.php 'x' SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the underlying database.
Remediation
Apply the vendor-provided patch or update to the latest version of 74cms to mitigate the SQL Injection vulnerability.
AC Centralized Management System - Default password
Author: SleepingBag945Added: Sep 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)安网科技-智能路由系统"})Description
AC Centralized Management System default login credentials were discovered.
AC Smart II - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Doc/WebLogin\\.asp"Description
AC Smart II contains an authentication bypass caused by a hidden password reset form that can be manipulated to change the administrator password without verifying login or permissions, letting attackers change admin passwords without authorization.
Impact
Attackers can change the administrator password without authorization, leading to full system takeover.
Remediation
Update to the latest version that properly verifies login status and user permissions before password reset.
ACME Challenge Path - Reflected Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)acme-challenge"Description
Detects XSS vulnerabilities in ACME http-01 challenge implementations where hosting providers reflect the challenge key from the URL without proper sanitization
ACTi Video Monitoring Panel - Detection
Author: DhiyaneshDkAdded: Aug 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Web Configurator"})AIC Intelligent Campus System - Password Exposure
Author: SleepingBag945Added: Sep 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AIC智能校园系统"})Description
Due to the design logic defects, the super password is leaked, which can kill more than 40 campus systems.<br>
AJ-Report < 1.4.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AJ-Report"})Description
AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules functionality.
Impact
Unauthenticated attackers can bypass authentication and execute arbitrary Java code on the server through script engine injection, achieving complete system compromise and access to all application data.
Remediation
Upgrade to AJ-Report version 1.4.1 or later which includes security fixes.
AKHQ Panel - Detect
Author: DhiyaneshDKAdded: Apr 8, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "855432563"Description
AKHQ Panel was discovered.
AMD Pensando PSM - Default Login
Author: tpierruAdded: Aug 20, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1907840597"Description
The AMD Pensando Policy and Services Manager used a default password for the admin account.This allowed instances to be accessed using the default credentials.
AMR Printer Management Dashboard - Exposure
Author: ritikchaddhaAdded: Sep 17, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AMR Printer Management"})Description
Unauthorized access to the AMR Printer Management dashboard was possible, potentially exposing sensitive printer configuration and management interfaces without proper authentication.
APC Rack PDU Default Login
Author: tdiderichAdded: Aug 26, 2025
runzero-match
asset["hw"] matches `Schneider\s+Electric` || asset["os"] matches `Schneider\s+Electric\s+AOS` || any(each(service["html.titles"]), {# matches `APC \| Log On`})Description
APC Rack PDU with default administrator credentials discovered.
APsystems ECU-R Firmware - Command Injection
runzero-match
service["product"] matches "(?i)apsystems.ecu.firmware"Description
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
Impact
Unauthenticated attackers can execute arbitrary commands with root privileges through the timezone parameter in the administration interface, potentially compromising the entire solar power management system and connected infrastructure.
Remediation
Upgrade APsystems ECU-R firmware to a patched version that properly sanitizes the timezone parameter and validates input to prevent command injection.
ARL Default Admin Login
runzero-match
service["http.url"] contains ":5003/" && service["http.body"] contains "Powered by TCC" && service["http.body"] contains "ARL"Description
An ARL default admin login was discovered.
ARRIS Touchstone Telephony Modem - Panel Detect
runzero-match
service["http.body"] matches "(?i)phy\\.htm"Description
ARRIS Touchstone Telephony Modem status panel was detected.
ASUS AiCloud Panel - Detect
Author: ritikchaddhaAdded: Jun 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AiCloud"})Description
ASUS AiCloud Panel was detected.
ASUS RT-N16 - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="RT-N16'})Description
ASUS RT-N16 contains a default login vulnerability. Default admin login password 'admin' was found.
ASUS WL-500G - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# matches '(?i)realm="WL-500G'})Description
ASUS WL-500 contains a default login vulnerability. Default admin login password 'admin' was found.
ASUS WL-520GU - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="WL-520GU'})Description
ASUS WL-520GU contains a default login vulnerability. The default admin login password 'admin' was found.
ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ASUSTOR"Description
ASUSTOR ADM version 3.1.0.RFQ3 is vulnerable to SQL injection via the album_id parameter in the /photo-gallery/api/album/tree_lists/ endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database, potentially leading to information disclosure or further compromise of the affected system.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire ASUSTOR ADM system and accessing stored data.
Remediation
Upgrade to a patched version of ASUSTOR ADM or apply vendor-provided security updates.
ATutor < 2.2.1 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)atutor"Description
ATutor < 2.2.1 was discovered with a vulnerability, a reflected cross-site scripting (XSS), in ATtutor 2.2.1 via token body parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
Remediation
Upgrade ATutor to version 2.2.2 or above to mitigate this vulnerability.
AVEVA Edge SCADA - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `content\s*=\s*"AVEVA Edge"`Description
AVEVA Edge SCADA web interface panel has been detected.
AVEVA InTouch Access Anywhere - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)InTouch Access Anywhere Server"Description
Detected AVEVA InTouch Access Anywhere was a secure gateway that provided browser-based remote access to InTouch HMI applications over the internet. It was widely used in industrial process control, utilities, and manufacturing environments. Exposed instances may have provided access to industrial HMI displays and SCADA interfaces.
AVM FRITZ!Box 7530 AX - Unauthorized Access
runzero-match
service["http.body"] matches "(?i)FRITZ!Box 7530"Description
An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication.
Impact
Unauthenticated attackers can access sensitive device information including firmware version, serial numbers, and configuration details through the boxinfo XML endpoint.
Remediation
Update AVM FRITZ!Box 7530 AX to a version later than 7.59 that addresses the unauthorized access vulnerability.
AVTECH DVR - Login Verification Code Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH DVR products are vulnerable to verification code bypass just by entering the "login=quick" parameter to bypass verification code.
Impact
Attackers can bypass authentication mechanisms and gain unauthorized access to the DVR system, potentially viewing camera feeds, modifying settings, or compromising the device.
Remediation
Update to the latest firmware version or contact the vendor for a security patch.
AVTECH DVR - SSRF
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH DVR device, Search.cgi can be accessed directly. Search.cgi is responsible for searching and accessing cameras in the local network. Search.cgi provides the cgi_query function.
AVTECH Room Alert Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Room Alert"})Description
AVTECH Room Alert login panel was detected.
AVTECH Video Surveillance Product - Authentication Bypass
Author: ritikchaddhaAdded: May 15, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH Video Surveillance Products password disclosure through /cgi-bin/user/Config.cgi.
AVTECH Video Surveillance Product - Unauthenticated File Download
Author: ritikchaddhaAdded: May 15, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH video surveillance products unauthenticated file download from web root through /cgi-bin/cgibox, Since the .cab string is verified by the strstr method, the file download can be realized by adding ?.cab at the end of the file name.
AVideo <= 26.0 - WWBN AVideo - Remote Code Execution
Author: pussycat0xAdded: Apr 8, 2026
runzero-match
service["http.body"] matches "(?i)AVideo"Description
WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution.
Impact
Unauthenticated attackers can execute arbitrary system commands, leading to full server compromise.
Remediation
Update to the version including commit c85d076375fab095a14170df7ddb27058134d38c or later.
AWS EC2 Auto Scaling Lab
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["http.body"] matches "(?i)AWS EC2 Auto Scaling Lab"AWS Elastic Beanstalk Dockerrun.aws.json - Exposure
runzero-match
service["http.body"] matches "(?i)AWSEBDockerrunVersion"Description
Detected AWS Elastic Beanstalk Dockerrun.aws.json configuration file was publicly accessible, potentially revealing Docker container definitions, image names, hostnames, port mappings, and infrastructure details.
AWStats < 6.95 - Open Redirect
runzero-match
service["product"] matches "(?i)laurent.destailleur.awstats"Description
An open redirect vulnerability in awredir.pl in AWStats < 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
Impact
Allows attackers to redirect users to malicious websites or phishing pages.
Remediation
Apply all relevant security patches and product upgrades.
AWStats <= 7.5 - Full Path Disclosure
runzero-match
service["product"] contains "Laurent Destailleur:AWStats"Description
AWStats 7.6 contains a full path disclosure caused by improper handling of framename and update parameters in awstats.pl, letting remote attackers determine server file paths, exploit requires sending crafted parameters.
Impact
Attackers can discover server file paths, aiding further exploitation or reconnaissance.
Remediation
Update to the latest version of AWStats or apply security patches addressing this issue.
Abandoned Cart Lite for WooCommerce < 5.2.0 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/woocommerce-abandoned-cart/"Description
The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping.
Impact
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.
Remediation
Fixed in 5.2.0
Academy LMS 6.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)academy lms"Description
A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Impact
Unauthenticated attackers can execute arbitrary SQL queries, potentially extracting sensitive database information including user credentials and payment data.
Remediation
Update Academy LMS to version 6.3 or later which includes proper SQL injection prevention.
Accela Civic Platform <=21.1 - Cross-Site Scripting
runzero-match
service["product"] matches "(?i)accela.civic.platform"Description
Accela Civic Platform through 21.1 contains a cross-site scripting vulnerability via ssoAdapter/logoutAction.do successURL.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
Remediation
Upgrade to a patched version of Accela Civic Platform (version >21.1) that includes proper input validation and sanitization.
AceNet AceReporter Report Panel - Detect
Author: DhiyaneshDkAdded: Aug 4, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1595726841"Ackee Panel - Detect
Author: userdehghaniAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1495233116"Description
self-hosted, node.js based analytics tool for those who care about privacy.
Acmailer - Improper Access Control to OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "ACMAILER4\\.0"})Description
Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server via unspecified vectors.
Impact
Attackers can execute arbitrary OS commands or escalate privileges, potentially leading to full system compromise and sensitive data exposure.
Remediation
Update to the latest version of acmailer and acmailer DB to address the issue.
Acrolinx Dashboard
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Acrolinx Dashboard"})Description
An Acrolinx Analytics dashboard was detected.
Actifio Resource Center - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Actifio Resource Center"})Description
Actifio Resource Center was detected.
Activepieces Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Activepieces"})Description
Activepieces was detected. Activepieces was an open-source automation platform with AI and LLM integrations. Exposed instances may allow access to workflow automation configurations and connected integrations.
AcuToWeb server/10.5.0.7577c8b - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AcuToWeb"})Description
AcuToWeb server/10.5.0.7577c8b is vulnerable to reflected cross-site scripting (XSS) via the portgw parameter. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
Impact
Successful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious activities.
Remediation
Update AcuToWeb to the latest version. Implement proper input validation and output encoding for all user-supplied data, especially the portgw parameter.
Acunetix Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Acunetix"})Description
Acunetix login panel was detected.
AdGuard Panel - Detect
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AdGuard Home"})Description
AdGuard panel has been detected.
Adapt Authoring Tool - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adapt authoring tool"})Description
Login panel for adapt was detected.
AddOnFinance Portal - Detect
Author: ritikchaddhaAdded: Jun 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AddOnFinancePortal"})Description
AddOnFinance Portal Panel was detected.
Adfinity Login Panel - Detect
Author: righettodAdded: Apr 3, 2025
runzero-match
service["http.body"] matches "(?i)Adfinity"Description
Adfinity products was detected.
Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS
runzero-match
service["product"] contains "Adminer:Adminer"Description
Adminer <= 5.4.1 contains a denial of service caused by lack of origin validation in version check endpoint, letting attackers trigger server errors via crafted POST requests, exploit requires no special privileges.
Impact
Attackers can cause server errors resulting in denial of service for all users.
Remediation
Upgrade to Adminer 5.4.2 or later.
Adminer <4.7.9 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to internal resources and potential data leakage.
Remediation
Upgrade to version 4.7.9 or later.
Adminer <=4.8.0 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer 4.6.1 to 4.8.0 contains a cross-site scripting vulnerability which affects users of MySQL, MariaDB, PgSQL, and SQLite in browsers without CSP when Adminer uses a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled).
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the Adminer interface, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
This vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).
Adminer Default Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)adminer"})Description
Adminer contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Adminer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer login panel was detected.
Adminer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
An Adminer login panel was detected.
Adobe AEM CRX Package Manager - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
Adobe AEM CRX Package Manager panel was detected.
Adobe AEM Default Login
runzero-match
service["http.body"] contains `href="/etc.clientlibs/`Description
Adobe AEM default login credentials were discovered.
Adobe AEM JCR Compare Exposure
Author: pussycat0xAdded: Jan 2, 2026
runzero-match
service["product"] contains "Adobe:Experience Manager"Description
Detected an exposed Adobe AEM JCR compare functionality that was accessible without proper authorization. This exposure may have allowed attackers to infer repository structure or sensitive content through comparison operations.
Adobe ColdFusion - Access Control Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass access controls and gain unauthorized access to sensitive information or perform unauthorized actions.
Remediation
Apply the necessary security patches or updates provided by Adobe to mitigate this vulnerability.
Adobe ColdFusion - Access Control Bypass
Author: rootxharsh,iamnoooob,DhiyaneshDK,pdresearchAdded: Jul 12, 2023CWE-284,NVD-CWE-OTHERCVE-2023-29298
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
An attacker is able to access every CFM and CFC endpoint within the ColdFusion Administrator path /CFIDE/, of which there are 437 CFM files and 96 CFC files in a ColdFusion 2021 Update 6 install.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass access controls and gain unauthorized access to sensitive information or perform unauthorized actions.
Remediation
Apply the latest security patches or updates provided by Adobe to fix the access control bypass vulnerability.
Adobe ColdFusion - Arbitrary File Read
runzero-match
service["http.head.server"] matches `(?i)coldfusion`Description
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can read and write arbitrary files on the server, potentially leading to complete system compromise.
Remediation
Update Adobe ColdFusion to version 2023.7, 2021.13 or later depending on your version.
Adobe ColdFusion - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in context of the current user. Exploitation of this issue requires user interaction.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Adobe to mitigate this vulnerability.
Adobe ColdFusion - Deserialization of Untrusted Data
runzero-match
service["product"] matches "(?i)Adobe.ColdFusion"Description
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to Adobe ColdFusion version ColdFusion 2018 Update 18, ColdFusion 2021 Update 8, ColdFusion 2023 Update2 or later to mitigate this vulnerability.
Adobe ColdFusion - Local File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Unauthenticated Arbitrary File Read vulnerability due to deserialization of untrusted data in Adobe ColdFusion. The vulnerability affects ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier
Impact
This vulnerability can lead to unauthorized access to sensitive information stored on the server.
Remediation
Apply the necessary security patches or updates provided by Adobe to fix the vulnerability.
Adobe ColdFusion - Pre-Auth Remote Code Execution
runzero-match
service["product"] matches "(?i)Adobe.ColdFusion"Description
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to Adobe ColdFusion version 2023.0.0.328155 or later to mitigate this vulnerability.
Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
Impact
This vulnerability can lead to unauthorized access to sensitive information and potential compromise of the affected system.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Adobe ColdFusion Component Browser Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
An Adobe ColdFusion Component Browser login panel was detected.
Adobe ColdFusion WDDX Deserialization Gadgets
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can exploit WDDX deserialization vulnerabilities in Adobe ColdFusion to execute arbitrary code without user interaction and completely compromise ColdFusion installations.
Remediation
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
Adobe Coldfusion - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can bypass access controls to access Adobe ColdFusion administration endpoints, potentially allowing full control over the ColdFusion server and access to sensitive application data.
Remediation
Upgrade to Adobe ColdFusion 2023.6 or 2021.12 or later versions that address this access control vulnerability.
Adobe Coldfusion - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser
Impact
Unauthenticated attackers can inject malicious JavaScript through crafted URLs to execute code in victim browsers, potentially stealing ColdFusion administrator session cookies and gaining access to sensitive application configurations.
Remediation
Update Adobe ColdFusion to version 2023.6 or 2021.12 or later that properly escapes URLs in the CFIDE administrator and wizards interfaces.
Adobe Coldfusion <=8.0.1 - Cross-Site Scripting
runzero-match
service["product"] contains "Adobe:ColdFusion"Description
Adobe ColdFusion Server 8.0.1 and earlier contain multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade Adobe Coldfusion to a version higher than 8.0.1 or apply the necessary patches provided by the vendor.
Adobe Commerce & Magento - CosmicSting
runzero-match
service["product"] matches "(?i)Adobe.Magento"Description
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution.
Impact
Unauthenticated attackers can exploit XXE to achieve arbitrary code execution on Adobe Commerce and Magento instances.
Remediation
Update Adobe Commerce to version 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 or later.
Adobe Connect < 12.1.5 - Local File Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adobe Connect"}) || any(each(service["html.titles"]), {# matches "(?i)openvpn connect"})Description
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction
Impact
Unauthenticated attackers can exploit improper access control to download arbitrary files through the system/download endpoint, potentially accessing sensitive Adobe Connect meeting recordings and configuration files.
Remediation
Update Adobe Connect to version 12.1.5 or later that implements proper access control checks for the system/download functionality.
Adobe Connect Central Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openvpn connect"})Description
An Adobe Connect Central login panel was detected.
Adobe Experience Manager Felix Console - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "AEM Sign In"})Description
Adobe Experience Manager Felix Console contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. Remote code execution may also be possible via installation of OSGI bundle.
Adobe Experience Manager Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
An Adobe Experience Manager login panel was detected.
Adobe Experience Manager Sling User Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
Adobe Experience Manager Sling user login panel was detected.
Adobe Experience Manager ≤ 6.5.23.0 – SSRF
Author: DhiyaneshDk,assetnoteAdded: Sep 29, 2025
runzero-match
service["http.body"] matches "/libs/granite/core/content/login\\.html"Description
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass
Impact
Unauthenticated attackers can bypass security feature restrictions and force the server to make requests to arbitrary URLs, potentially enabling access to internal services and metadata endpoints.
Remediation
Upgrade Adobe Experience Manager to a version later than 6.5.23.0 that properly validates redirect URLs and implements SSRF protections.
Adobe Media Server Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adobe Media Server"})Description
An Adobe Media Server login panel was detected.
Ads Pro Plugin <= 4.89 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ap-plugin-scripteo"Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site.
Impact
Successful exploitation could allow an attacker to execute arbitrary code on the affected system through deserialization of malicious JSON payloads.
Remediation
Update the Ads Pro Plugin to version later than 4.89. Alternatively, disable polymorphic type handling or implement proper input validation and deserialization controls.
Advanced eMail Solution DEEPMail - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advanced eMail Solution DEEPMail"})Description
Advanced eMail Solution DEEPMail login panel was detected.
Advantech R-SeeNet - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)r-seenet"Description
Advantech R-SeeNet contains a cross-site scripting vulnerability in the device_graph_page.php script via the graph parameter. A specially crafted URL by an attacker can lead to arbitrary JavaScript code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Advantech to fix the XSS vulnerability in the R-SeeNet application.
Advantech R-SeeNet 2.4.12 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)r-seenet"Description
Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Update to the latest version of Advantech R-SeeNet to mitigate this vulnerability.
Advantech WebAccess/SCADA - Panel
Author: 0x_AkokoAdded: Jun 2, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advantech WebAccess"}) and service["favicon.ico.image.mmh3"] == "2047556588"Description
Detected Advantech WebAccess/SCADA login panel, a web-browser-based HMI/SCADA software used in critical manufacturing, energy, and water systems.
Aerohive NetConfig UI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aerohive NetConfig UI"})Description
An Aerohive NetConfig user interface was detected. The NetConfig UI provides a fundamental set of configurations for configuring basic network and HiveManager connectivity settings, and uploading new IQ Engine images to Extreme Networks APs.
Aethra Telecommunications Login - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aethra Telecommunications Operating System"})Description
Aethra Telecommunication login Panel was detected.
Agent-Zero 0.8.0 - 0.9.4 - Arbitrary File Download
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Agent Zero"})Description
Agent-Zero v0.8.0 - 0.9.4 contains a path traversal caused by improper validation in /api/download_work_dir_file.py, letting attackers access unauthorized files, exploit requires crafted request.
Impact
Attackers can access unauthorized files, potentially exposing sensitive data or system information.
Remediation
Update to the latest version of Agent-Zero
AgentGPT Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AgentGPT"})Description
AgentGPT was detected. AgentGPT was a browser-based autonomous AI agent platform that allows users to create, configure and deploy AI agents directly in the browser.
Agentejo Cockpit < 0.11.2 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate the vulnerability.
Agentejo Cockpit <0.11.2 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, potentially leading to unauthorized access, data manipulation, or denial of service.
Remediation
Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate this vulnerability.
Agentejo Cockpit <0.12.0 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.
Impact
Successful exploitation of this vulnerability could allow an attacker to manipulate database queries, potentially leading to unauthorized access, data leakage, or data corruption.
Remediation
Upgrade Agentejo Cockpit to version 0.12.0 or later to mitigate this vulnerability.
AirNotifier Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AirNotifier"})Description
AirNotifier login panel was detected.
AirOS Panel - Detect
Author: rxeriumAdded: Aug 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-697231354"Description
AirOS panel was detected.
Airbyte Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Airbyte"})Description
Airbyte panel was detected. Airbyte is a popular open-source data integration platform.
Airflow Experimental <1.10.11 - REST API Auth Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)airflow - dags"}) || any(each(service["html.titles"]), {# matches "(?i)airflow"}) || any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"}) || service["http.body"] matches "(?i)apache airflow"Description
Airflow's Experimental API prior 1.10.11 allows all API requests without authentication.
Impact
Allows unauthorized access to Airflow Experimental REST API
Remediation
From Airflow 1.10.11 forward, the default has been changed to deny all requests by default. Note - this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide linked in the references.
Akamai CloudTest < 60 2025.06.02 - XML External Entity (XXE)
runzero-match
service["http.body"] matches "Akamai CloudTest"Description
Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.
Impact
Unauthenticated attackers can exploit XXE injection to read arbitrary files from the server through malicious XML entities in SOAP requests.
Remediation
Upgrade Akamai CloudTest to version 60 2025.06.02 (12988) or later that properly disables external entity processing.
Akuiteo Login Panel - Detect
Author: righettodAdded: Nov 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Akuiteo"})Description
Akuiteo products was detected.
Alamos GmbH Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Alamos GmbH \\| FE2"})Description
Alamos GmbH panel was detected.
Alcatel-Lucent OmniPCX - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)omnipcx for enterprise"})Description
The OmniPCX web interface has a script "masterCGI" with a remote command execution vulnerability via the "user" parameter.
Impact
Any user with access to the web interface could execute arbitrary commands with the permissions of the webservers.
Remediation
Update to supported versions that filter shell metacharacters in the "user" parameter.
Alfresco - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Alfresco"}) && service["http.body"] contains "/share/res/js/alfresco"Description
Detected Alfresco Content Services was found to have been using the default administrator credentials (admin:admin). An attacker could have gained full administrative access to manage content, users, and repository configuration.
Alfresco Content App Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Alfresco Content App"})Description
Alfresco Content App panel was detected.
Alfresco Share - Open Redirect
runzero-match
service["product"] matches "(?i)alfresco"Description
Alfresco Share before 5.2.6, 6.0.N and 6.1.N contains an open redirect vulnerability via a crafted POST request. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the disclosure of sensitive information.
Remediation
Apply the latest security patches or updates provided by Alfresco to fix the open redirect vulnerability.
Alibaba Druid Monitor Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)druid monitor"})Description
Alibaba Druid Monitor default login information (admin/admin) was discovered.
Alibaba Nacos - Default Login
Author: SleepingBag945Added: Aug 22, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nacos"})Description
The default username and password for Nacos are both nacos.
Alibaba Sentinel - Server-side request forgery (SSRF)
runzero-match
any(each(service["html.titles"]), {# matches "Sentinel Dashboard"})Description
There is a Pre-Auth SSRF vulnerability in Alibaba Sentinel version 1.8.2, which allows remote unauthenticated attackers to perform SSRF attacks via the /registry/machine endpoint through the ip parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to send crafted requests from the server, potentially leading to unauthorized access to internal resources or network scanning.
Remediation
Apply the latest security patches or updates provided by Alibaba Sentinel to fix the SSRF vulnerability (CVE-2021-44139).
AlienVault USM Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AlienVault USM"})Description
An AlienVault USM login panel was detected.
All-In-One Video Gallery <=2.6.0 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)plugins360.all.in.one"Description
WordPress All-in-One Video Gallery plugin through 2.6.0 is susceptible to arbitrary file download and server-side request forgery (SSRF) via the 'dl' parameter found in the ~/public/video.php file. An attacker can download sensitive files hosted on the affected server and forge requests to the server.
Impact
An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access, data leakage, or further attacks.
Remediation
Update to the latest version of the All-In-One Video Gallery plugin (2.6.0) or apply the vendor-provided patch to fix the SSRF vulnerability.
All-in-One WP Migration < 7.87 - Unauthenticated Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/all-in-one-wp-migration"Description
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to unauthenticated information disclosure due to its error.log file being publicly accessible in versions before 7.87.
Impact
An unauthenticated attacker can access the error.log file, which may contain sensitive information such as full server path disclosures, backup filenames, and other debugging details. This information could be used in further attacks.
Remediation
Update the All-in-One WP Migration and Backup plugin to version 7.87 or later.
Allied Telesis Device GUI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)allied telesis device gui"})Description
Allied Telesis Device GUI login panel was detected.
Allnet - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-121681558"Description
Allnet contains a default login vulnerability. Default admin login password 'admin' was found.
Ally – Web Accessibility & Usability <= 4.0.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/pojo-accessibility/"Description
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
Impact
Unauthenticated attackers can extract sensitive database information via blind SQL injection, risking data disclosure.
Remediation
Update to a version later than 4.0.3 or the latest available version.
AlphaWeb XE Default Login
runzero-match
service["http.body"] contains ">AlphaWeb XE<"Description
An AlphaWeb XE default login was discovered.
Altenergy Power Control Software - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)altenergy power control software"})Description
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee of the file /index.php/display/status_zigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated remotely.
Impact
Authenticated attackers can execute SQL injection through the date parameter in the status_zigbee function to extract sensitive power system data including energy metrics and device configurations.
Remediation
Validate and sanitize all user inputs before processing them in SQL queries. Use parameterized queries or prepared statements to prevent SQL injection attacks.
Altenergy Power Control Software C1.2.5 - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Altenergy Power Control Software"})Description
Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter, because of set_timezone in models/management_model.php. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability.
AlternC Desktop Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AlternC Desktop"})Description
AlternC Desktop panel was detected.
Amazon EC2 - Server-side request forgery (SSRF)
runzero-match
service["http.head.server"] matches "EC2ws"Description
SSRF vulnerability exists in Amazon EC2, or Amazon Elastic Compute Cloud which is a web service provided by Amazon Web Services (AWS) that offers resizable compute capacity in the cloud.
Ambassador API Gateway Diagnostics - Exposure
Author: 0x_AkokoAdded: Dec 12, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ambassador Diagnostic Overview"})Description
Detected Ambassador API Gateway diagnostics portal, revealing service mappings, API endpoints, routing configurations, and internal cluster information.
Amcrest IP Camera Web Management - Data Exposure
runzero-match
service["http.body"] matches "(?i)Amcrest"Description
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials.
Impact
An attacker can gain unauthorized access to sensitive data.
Remediation
Apply the latest firmware update provided by the vendor to fix the vulnerability.
Amcrest Login
runzero-match
service["http.body"] matches "(?i)amcrest"Description
An Amcrest LDAP user login was discovered.
AmpJuke - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-121681558"Description
AmpJuke contains a default login vulnerability. Default admin login password 'pass' was found.
Ampache Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)for the love of music"})Description
Ampache login panel was detected.
Analytics Insights for Google Analytics 4 < 6.3 - Open Redirect
Author: s4e-ioAdded: Jun 10, 2024
runzero-match
service["http.body"] matches "/wp-content/plugins/analytics-insights"Description
The plugin is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Impact
Unauthenticated attackers can redirect users to malicious sites for phishing attacks, credential harvesting, or malware distribution by exploiting insufficient redirect validation.
Remediation
Upgrade to Analytics Insights for Google Analytics 4 version 6.3 or later.
Anaqua Login - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Anaqua User Sign On"})Description
Checks for the presence of Anaqua login page
Andover Continuum BMS - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)Andover Continuum"Description
Andover Continuum Building Management System panel has been detected.
Ansible Semaphore Panel Detect
runzero-match
service["http.body"] matches "(?i)Semaphore</title>"Description
An Ansible Semaphore login panel was detected.
Ansible Tower - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ansible tower"})Description
Ansible Tower was detected. Ansible Tower is a commercial offering that helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments.
AnteeoWMS < v4.7.34 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ANTEEO"Description
A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.
Impact
Unauthenticated attackers can execute arbitrary SQL commands via the username parameter, potentially extracting sensitive database information.
Remediation
Update AnteeoWMS to version 4.7.34 or later.
Anyscale Ray - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "463802404" || service["http.body"] matches "(?i)ray dashboard" || any(each(service["html.titles"]), {# matches "(?i)ray dashboard"})Description
Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API.
Impact
Unauthenticated attackers with network access to the Ray Dashboard API can execute arbitrary code remotely as root, leading to complete system compromise.
Remediation
Upgrade Anyscale Ray to version 2.6.4 or later, or version 2.8.1 or later, and restrict network access to the Ray Dashboard API.
Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "463802404"Description
The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.
Impact
The issue is exploitable without authentication and is dependent only on network connectivity to the Ray Dashboard port (8265 by default). The vulnerability could be exploited to retrieve the highly privileged IAM credentials required by Ray from the AWS metadata API. As an impact it is known to affect confidentiality, integrity, and availability.
Remediation
Update to the latest version
AnythingLLM - Information Disclosure
runzero-match
service["http.body"] matches "(?i)AnythingLLM"Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.
Impact
Unauthenticated attackers can read and write to the Qdrant database, compromising semantic search and leaking confidential documents.
Remediation
Update to version 1.10.0 or later.
AnythingLLM - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AnythingLLM"})Description
AnythingLLM suffers from an information disclosure vulnerability through the `/api/setup-complete` API endpoint. By accessing this endpoint, a remote and unauthenticated attacker can access sensitive configuration of the target AnythingLLM instance. This detection is included in the AI and LLM category.
Impact
An attacker can use the vulnerability to obtain device administrator rights.
Remediation
Update AnythingLLM to the latest version and implement proper authentication for the setup-complete API endpoint.
AnythingLLM Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AnythingLLM \\| Your personal LLM trained on anything"})Description
Detects the AnythingLLM web interface.
Apache 2.4.49 - Path Traversal and Remote Code Execution
runzero-match
service["http.head.server"] matches `Apache/2\.4\.49`Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and remote code execution.
Remediation
Upgrade Apache to version 2.4.50 or apply the relevant patch provided by the vendor.
Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
runzero-match
service["http.head.server"] matches `Apache/2\.4\.(49|59)`Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code and gain unauthorized access to sensitive information.
Remediation
Upgrade to Apache HTTP Server 2.4.51 or later.
Apache <= 2.4.48 Mod_Proxy - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)apache.http.server"Description
Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
Impact
Attackers can perform SSRF attacks via mod_proxy to access internal resources and forward requests to arbitrary origin servers, potentially exposing internal services and data.
Remediation
Upgrade to Apache version 2.4.49 or later.
Apache APISIX Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache apisix dashboard"})Description
An Apache APISIX login panel was detected.
Apache ActiveMQ - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "ActiveMQ"})Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.
Impact
Authenticated attackers can execute arbitrary code on the broker JVM, potentially leading to full system compromise.
Remediation
Upgrade to version 5.19.5 or 6.2.3 or later.
Apache ActiveMQ - Remote Code Execution via HTTP Discovery Transport Bypass
runzero-match
service["product"] matches "(?i)ActiveMQ"Description
Apache ActiveMQ before 5.19.6 and 6.0.0 through 6.2.4 is vulnerable to remote code execution via a bypass of the CVE-2026-34197 security fix. The original fix blocked the "vm://" transport scheme in BrokerView.addNetworkConnector() and BrokerView.addConnector() to prevent authenticated attackers from loading malicious Spring XML configurations via the Jolokia API. However, the fix only denied the "vm" scheme. An attacker can bypass this restriction by using the HTTP Discovery transport(http://attacker/discovery), which is not in the denied scheme list. The attacker-controlled HTTP endpoint returns a vm:// transport URI as a second-stage response, which then loads a remote Spring XML application context, leading to arbitrary code execution on the broker JVM. The activemq-http module must be on the classpath (present by default in the "all" distribution), and authenticated access to the Jolokia API (/api/jolokia/) is required.
Impact
Authenticated attackers can execute arbitrary code on the broker JVM, potentially leading to full system compromise.
Remediation
Attacker must be authenticated and activemq-http module must be on classpath.
Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ActiveMQ"})Description
Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication.
Impact
Unauthenticated users can interact with the broker, potentially producing, consuming, or deleting messages and accessing sensitive management APIs.
Remediation
Upgrade to Apache ActiveMQ 6.1.2 or later, or update `conf/jetty.xml` to require authentication on the `/api/` web context.
Apache ActiveMQ Artemis Console Default Login
Author: pdteamAdded: Jun 5, 2025
runzero-match
any(each(service["html.titles"]), {# contains "ActiveMQ Artemis Console"})Description
Detected Apache ActiveMQ Artemis console default login credentials were discovered.
Apache ActiveMQ Default Login
Author: pdteamAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# contains "Apache ActiveMQ"})Description
Apache ActiveMQ default login credentials were discovered.
Apache ActiveMQ Exposure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache ActiveMQ"})Description
An Apache ActiveMQ implementation was discovered.
Apache Airflow <1.10.14 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"})Description
Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized execution of arbitrary code.
Remediation
Change default value for [webserver] secret_key config.
Apache Airflow <=1.10.10 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"}) || service["http.body"] matches "(?i)apache airflow" || any(each(service["html.titles"]), {# matches "(?i)airflow - dags"}) || any(each(service["html.titles"]), {# matches "(?i)airflow"})Description
Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use).
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
Apache Airflow Admin Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"}) || any(each(service["html.titles"]), {# matches "(?i)airflow - dags"})Description
An Apache Airflow admin login panel was discovered.
Apache Airflow Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Sign In - Airflow"})Description
Apache Airflow default login credentials were discovered.
Apache Airflow OS Command Injection
runzero-match
service["http.body"] matches "(?i)apache airflow" || any(each(service["html.titles"]), {# matches "(?i)airflow - dags"}) || any(each(service["html.titles"]), {# matches "(?i)airflow"}) || any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"})Description
Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Apply the latest security patches or upgrade to a patched version of Apache Airflow.
Apache Airflow v3 Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Airflow"})Description
Apache Airflow v3 default login credentials were discovered.
Apache Ambari Default Login
runzero-match
service["http.body"] contains `>See third-party tools/resources that Ambari uses and their respective authors<`Description
An Apache Ambari default admin login was discovered.
Apache Apisix Admin - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Apache APISIX Dashboard"})Description
An Apache Apisix default admin login was discovered.
Apache Apollo - Default Login
Author: ritikchaddhaAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Apache Apollo"})Apache Apollo Panel - Detect
Author: ritikchaddhaAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Apollo"})Apache Axis2 Default Login
runzero-match
service["http.body"] matches "(?i)Apache Axis"Description
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or the ability to modify or delete data.
Remediation
Disable or restrict access to the Axis2 web interface, or apply the necessary patches or updates provided by the vendor.
Apache CloudStack - Default Login
Author: DhiyaneshDKAdded: Jul 30, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Apache CloudStack"})Description
CloudStack instance discovered using weak default credentials, allows the attacker to gain admin privilege.
Apache Cocoon 2.1.12 - XML Injection
runzero-match
service["http.body"] matches "(?i)Apache Cocoon"Description
Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and remote code execution.
Remediation
Upgrade to Apache Cocoon 2.1.13 or later.
Apache DolphinScheduler Default Login
runzero-match
any(each(service["html.titles"]), {# matches "DolphinScheduler"})Description
Apache DolphinScheduler default admin credentials were discovered.
Apache Doris - Default Login
Author: icarotAdded: Oct 21, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "24048806"Description
Tests if Apache Doris Panel, it is an easy-to-use, high performance and unified analytics database, is using the default password on root/admin user accounts.
Apache Druid - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Apache Druid"})Description
Apache Druid is vulnerable to RCE due to Log4j.
Apache Druid - Server-Side Request Forgery
Author: xbow,DhiyaneshDKAdded: Aug 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "apache druid"})Description
Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid.This issue affects all previous Druid versions.When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.
Impact
Authenticated attackers can exploit SSRF vulnerabilities through the management proxy to redirect requests to arbitrary servers, potentially enabling XSS, XSRF attacks, or accessing internal services.
Remediation
Upgrade to Apache Druid version 31.0.2 or 32.0.1, or disable the management proxy to mitigate this vulnerability.
Apache Druid Kafka Connect - Remote Code Execution
runzero-match
service["http.body"] matches "Apache Druid"Description
The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API
Impact
Authenticated attackers can exploit unsafe deserialization in the Kafka Connect REST API to execute arbitrary code through JNDI injection, potentially compromising the entire Apache Druid data analytics infrastructure.
Remediation
Apply Apache Druid security patches that validate and sanitize SASL JAAS configuration in Kafka connector settings to prevent JNDI injection attacks.
Apache Flink - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches `^Apache Flink Web Dashboard`})Description
Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process (aka local file inclusion).
Impact
Unauthenticated attackers can read arbitrary files from the JobManager local filesystem, potentially exposing sensitive configuration files, credentials, and proprietary data.
Remediation
Apply the latest security patches or upgrade to a patched version of Apache Flink to mitigate the vulnerability.
Apache HTTP Server - ACL Bypass
runzero-match
any(each(service["html.titles"]), {# matches "Apache HTTP Server"})Description
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
Impact
Authenticated attackers can bypass ACL restrictions by crafting requests with incorrect encoding, potentially accessing protected backend services or resources that should be restricted by authentication mechanisms.
Remediation
Upgrade to Apache HTTP Server version 2.4.60 or later.
Apache HTTP Server - Remote Code Execution
runzero-match
service["product"] matches "(?i)apache.http.server"Description
Apache HTTP Server 2.4.32 to 2.4.44 contains an info disclosure and possible remote code execution caused by a vulnerability in mod_proxy_uwsgi, letting remote attackers access sensitive information and potentially execute arbitrary code, exploit requires sending crafted requests.
Impact
Attackers can exploit the mod_proxy_uwsgi vulnerability to access sensitive information or execute arbitrary code on the Apache HTTP Server, potentially compromising the entire web server and its hosted applications.
Remediation
Update Apache HTTP Server to version 2.4.45 or later.
Apache HTTP server v2.4.0 to v2.4.39 - Open Redirect
runzero-match
service["product"] matches "(?i)apache.http.server"Description
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Upgrade Apache HTTP server to version 2.4.40 or later to mitigate this vulnerability.
Apache HertzBeat - Default Credentials
Author: securitytaters,icarotAdded: Sep 2, 2024
runzero-match
any(each(service["html.titles"]), {# matches "HertzBeat"})Description
Apache HertzBeat enables default admin (and others) credentials. An attacker can execute unauthorized operations.
Apache HugeGraph-Server - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "HugeGraph"})Description
Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.
Impact
Unauthenticated attackers can execute arbitrary commands via the gremlin component in Apache HugeGraph-Server, potentially compromising the entire graph database system.
Remediation
Update Apache HugeGraph-Server to version 1.3.0 or later.
Apache HugeGraph-Server <1.5.0 - Authentication Bypass
runzero-match
service["product"] contains "Apache:HugeGraph"Description
Apache HugeGraph-Server versions prior to 1.5.0 contain an authentication bypass vulnerability caused by assumed-immutable data. This flaw allows attackers to bypass authentication mechanisms without requiring specific privileges or user interaction.
Impact
Attackers can bypass authentication, gaining unauthorized access to sensitive data or functionalities.
Remediation
Upgrade to Apache HugeGraph-Server version 1.5.0 or later.
Apache JMeter Dashboard Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache jmeter dashboard"})Description
Apache JMeter Dashboard login panel was detected.
Apache Kafka Center Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Kafka Center"})Description
Apache Kafka Center default admin credentials were discovered.
Apache Kafka Consumer Offset Monitor Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kafka consumer offset monitor"}) || any(each(service["html.titles"]), {# matches "(?i)kafka center"})Description
Apache Kafka Consumer Offset Monitor panel was detected.
Apache Kafka Control Center Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kafka center"}) || any(each(service["html.titles"]), {# matches "(?i)kafka consumer offset monitor"})Description
Apache Kafka Control Center login panel was detected.
Apache Kafka Monitor Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kafka center"}) || any(each(service["html.titles"]), {# matches "(?i)kafka consumer offset monitor"})Description
Apache Kafka Monitor login panel was detected.
Apache Karaf - Default Login
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="karaf'})Description
Apache Karaf contains a default login vulnerability. Default login credentials were detected. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Apache Kylin 3.0.1 - Command Injection Vulnerability
runzero-match
service["favicon.ico.image.mmh3"] == "-186961397"Description
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution and potential compromise of the affected server.
Remediation
Upgrade to a patched version of Apache Kylin or apply the necessary security patches provided by the vendor.
Apache Log4j Server - Deserialization Command Execution
runzero-match
service["product"] matches "(?i)apache.log4j" and service["service.transport"] contains "tcp"Description
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Impact
Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary commands on the affected server.
Remediation
Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups.
Apache Log4j2 - Remote Code Injection
runzero-match
service["product"] matches "(?i)apache.log4j"Description
Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Log4j2.
Apache Log4j2 Remote Code Injection
Author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea,j4vaovoAdded: Apr 27, 2023CWE-20,CWE-917CVE-2021-44228
runzero-match
service["product"] matches "(?i)apache.log4j"Description
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Impact
Successful exploitation of this vulnerability can lead to remote code execution, potentially compromising the affected system.
Remediation
Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
Apache Mesos - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mesos"})Description
Apache Mesos panel was detected.
Apache NiFi - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nifi"})Description
Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group.
Impact
Attackers can create Process Groups bound to Parameter Contexts without proper authorization checks, enabling them to download non-sensitive parameter values and potentially access sensitive configuration data.
Remediation
Update Apache NiFi to version 2.1.0 or later to address the missing authorization checks for Parameter Contexts.
Apache NiFi - Remote Code Execution
Author: arliyaAdded: Jan 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NiFi"})Description
Apache NiFi is designed for data streaming. It supports highly configurable data routing, transformation, and system mediation logic that indicate graphs. The system has unauthorized remote command execution vulnerability.
Apache OFBiz - Directory Traversal & Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ofbiz"})Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.
Impact
An attacker can exploit this directory traversal vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Apache OFBiz - Improper Authorization & Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OFBiz"}) || service["http.head.setCookie"] matches "^OFBiz.Visitor" || service["last.http.head.setCookie"] matches "^OFBiz.Visitor"Description
Improper Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
Impact
An attacker can exploit this directory traversal vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Apache OFBiz - JNDI Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "Apache OFBiz"Description
Apache OFBiz is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.
Remediation
Upgrade to Apache OFBiz version 8.12.03 or later.
Apache OFBiz - Remote Code Execution
runzero-match
service["http.body"] matches "ofbiz"Description
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server
Impact
Unauthenticated attackers can exploit missing view authorization checks to execute arbitrary code on Apache OFBiz servers.
Remediation
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Apache OFBiz - XML External Entity Injection
runzero-match
service["http.body"] matches "(?i)ofbiz"Description
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.
Impact
Attackers can disclose sensitive filesystem data, probe network ports, and determine file existence, leading to information disclosure and potential further exploitation.
Remediation
Update to the latest OFBiz version or apply security patches addressing XML external entity vulnerabilities.
Apache OFBiz 17.12.03 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)ofbiz"Description
Apache OFBiz 17.12.03 contains cross-site scripting and unsafe deserialization vulnerabilities via an XML-RPC request.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache OFBiz.
Apache OFBiz < 17.12.07 - Arbitrary Code Execution
runzero-match
service["http.body"] matches "OFBiz"Description
Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
Impact
Unauthenticated attackers can exploit unsafe deserialization to execute arbitrary code, leading to complete server compromise.
Remediation
Upgrade to Apache OFBiz version 17.12.07 or later.
Apache OFBiz < 18.12.07 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)OFBiz"Description
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
Impact
Unauthenticated attackers can read arbitrary files from the server filesystem through the Solr plugin debug endpoint in Apache OFBiz, potentially accessing configuration files, credentials, and other sensitive system information.
Remediation
Upgrade to Apache OFBiz version 18.12.07 or later to mitigate this local file inclusion vulnerability.
Apache OFBiz < 18.12.10 - Arbitrary Code Execution
runzero-match
service["http.body"] matches "OFBiz"Description
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.
Impact
Unauthenticated attackers can exploit unmaintained XML-RPC functionality to execute arbitrary code through Java deserialization, enabling complete server compromise.
Remediation
Users are recommended to upgrade to version 18.12.10.
Apache OFBiz < 18.12.11 - Remote Code Execution
runzero-match
service["http.body"] matches "OFBiz"Description
The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF)
Impact
Unauthenticated attackers can bypass authentication and execute arbitrary Groovy code, leading to remote code execution and complete system compromise.
Remediation
Upgrade Apache OFBiz to version 18.12.11 or later.
Apache OFBiz < 18.12.11 - Server Side Request Forgery
runzero-match
service["http.body"] matches "OFBiz"Description
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
Impact
Unauthenticated attackers can read arbitrary file properties and perform SSRF attacks, potentially accessing sensitive internal resources or configuration files.
Remediation
Upgrade Apache OFBiz to version 18.12.11 or later.
Apache OFBiz <17.12.06 - Arbitrary Code Execution
runzero-match
service["http.body"] matches "ofbiz"Description
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade Apache OFBiz to version 17.12.06 or later to mitigate this vulnerability.
Apache OFBiz <17.12.07 - Arbitrary Code Execution
runzero-match
service["http.body"] matches "ofbiz"Description
Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade Apache OFBiz to version 17.12.07 or later to mitigate this vulnerability.
Apache OFBiz <=16.11.07 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)ofbiz"Description
Apache OFBiz 16.11.01 to 16.11.07 is vulnerable to cross-site scripting because data sent with contentId to /control/stream is not sanitized.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade Apache OFBiz to a version higher than 16.11.07 to mitigate this vulnerability.
Apache OFBiz Directory Traversal - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OFBiz"}) || service["http.head.setCookie"] matches "^OFBiz.Visitor" || service["last.http.head.setCookie"] matches "^OFBiz.Visitor"Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.13
Impact
An attacker can exploit this directory traversal vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
Remediation
Users are recommended to upgrade to version 18.12.13, which fixes the issue.
Apache OfBiz Default Login
runzero-match
service["http.head.setCookie"] matches "^OFBiz.Visitor="Description
Apache OfBiz default admin credentials were discovered.
Apache Pinot < 1.3.0 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1696974531"Description
This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.
Impact
Unauthenticated attackers can bypass authentication by injecting special characters in URIs, gaining unauthorized access to Apache Pinot administrative functions.
Remediation
Update Apache Pinot to version 1.3.0 or later to address the authentication bypass vulnerability.
Apache Polaris - Default Login
Author: icarotAdded: Mar 17, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Polaris"})Description
The Apache Polaris server is configured with default administrative credentials, allowing an attacker to perform unauthorized operations. This template verifies the use of the default username root and password s3cr3t.
Apache Polaris - Information Disclosure
Author: icarotAdded: Mar 17, 2026
runzero-match
service["http.body"] matches "(?i)org\\.apache\\.polaris"Description
Detects a Apache Polaris server, the interoperable, open source catalog for Apache Iceberg.
Apache Ranger - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Ranger - Sign In"})Description
Apache Ranger contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Apache RocketMQ Console Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rocketmq"}) || any(each(service["html.titles"]), {# matches "(?i)rocketmq-console-ng"})Description
Apache RocketMQ Console panel was detected.
Apache S2-032 Struts - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts"Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when dynamic method invocation is enabled, allows remote attackers to execute arbitrary code via method: prefix (related to chained expressions).
Impact
Remote code execution
Remediation
Upgrade to Apache Struts version 2.3.20.2, 2.3.24.2, or 2.3.28.1.
Apache ShardingSphere ElasticJob-UI privilege escalation
runzero-match
service["favicon.ico.image.mmh3"] == "816588900"Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.
Impact
Successful exploitation of this vulnerability could result in unauthorized access and control of the ElasticJob-UI application.
Remediation
Apply the latest security patches or updates provided by Apache ShardingSphere to mitigate the privilege escalation vulnerability.
Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability
runzero-match
service["product"] matches "(?i)apache.shiro"Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Impact
Remote code execution
Remediation
Upgrade to a patched version of Apache Shiro
Apache Sling - Default Login
Author: icarotAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Sling"})Description
Apache Sling default login was discovered.
Apache Solr - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Apache Solr"Description
Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass.A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path.This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.This issue affects Apache Solr- from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0.
Impact
Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Apache Solr - Deserialization of Untrusted Data
runzero-match
any(each(service["html.titles"]), {# matches "Solr"})Description
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.
Impact
Unauthenticated attackers can trigger remote code execution via unsafe deserialization by pointing the JMX server to a malicious RMI server, leading to complete Solr server compromise.
Remediation
Upgrade to Apache Solr version 5.5.6, 6.6.6, or later versions that are not vulnerable.
Apache Solr - Host Environment Variables Leak via Metrics API
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache solr"}) || any(each(service["html.titles"]), {# matches "(?i)solr admin"})Description
Exposure of Sensitive Information to an Unauthorized Actor Vulnerability in Apache Solr.
The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users can specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host,unlike Java system properties which are set per-Java-proccess.
Impact
This vulnerability can lead to the exposure of sensitive information, potentially allowing an attacker to gain unauthorized access or perform further attacks.
Remediation
Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.
Apache Solr 7+ - Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "Apache Solr"Description
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. This vulnerability affects Solr 7+.
Apache Solr <= 7.1 - XML Entity Injection
runzero-match
service["product"] matches "(?i)apache.solr"Description
Apache Solr with Apache Lucene before 7.1 is susceptible to remote code execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
Impact
Successful exploitation of this vulnerability could lead to information disclosure, denial of service.
Remediation
Upgrade to a patched version of Apache Solr (7.2 or higher) or apply the recommended security patches.
Apache Solr <=8.3.1 - Remote Code Execution
runzero-match
service["product"] matches "(?i)apache.solr"Description
Apache Solr versions 5.0.0 to 8.3.1 are vulnerable to remote code execution vulnerabilities through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to a patched version of Apache Solr (8.4.0 or later) to mitigate this vulnerability.
Apache Solr <=8.8.1 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)apache.solr"Description
Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
Remediation
This issue is resolved in Apache Solr 8.8.2 and later.
Apache Solr Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)solr admin"}) || any(each(service["html.titles"]), {# matches "(?i)apache solr"})Description
Apache Solr admin panel was detected.
Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
runzero-match
service["product"] matches "(?i)apache.solr"Description
Apache Solr is vulnerable to remote code execution vulnerabilities via the DataImportHandler, an optional but popular module to pull in data from databases and other sources. The module has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk.
Impact
Successful exploitation of this vulnerability could lead to remote code execution, allowing an attacker to execute arbitrary commands on the affected system.
Remediation
Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
Apache Spark - Authentication Bypass
runzero-match
service["product"] matches "(?i)apache.spark"Description
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
Impact
Attackers can execute arbitrary shell commands on the host machine, leading to full system compromise.
Remediation
Update to Spark 2.4.6 or later to fix the vulnerability.
Apache Spark Panel - Detect
runzero-match
service["http.body"] matches "(?i)/apps/imt/html/" || any(each(service["html.titles"]), {# matches "(?i)spark master at"})Description
Apache Spark panel was detected.
Apache Spark UI - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)spark master at"}) || service["http.body"] matches "(?i)/apps/imt/html/"Description
Apache Spark UI is susceptible to remote command injection. ACLs can be enabled via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow impersonation by providing an arbitrary user name. An attacker can potentially reach a permission check function that will ultimately build a Unix shell command based on input and execute it, resulting in arbitrary shell command execution. Affected versions are 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
Remediation
Apply the latest security patches or updates provided by Apache Spark to fix the remote command injection vulnerability.
Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache streampipes"})Description
Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator (PRNG) in the recovery token generation mechanism. Given a valid token it's possible to predict all past and future generated tokens.
Impact
Successful exploitation of this vulnerability could allow an attacker to take over user accounts.
Remediation
Update to Apache StreamPipes 0.95.0 or later.
Apache Streampark - Default Login
Author: icarotAdded: Sep 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache StreamPark"})Description
Apache Streampark server enables default admin credentials. An attacker can execute unauthorized operations.
Apache Struts - Multiple Open Redirection Vulnerabilities
runzero-match
service["http.body"] matches "apache struts"Description
Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
Impact
An attacker can exploit these vulnerabilities to redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Developers should immediately upgrade to Struts 2.3.15.1 or later.
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
runzero-match
service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"})Description
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. This introduces the possibility to inject server side code.
Impact
This vulnerability can lead to remote code execution, allowing attackers to take control of the affected system.
Remediation
Developers should immediately upgrade to Struts 2.3.15.1 or later.
Apache Struts 2 - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.
Impact
Remote attackers can execute arbitrary commands on the target system.
Remediation
Upgrade to Apache Struts 2.3.32 or 2.5.10.1 or apply the necessary patches.
Apache Struts 2.0.0-2.5.25 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
Apache Struts 2.0.0 through Struts 2.5.25 is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts.
Apache Struts <=2.5.20 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts"Description
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected server.
Remediation
Upgrade Apache Struts to a version higher than 2.5.20 or apply the necessary patches provided by the vendor.
Apache Struts2 S2-008 RCE
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected server.
Remediation
Developers should immediately upgrade to at least Struts 2.3.18.
Apache Struts2 S2-012 RCE
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected server.
Remediation
Developers should immediately upgrade to Struts 2.3.14.3 or later.
Apache Struts2 S2-052 - Remote Code Execution
runzero-match
service["http.body"] matches "apache struts"Description
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads.
Impact
Remote code execution
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
Apache Struts2 S2-053 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"})Description
Apache Struts 2.1.x and 2.3.x with the Struts 1 plugin might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
Impact
Remote code execution
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
Apache Struts2 S2-053 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1 uses an unintentional expression in a Freemarker tag instead of string literals, which makes it susceptible to remote code execution attacks.
Impact
Remote code execution
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
Apache Struts2 S2-057 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts"Description
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn''t have value and action set and in same time, its upper package have no or wildcard namespace.
Impact
Remote code execution
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
Apache Superset - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1582430156" || service["http.body"] matches "(?i)apache superset"Description
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to sensitive information.
Remediation
Apply the latest security patches or upgrade to a patched version of Apache Superset.
Apache Superset - Default Login
Author: theamanrawatAdded: Apr 23, 2026
runzero-match
(any(each(service["html.titles"]), {# matches "(?i)Superset"}) && service["http.body"] contains `alt="Superset"`) || service["favicon.ico.image.mmh3"] == "1582430156"Description
Apache Superset instance discovered using weak default credentials, allows the attacker to gain admin privilege.
Apache Superset Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1582430156" || service["http.body"] matches "(?i)apache superset"Description
Apache Superset login panel was detected.
Apache Tika - XML External Entity Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Tika"})Description
Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (1.13-1.28.5) contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input.
Impact
Attackers can exploit XXE to read local files or cause denial of service, potentially exposing sensitive information or disrupting service.
Remediation
Upgrade tika-core to \u003E= 3.2.2 and ensure tika-pdf-module and tika-parsers are updated to latest versions.
Apache Tomcat - Default Login Discovery
runzero-match
service["http.head.server"] contains "Apache Tomcat"Description
Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 default login credentials were successful.
Apache Tomcat - HTTP Request Smuggling
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Tomcat"})Description
Apache Tomcat from versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation caused by incorrect parsing of HTTP trailer headers, letting attackers craft headers to cause request smuggling, exploit requires sending malicious trailer headers.
Impact
Attackers can perform request smuggling, potentially leading to cache poisoning, session hijacking, or bypassing security controls.
Remediation
Upgrade to version 11.0.0-M12, 10.1.14, 9.0.81, or 8.5.94 or later.
Apache Tomcat - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "Apache Tomcat"})Description
Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input.
Impact
An attacker can redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Upgrade to Apache Tomcat version 9.0.12 or later, or apply the relevant patch provided by the Apache Software Foundation.
Apache Tomcat JK Connect <=1.2.44 - Manager Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Tomcat"})Description
Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 allows specially constructed requests to expose application functionality through the reverse proxy. It is also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
Impact
Unauthenticated attackers can gain unauthorized access to the Apache Tomcat Manager interface, potentially leading to further compromise of the server.
Remediation
Upgrade to a patched version of Apache Tomcat JK Connect (1.2.45 or higher) or apply the recommended security patches.
Apache Tomcat Manager Default Login
Author: pdteam,sinKettu,nybble04Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Apache Tomcat"})Description
Apache Tomcat Manager default login credentials were discovered.
Apache Tomcat Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache tomcat"}) || service["http.body"] matches "(?i)apache tomcat"Description
Apache Tomcat Manager login panel was detected.
Apache Tomcat Remote Command Execution
runzero-match
service["http.body"] matches "(?i)apache tomcat" || any(each(service["html.titles"]), {# matches "(?i)apache tomcat"})Description
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if
a) an attacker is able to control the contents and name of a file on the server; and
b) the server is configured to use the PersistenceManager with a FileStore; and
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
Note that all of conditions a) to d) must be true for the attack to succeed.
Impact
Successful exploitation of this vulnerability can lead to remote code execution, allowing attackers to execute arbitrary commands on the affected system.
Remediation
Apply the latest security patches provided by Apache to mitigate this vulnerability.
Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)apache tomcat"Description
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https-//codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https-//web.archive.org/web/20161228144344/https-//blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Impact
Attackers can execute arbitrary system commands on Windows systems when CGI Servlet is enabled with enableCmdLineArguments, leading to complete server compromise.
Remediation
Upgrade to Tomcat 9.0.18, 8.5.40, 7.0.94 or later, and ensure enableCmdLineArguments is disabled.
Apache Unomi - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Apache Unomi"})Description
Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process, enabling attackers to execute arbitrary code.
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the Java process, potentially leading to complete system compromise.
Remediation
Update Apache Unomi to version 1.5.2 or later. Disable OGNL scripting in conditions if not required.
Apache `mod_proxy_cluster` Cluster Manager Interface - Exposure
Author: oleveloperAdded: Oct 10, 2025
runzero-match
service["http.body"] contains "Mod_cluster Status" || service["http.body"] contains "mod_proxy_cluster"Description
The Apache mod_proxy_cluster management interface provides administrative control and visibility into the load balancer’s nodes and contexts.
Apereo CAS Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)'CAS - Central Authentication Service'"})Description
Apereo CAS through 6.4.1 allows cross-site scripting via POST requests sent to the REST API endpoints.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, data theft, or defacement.
Remediation
Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
Aperio eSlideManager - Panel
Author: Th3l0newolfAdded: May 12, 2025
runzero-match
service["http.body"] matches "(?i)eSlideManager - Login"Description
Aperio eSlideManager Login Panel was discovered.
Apigee Login Panel - Detect
Author: righettodAdded: Feb 12, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-839356603"Description
Apigee login panel was detected.
Apollo Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "11794165"Description
An Apollo default login was discovered.
Appium Desktop Server - Remote Code Execution
runzero-match
service["product"] matches "(?i)appium.desktop"Description
OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4.
Impact
Unauthenticated attackers can exploit OS command injection through the url parameter to execute arbitrary system commands and completely compromise Appium Desktop Server installations.
Remediation
Fixed in v1.22.3-4
Application Management Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)amp - application management panel"})Description
Application Management Panel was detected.
Appsmith User Login - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)appsmith"})Description
Appsmith user login panel was detected.
Appspace 6.2.4 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Appspace"})Description
Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
Remediation
Upgrade to a patched version of Appspace 6.2.4 or apply the necessary security patches provided by the vendor.
Appspace Login Panel - Detect
Author: ritikchaddhaAdded: Jul 25, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)appspace"})Description
Appspace is the workplace experience platform for your whole team that lets you manage it all – from employee communications to your physical office spaces.
Appsuite Login Panel - Detect
Author: DhiyaneshDKAdded: Nov 7, 2023
runzero-match
service["http.body"] matches "(?i)appsuite"Appwrite <=1.2.1 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Sign In - Appwrite"})Description
Appwrite through 1.2.1 is susceptible to server-side request forgery via the component /v1/avatars/favicon. An attacker can potentially access network resources and sensitive information via a crafted GET request, thereby also making it possible to modify data and/or execute unauthorized administrative operations in the context of the affected site.
Impact
This vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further exploitation of the server.
Remediation
Upgrade Appwrite to a version higher than 1.2.1 to mitigate the SSRF vulnerability.
Appwrite Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in - appwrite"}) || service["favicon.ico.image.mmh3"] == "-633108100"Description
Appwrite login panel was detected.
Aptus Login - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aptus Login"})Description
Aptus login panel was detected.
Aqua Enterprise - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aqua Enterprise"})Description
Aqua Enterprise panel was detected.
Aquatronica Controller System <= 5.1.6 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)aquatronica"Description
Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit requires no authentication.
Impact
Unauthenticated attackers can retrieve sensitive configuration data including plaintext credentials through the tcp.php endpoint, potentially gaining full administrative access to the controller system.
Remediation
Upgrade to Aquatronica Controller System firmware version 5.1.7 or later and web interface version 2.1 or later that implements proper authentication controls.
ArangoDB Web Interface - Detect
Author: pussycat0xAdded: Jul 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)arangodb web interface"})Description
ArangoDB Web Interface was detected.
ArcGIS REST Services Directory - Detect
Author: HeeresSAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)arcgis"})Description
Check for the existence of the "/arcgis/rest/services" path on an ArcGIS server.
ArcServe Panel - Detect
Author: DhiyaneshDkAdded: Jun 29, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1889244460"Arcane <= 1.17.2 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "arcane"Description
Arcane <= 1.17.3 contains an unauthenticated server-side request forgery caused by lack of URL scheme and host validation in /api/templates/fetch endpoint, letting remote attackers perform SSRF, exploit requires no authentication.
Impact
Remote attackers can make the server perform arbitrary HTTP requests, potentially accessing internal resources or sensitive data.
Remediation
Upgrade to version 1.17.3 or later.
Arcane Login Panel - Detect
Author: KazgangapAdded: Mar 24, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "-313371739"Description
Detects the presence of the Arcane login panel, a modern Docker management platform.
Archibus Web Central Login - Panel Detect
runzero-match
service["favicon.ico.image.mmh3"] == "889652940"Description
Archibus Web Central login panel was detected.
Arcserve UDP <= 9.0.6034 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1889244460"Description
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
Impact
Unauthenticated attackers can bypass authentication by leaking the AuthUUID token, allowing them to execute any administrative task and potentially compromise all backup data managed by Arcserve UDP.
Remediation
Upgrade to Arcserve UDP version 9.1 or later that addresses this authentication bypass vulnerability.
Arcserve Unified Data Protection - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1015186617"Description
An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
Impact
Attackers can bypass authentication, gaining unauthorized access to the system.
Remediation
Update to the latest version of Arcserve Unified Data Protection or apply security patches provided by the vendor.
Argilla Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Argilla"})Description
Argilla is an open-source data labelling platform for AI and LLM fine-tuning workflows.
It provides a web interface for annotating datasets used in machine learning model training.
Argo CD Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Argo CD"})Description
An Argo CD login panel was discovered.
Argo CD Unauthenticated Access to sensitive setting
runzero-match
service["http.body"] matches "(?i)Argo CD"Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern.
Impact
Unauthenticated attackers can access sensitive password patterns and application settings exposed by the /api/v1/settings endpoint.
Remediation
Update Argo CD to a version that patches CVE-2024-37152.
Aria2 WebUI - Path traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aria2 webui"})Description
webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability.
Impact
An attacker can access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.
Remediation
Upgrade to the latest version of Aria2 WebUI to fix the path traversal vulnerability.
Arize Phoenix - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)Arize Phoenix`Description
Arize Phoenix is an open-source AI observability and evaluation platform for monitoring,
debugging, and evaluating LLM applications.
Artica Pandora FMS 7.44 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pandora fms"})Description
Artica Pandora FMS 7.44 allows remote command execution via the events feature.
Impact
Unauthenticated attackers can execute arbitrary system commands via the events feature, leading to complete server compromise and access to all monitoring data.
Remediation
Upgrade to Pandora FMS version 7.45 or later, or apply vendor-provided security patches.
Artica Pandora FMS <=7.42 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pandora fms"})Description
Artica Pandora FMS through 7.42 is susceptible to arbitrary file read. An attacker can read the chat history, which is in JSON format and contains user names, user IDs, private messages, and timestamps. This can potentially lead to unauthorized data modification and other operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially leading to further compromise of the system.
Remediation
Upgrade Artica Pandora FMS to version 7.43 or later to mitigate this vulnerability.
Artica Proxy - Unauthenticated LFI
runzero-match
service["http.body"] matches "(?i)artica"Description
The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user.
Impact
Unauthenticated attackers can read arbitrary files on the server including configuration files with credentials and other sensitive data.
Remediation
Update Artica Proxy to a version newer than 4.50.
Artica Proxy 4.30.000000 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)Artica"Description
Artica Proxy 4.30.000000 contains a cross-site scripting vulnerability via the password parameter in /fw.login.php.
Impact
Attackers can inject malicious JavaScript through the password parameter in the Artica Proxy login page that reflects back to users, potentially stealing credentials or session tokens when victims submit the login form.
Remediation
Upgrade to a patched version of Artica Proxy or apply the vendor-supplied patch to mitigate the vulnerability.
Artica Proxy Community Edition <4.30.000000 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)artica"Description
Artica Proxy Community Edition before 4.30.000000 is vulnerable to local file inclusion via the fw.progrss.details.php popup parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system.
Remediation
Upgrade to Artica Proxy Community Edition version 4.30.000000 or later to fix the Local File Inclusion vulnerability.
Aruba Instant - Default Login
Author: SleepingBag945Added: Sep 8, 2023
runzero-match
service["http.body"] matches "(?i)jscripts/third_party/raphael-treemap\\.min\\.js"Description
Aruba Instant is an AP device. The device has a default password, and attackers can control the entire platform through the default password admin/admin vulnerability, and use administrator privileges to operate core functions.
AstrBot - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AstrBot"})Description
AstrBot contains a default login vulnerability. An attacker can access the AstrBot dashboard using default credentials and gain control over the chatbot framework, modify configurations, manage LLM providers, and execute unauthorized operations.
AstrBot WebUI Login Panel - Detect
Author: theamanrawatAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AstrBot"})Description
Astrbot WebUI login panel was detected.
Astro - Broken Access Control
Author: zhero___,DhiyaneshDKAdded: Nov 23, 2025
runzero-match
service["http.body"] matches "_astro"Description
Astro 2.16.0 to 5.15.5 contains a broken access control caused by insecure use of unsanitized x-forwarded-proto and x-forwarded-port headers in URL building, letting attackers bypass middleware protection, cause DoS, SSRF, and URL pollution, exploit requires crafted headers.
Impact
Attackers can bypass route protection, cause denial of service, perform SSRF, and pollute URLs leading to security bypasses and potential XSS.
Remediation
Update to version 5.15.5 or later.
Astro - Information Disclosure
runzero-match
service["http.body"] matches "(?i)astro"Description
Astro versions v5.0.3 through v5.0.7 and Astro v4.16.17 or older with sourcemaps enabled contain a source code disclosure caused by sourcemap files being publicly accessible in the build output folder, letting unauthenticated users read server source code, exploit requires sourcemaps to be enabled.
Impact
Unauthenticated users can access server source code, potentially leading to discovery of further vulnerabilities or sensitive information.
Remediation
Update Astro to version 5.0.8 or later for server-output projects, and to 5.0.9 or later (or 4.16.18 for Astro v4) for static-output projects with sourcemaps enabled.
Astro - Reflected XSS via server islands feature
runzero-match
service["http.body"] matches "(?i)_server-islands"Description
Astro 5.15.8 contains a reflected XSS caused by improper handling of server islands feature, letting remote attackers execute scripts, exploit requires use of server islands in the application.
Impact
Remote attackers can execute scripts in users' browsers, potentially leading to session hijacking or data theft.
Remediation
Update to version 5.15.8 or later.
Astro - Unauthorized Third-Party Image Access
runzero-match
service["http.body"] matches "astro"Description
Astro < 5.13.2 and < 4.16.18 contains an information disclosure vulnerability caused by improper validation of protocol-relative URLs in the image optimization endpoint, letting attackers serve images from unauthorized third-party domains, exploit requires on-demand rendering deployment.
Impact
Attackers can serve images from unauthorized third-party domains, potentially leading to information disclosure or content spoofing.
Remediation
Update to versions 5.13.2 or 4.16.18 or later.
Astro SSR - Open Redirect
runzero-match
service["product"] matches "(?i)Astro"Description
Astro 5.2.0 through 5.12.7 contains an open redirect caused by improper handling of paths with double slashes in trailing slash redirection logic, letting attackers redirect users to arbitrary external domains, exploit requires on-demand SSR with Node or Cloudflare adapters.
Impact
Attackers can redirect users to malicious sites, increasing phishing and social engineering risks.
Remediation
Upgrade to version 5.12.8 or later; alternatively, block outgoing redirects with Location headers starting with // at the network level.
Astro SSR - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)Astro"Description
Astro before 5.17.3 and @astrojs/node before 9.5.4 are vulnerable to full-read SSRF due to improper Host header validation in error page rendering, allowing attackers to redirect requests and access internal resources.
Impact
Full-read SSRF allowing access to internal services, cloud metadata endpoints (AWS/GCP/Azure IMDS), environment files, and any host reachable from the server.
Remediation
Upgrade to astro >= 5.17.3 or @astrojs/node >= 9.5.4. The fix reads prerendered error files directly from disk and validates the Host: header the same way X-Forwarded-Host was already validated.
Atarim < 4.2.2 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)atarim"Description
Vito Peleg Atarim <= 4.2 contains an insertion of sensitive information into sent data vulnerability caused by improper handling of embedded sensitive data, letting attackers retrieve embedded sensitive data remotely, exploit requires no special privileges.
Impact
Attackers can retrieve embedded sensitive data, potentially leading to information disclosure.
Remediation
Update to the latest version beyond 4.2.
Atlantis Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1706783005"Description
Atlantis panel was detected.
Atlassian Bamboo Login Panel - Detect
Author: righettodAdded: Mar 10, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Bamboo"})Description
Atlassian Bamboo login panel was detected.
Atlassian Confluence < 5.8.6 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)Atlassian.Confluence"Description
Confluence Server and Data Center before 5.8.6 contain a blind server-side request forgery caused by the WidgetConnector plugin, letting remote attackers manipulate internal network resources, exploit requires network access to the server.
Impact
Authenticated attackers can manipulate internal network resources via SSRF, potentially accessing sensitive internal services or data.
Remediation
Upgrade to Confluence Server version 5.8.6 or later.
Atlassian Confluence End-of-Life - Detect
Author: Shivam KambojAdded: Mar 15, 2026
runzero-match
service["product"] contains "Atlassian:Confluence"Description
Detected Atlassian Confluence instances versions that have reached End-of-Life (EOL) and no longer receive security updates.
Atlassian Confluence XSLT Macro - Server-Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "-305179312"Description
Atlassian Confluence Data Center and Server include an XSLT macro feature that may be vulnerable to Server-Side Request Forgery (SSRF). By leveraging the ability of the XSLT macro to access external resources, attackers can potentially cause the server to make HTTP requests to arbitrary URLs. This can allow internal network scanning, access to sensitive systems, or exposure of internal information.
Atlassian Jira IconURIServlet - Cross-Site Scripting/Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)Atlassian.Jira"Description
The Atlassian Jira IconUriServlet of the OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 contains a cross-site scripting vulnerability which allows remote attackers to access the content of internal network resources and/or perform an attack via Server Side Request Forgery.
Impact
Successful exploitation of these vulnerabilities could lead to unauthorized access, data theft, and potential server-side attacks.
Remediation
Apply the latest security patches provided by Atlassian to mitigate these vulnerabilities.
Atlassian Jira Server-Side Template Injection
runzero-match
any(each(service["html.titles"]), {# matches `(?i)^system\s+dashboard\s+-\s+`}) || service["favicon.ico.image.md5"] matches `(?i)^(1391664373e72311a656c4a5504682af|88717398db158e3330ce94fc1784e4a7|04d89d5b7a290334f5ce37c7e8b6a349|08aa365c2d0863df2735d386f77c22c2)$`Description
Jira Server and Data Center is susceptible to a server-side template injection vulnerability via the ContactAdministrators and SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
Impact
Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Apply the necessary security patches or upgrade to a fixed version provided by Atlassian to mitigate this vulnerability.
Atlassian Questions For Confluence - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)confluence"}) || service["favicon.ico.image.md5"] matches `(?i)^(bad2c1f96cd66e70b4aa119e7270cc62|966e60f8eb85b7ea43a7b0095f3e2336)$`Description
Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Confluence instance.
Remediation
Update the Atlassian Questions For Confluence plugin to the latest version, which removes the hardcoded credentials.
Atom.CMS 2.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)atomcms"Description
Atom.CMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_uploads.php which allows an attacker to execute arbitrary SQL commands.
Impact
Successful exploitation could lead to unauthorized access, data leakage, and potential data manipulation.
Remediation
Apply the latest security patches provided by the vendor to mitigate the SQL Injection vulnerability in Atom.CMS 2.0.
AudioCodes 310HD, 320HD, 420HD, 430HD & 440HD - Default Login
runzero-match
service["http.head.server"] contains "AudioCodes Web Server"Description
AudioCodes devices 310HD, 320HD, 420HD, 430HD & 440HD contain a default login vulnerability. Default login credentials were discovered. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
AudioCodes Device Manager Express - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)audiocodes"})Description
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form.
Impact
Unauthenticated attackers can exploit SQL injection in the login form to bypass authentication, extract sensitive VoIP configuration data, and potentially gain administrative access to the AudioCodes Device Manager system.
Remediation
Update AudioCodes Device Manager Express to a version newer than 7.8.20002.47752 that uses parameterized queries and properly validates input.
AudioCodes Login - Panel Detect
runzero-match
service["http.body"] matches "(?i)Audiocodes"Description
AudioCodes login panel was detected.
Audiobookshelf Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Audiobookshelf"})Aurelia-Path < 1.1.7 - Prototype Pollution
runzero-match
service["product"] contains "Blue Spire:Aurelia"Description
Aurelia-path before 1.1.7 contains a prototype pollution caused by parsing malicious URL parameters, letting attackers modify Object.prototype, exploit requires the application to parse user-controlled URLs.
Impact
Update to version 1.1.7 or later.
Remediation
Aurelia-path parseQueryString function was found vulnerable to prototype pollution via crafted __proto__ URL parameters.
Authelia Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login - Authelia"})Description
Authelia is an open-source authentication and authorisation service providing two-factor authentication and single sign-on (SSO) for applications via a web portal.
Authentik Panel - Detect
Author: rxeriumAdded: Sep 9, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-178113786"Description
An Authentik search engine was detected.
AutoSet Page - Detect
Author: MaStErChoAdded: Dec 31, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AutoSet"})Automation Anywhere Automation 360 - Server-Side Request Forgery
Author: DhiyaneshDKAdded: Jul 27, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1005691603"Description
Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component.
Impact
An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) can trigger arbitrary web requests from the server.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Automation By Autonami < 3.3.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/wp-marketing-automations/"Description
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.
Impact
Unauthenticated attackers can exploit time-based SQL injection through the bwfan-track-id parameter to extract sensitive database information including user credentials, email addresses, WooCommerce customer data, and marketing automation information.
Remediation
Fixed in 3.3.0
Automatisch Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Automatisch"})Description
The open source Zapier alternative.
Autonomy Ultraseek - Open Redirect
runzero-match
service["product"] matches "(?i)autonomy.ultraseek"Description
Open redirect vulnerability in cs.html in the Autonomy (formerly Verity) Ultraseek search engine allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.
Impact
An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks.
Remediation
Apply the vendor-supplied patch or upgrade to a newer version of Autonomy Ultraseek that addresses the open redirect vulnerability.
AvantFAX Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)avantfax - login"})Description
An AvantFAX login panel was discovered.
Avatier Password Management Panel
runzero-match
service["favicon.ico.image.mmh3"] == "983734701"Description
An Avatier password management panel was detected.
Avaya Phone Web Interface - Default Login
runzero-match
service["http.body"] matches `(?i)Avaya J1\d9 Phone`Description
Avaya phone web interface contains a default login vulnerability. An attacker can obtain access to sensitive information, modify data, and/or execute unauthorized operations.
Aviatrix Cloud Controller Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aviatrix cloud controller"})Description
An Aviatrix Cloud Controller login panel was detected.
Aviatrix Controller - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "aviatrix controller"})Description
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Impact
Attackers can exploit vulnerabilities to compromise the system.
Remediation
Update to the latest patched version addressing CVE-2024-50603.
Avigilon Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - avigilon control center"})Description
Avigilon login panel was detected.
Avtech AVN801 Network Camera Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches `(?i):::\s+login\s+:::`})Description
An Avtech AVN801 Network Camera administration panel was detected.
Axel WebServer - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Axel"})Description
Axel WebServer panel was detected.
Axigen Web Admin Detection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Axigen\u00a0WebAdmin"})Description
An Axigen Web Admin panel was discovered.
Axigen WebMail PanelDetection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Axigen WebMail"})Description
An Axigen webmail panel was discovered.
Axway API Manager Panel - Detect
Author: johnk3r,righettodAdded: May 25, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Axway API Manager Login"})Description
Axway API Manager panel was detected.
Axway SecureTransport Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securetransport"}) || any(each(service["html.titles"]), {# matches "(?i)st web client"})Description
AXWAY SecureTransport login panel was detected.
Axway SecureTransport Web Client Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)st web client"}) || any(each(service["html.titles"]), {# matches "(?i)securetransport"})Description
AXWAY Secure Transport Web Client panel was detected.
Axxon Next Client Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)axxon next client"})Description
Axxon One is a limitlessly scalable video management software
Azkaban Web Client
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Azkaban Web Client"})Description
An Azkaban web client panel was discovered.
Azkaban Web Client Default Credential
runzero-match
any(each(service["html.titles"]), {# matches "Azkaban Web Client"})Description
Azkaban is a batch workflow job scheduler created at LinkedIn to run Hadoop jobs. Default web client credentials were discovered.
BEdita Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)bedita"})Description
BEdita login panel was detected.
BJ Lazy Load (Timthumb) <= 0.7.5 - Remote File Inclusion
runzero-match
service["http.body"] matches "/wp-content/plugins/bj-lazy-load"Description
The BJ Lazy Load plugin v0.7.5 for WordPress has a Remote File Inclusion vulnerability via TimThumb.
Impact
Attackers can include and execute remote malicious files, potentially leading to remote code execution and complete site compromise.
Remediation
Fixed in 1.0
BMC Control-M MFT Login Panel - Detect
Author: righettodAdded: Apr 17, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)File Exchange"})Description
BMC Control-M MFT products was detected.
BMC Discovery Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)BMC Software"})Description
BMC Discovery login panel was detected.
BMC FootPrints 'feedUrl' - Server-Side Request Forgery
runzero-match
service["http.body"] matches "/footprints/servicedesk/"Description
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/externalfeed/RSS endpoint. The 'feedUrl' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
Impact
Authenticated attackers can make the server send arbitrary outbound requests, potentially interacting with internal services or causing denial of service.
Remediation
Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
BMC FootPrints 'searchWeb' - Server-Side Request Forgery
runzero-match
service["http.body"] matches "BMC Software"Description
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/import/searchWeb endpoint. The 'url' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
Impact
Authenticated attackers can cause the server to make arbitrary outbound requests, potentially impacting system availability and internal network security.
Remediation
Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
BMC FootPrints - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/footprints/servicedesk/"Description
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).
Impact
Unauthenticated attackers can bypass access controls to access and modify application data and system resources.
Remediation
Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
BMC Remedy SSO Login Panel - Detect
Author: righettodAdded: Apr 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)BMC Remedy Single Sign-On domain data entry"})Description
BMC Remedy Single Sign-On domain data entry login panel was detected.
Babel - Open Redirect
runzero-match
service["product"] matches "(?i)cmsmadesimple.bable"Description
Babel contains an open redirect vulnerability via redirect.php in the newurl parameter. An attacker can use any legitimate site using Babel to redirect user to a malicious site, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks.
Remediation
Upgrade to Babel version 7.4.0 or later to mitigate this vulnerability.
Barco ClickShare - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
service["http.head.setCookie"] contains "ClickShareSession"Description
Barco ClickShare contains a default login vulnerability. Default login password 'admin' was found.
Barco/AWIND OEM Presentation Platform - Remote Command Injection
runzero-match
service["product"] matches "(?i)crestron.am.firmware"Description
The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
Impact
Successful exploitation of this vulnerability could lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
Barracuda Message Archiver - Panel Detect
Author: inokiiAdded: Sep 15, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1436966696" || any([service["http.body"], service["last.http.body"]], {# matches "/css/archiver.css"})Description
Barracuda Networks Barracuda Message Archiver (BMA) panel was detected.
Baserow Login - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches `^Login \/\/ Baserow`})Description
Baserow login interface was discovered.
Batflat CMS - Default Login
Author: r3Y3r53Added: Oct 17, 2023
runzero-match
service["http.body"] contains "Powered by Batflat"Description
Batflat CMS is vulnerable to default login vulnerability that most commonly affects devices having some pre-set (default) administrative credentials to access all configuration settings.
Bazarr < 1.4.3 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Bazarr"})Description
Bazarr 1.4.3 and earlier versions have a arbitrary file read vulnerability.
Impact
Unauthenticated attackers can read arbitrary files from the Bazarr server via path traversal.
Remediation
Update Bazarr to version 1.4.4 or later.
Beckhoff TwinCAT HMI Server - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)TwinCAT" && service["http.body"] matches "(?i)Beckhoff"Description
Beckhoff TwinCAT HMI (Human Machine Interface) Server is part of the TwinCAT
industrial automation platform used in manufacturing, robotics, and process
automation. It exposes a web-based HMI accessible via browser for monitoring
and controlling PLC-driven systems.
Beego Admin Dashboard Panel- Detect
runzero-match
service["http.body"] matches "(?i)beego admin dashboard"Description
Beego Admin Dashboard panel was detected.
Belkin Linksys RE6500 <1.0.012.001 - Remote Command Execution
runzero-match
service["product"] matches "(?i)linksys.re6500.firmware"Description
Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.
Remediation
Update the Belkin Linksys RE6500 firmware to version 1.0.012.001 or later.
BentoML v1.3.9 - Open Redirect
Author: DhiyaneshDKAdded: Jan 22, 2025
runzero-match
service["http.body"] matches "BentoML"Description
An open redirect vulnerability exists in BentoML v1.3.9, where the file parameter in the /ui/gradio_api/file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs.
Impact
Unauthenticated attackers can redirect users to malicious URLs via the file parameter, facilitating phishing attacks.
Remediation
Update BentoML to a version newer than v1.3.9.
Bentoml - Server Side Request Forgery
runzero-match
service["http.body"] matches "BentoML"Description
BentoML's upload file request is vulnerable to SSRF that allowing attacker to access internal service (local network).
Beszel Login Panel - Detect
Author: righettodAdded: Mar 1, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)beszel"})Description
Beszel products was detected.
Beszel Unfinished Installation
Author: 0x_AkokoAdded: Jan 20, 2026
runzero-match
service["http.body"] matches "(?i)globalThis\\.BESZEL"Description
Detected Beszel server monitoring hub had an unfinished installation with no admin account configured, allowing attackers to create an admin account and gain full control.
Better Search Replace < 1.4.5 - PHP Object Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/better-search-replace/"Description
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Impact
Attackers can execute arbitrary code, delete files, or retrieve sensitive data on the server.
Remediation
Update to the latest version of the plugin, version 1.4.5 or later.
BeyondTrust Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)BeyondInsight"Description
BeyondTrust login panel was detected.
BeyondTrust Privileged Remote Access - Panel
Author: righettodAdded: Apr 10, 2024
runzero-match
service["http.body"] matches "(?i)BeyondTrust Privileged Remote Access Login"Description
BeyondTrust Privileged Remote Access login panel was detected.
BeyondTrust Remote Support Panel - Detect
Author: darsesAdded: Jun 21, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-694003434"Description
Detect BeyondTrust Remote Support Panel.
BigAnt - Default Password
runzero-match
any(each(service["html.titles"]), {# matches "BigAnt"})Description
Misconfiguratoin leads to Default Login into BigAnt Super Admin Account.
BigAnt Admin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)BigAnt Admin"Description
BigAnt admin login panel was detected.
BigAnt Server 5.6.06 - Improper Access Control
runzero-match
service["http.body"] matches "(?i)bigant"Description
BigAnt Server 5.6.06 is susceptible to improper access control. The software utililizes weak password hashes. An attacker can craft a password hash and thereby possibly possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Unauthenticated attackers can access the ms_admin.php file containing weak password hashes for administrative accounts, potentially facilitating password cracking and unauthorized access.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the access control issue.
BigAnt Server v5.6.06 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)BigAnt"Description
BigAnt Server v5.6.06 is vulnerable to local file inclusion.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the server.
Remediation
Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in BigAnt Server v5.6.06.
BioTime Web Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)BioTime"})Description
BioTime Web login panel was detected.
Bitbucket Panel - Detect
Author: Shivam KambojAdded: Dec 27, 2025
runzero-match
service["product"] contains "Atlassian:Bitbucket"Description
Bitbucket panel was detected. Bitbucket is a Git-based source code repository hosting service owned by Atlassian, providing CI/CD and collaboration features.
Bitdefender GravityZone Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)bitdefender gravityzone"})Description
Bitdefender GravityZone panel was detected.
Bitrix Component - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/bitrix/"Description
Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.
Impact
Unauthenticated attackers can inject malicious JavaScript and potentially execute arbitrary PHP code if the victim has administrator privileges, compromising the entire Bitrix24 collaboration platform and accessing sensitive business data.
Remediation
Update Bitrix24 to a version newer than 22.0.300 that properly initializes variables and sanitizes input in the bitrix/modules/main/tools.php component.
Bitrix Login Panel
runzero-match
service["http.body"] matches "(?i)/bitrix/"Description
Bitrix24 is a unified work space that places a complete set of business tools into a single, intuitive interface.
Bitrix Path Disclosure
Author: DhiyaneshDkAdded: Dec 26, 2025
runzero-match
service["http.body"] matches "(?i)/bitrix/"Description
Detected Full Path Disclosure (FPD) in Bitrix by sending requests request to specific paths and identifying fatal error stack traces that leaked absolute filesystem paths.
Bitrix Site Manager - Log File Disclosure
runzero-match
service["http.body"] matches "(?i)bitrix"Description
Detected Bitrix Site Manager log files, potentially exposing sensitive information including database credentials, file paths, SQL queries, and user session data.
Bitrix24 <=20.0.0 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/bitrix/"Description
The Web Application Firewall in Bitrix24 up to and including 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade to a patched version of Bitrix24 (version >20.0.0) to mitigate this vulnerability.
Bitwarden Web Vault Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)bitwarden web vault"})Black Duck Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Black Duck"})Description
Black Duck login panel was detected.
Blink Router - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "B-LINK"})Description
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via the bs_SetSSIDHide function.
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the enable parameter in the set_hidessid_cfg endpoint, achieving complete device compromise.
Remediation
Upgrade Blink router firmware to the latest version that properly sanitizes command parameters.
Blinko - Login Panel Detection
Author: 0x_AkokoAdded: May 11, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Blinko"})Description
Detected A Blinko self-hosted personal note application login panel.
BlogEngine CMS - Open Redirect
runzero-match
service["http.body"] matches "blogengine\\.net"Description
Blogengine.net 3.3.8.0 and earlier is vulnerable to Open Redirect
Impact
Unauthenticated attackers can exploit open redirect through the years parameter to redirect users to malicious websites for phishing attacks.
Remediation
Update to the latest version of blogengine.net CMS to fix the open redirect vulnerability.
Blue Iris Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Blue Iris Login"})Description
Blue Iris login panel was detected.
Blue Yonder Panel - Detect
runzero-match
service["http.body"] matches "(?i)title=\\\\"Description
Blue Yonder login panel was discovered
Bluemind Panel - Detect
Author: TigibusAdded: Apr 30, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Welcome to BlueMind"})Description
Bluemind application panel was discovered.
Boa 0.94.13 - Information Disclosure
runzero-match
service["http.head.server"] matches "Boa/0.94.13"Description
Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. NOTE- multiple third parties report that this is a site-specific issue because those files are not part of Boa.
Impact
Unauthenticated attackers can access sensitive JavaScript files exposing logging functionality and potentially other configuration details.
Remediation
Update Boa web server to a version newer than 0.94.13 or apply vendor security patches.
Bonita - Default Login
Author: DhiyaneshDkAdded: Sep 17, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1197926023"Description
Bonita login was using default credentials which can led to gain super administrator access.
Bonita Portal Login - Detect
Author: DhiyaneshDKAdded: Sep 17, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1197926023"Description
Detects the presence of Bonita Portal login page.
Bonobo Git Server Login Panel - Detect
Author: bhutchAdded: Apr 23, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-219625874"Description
Bonobo Git Server login panel was detected.
BookStack Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)bookstack"})Description
Bookstack login panel was detected.
Bootstrap Multiselect <= 1.1.2 - Cross-Site Scripting
Author: r3naissanceAdded: May 6, 2025
runzero-match
service["http.body"] matches "(?i)bootstrap-multiselect"Description
A PHP script in the source code release echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
Remediation
Only use the necessary components (css/js) in production applications
Botpress Admin Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)@botpress/ui-admin"Description
Botpress admin panel was detected. Botpress is an open-source conversational AI platform for building chatbots and virtual assistants.
Breeze <= 2.4.4 - Arbitrary File Upload
runzero-match
service["http.body"] matches "/wp-content/plugins/breeze/"Description
Breeze Cache WordPress plugin <= 2.4.4 contains an unrestricted file upload vulnerability caused by missing file type validation in 'fetch_gravatar_from_remote' function, letting unauthenticated attackers upload arbitrary files, exploit requires 'Host Files Locally - Gravatars' enabled.
Impact
Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.
Remediation
Update to the latest version where this vulnerability is fixed.
Brickcom Camera - Default Login
Author: 0x_AkokoAdded: Mar 18, 2026
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="Brickcom'})Description
Detected Brickcom IP cameras accessible using default credentials (admin/admin). Successful authentication exposed full camera configuration, live video streams, LED control, and network settings to remote attackers.
Brickcom Camera - Unauthenticated Snapshot Access
Author: 0xr2rAdded: Mar 17, 2026
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="Brickcom'})Description
Detected Brickcom IP cameras was exposed live camera snapshots without authentication via the ONVIF media endpoint.
Brother MFC-L9570CDW - Information Disclosure
runzero-match
service["http.body"] matches "(?i)MFC-L9570CDW"Description
An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mnt_info.csv can be accessed via a GET request and no authentication is required. The returned result is a comma separated value (CSV) table of information. The leaked information includes the device’s model, firmware version, IP address, and serial number.
Impact
Attackers can exploit this vulnerability to compromise system security.
Remediation
Apply security patches to address CVE-2024-51977.
Browser Configuration "browserconfig.xml" Exposure
Author: DhiyaneshDkAdded: Dec 10, 2025
runzero-match
service["http.body"] matches "(?i)browserconfig\\.xml"Description
Browser Configuration "browserconfig.xml" File was exposed.
Buddy Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-850502287"Description
Buddy panel was detected.
BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
runzero-match
service["product"] matches "(?i)buddypress"Description
WordPress BuddyPress before version 7.2.1 is susceptible to a privilege escalation vulnerability that can be leveraged to perform remote code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information, escalate privileges, or execute arbitrary code on the affected system.
Remediation
This issue has been remediated in WordPress BuddyPress 7.2.1.
Budibase Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)budibase"})Description
Budibase login panel was detected.
Buffalo WSR-2533DHPL2 - Path Traversal
runzero-match
service["service.port"] == "9000" && any(each(service["html.titles"]), {# matches `(?i)^Redirecting...`})Description
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.
Impact
An attacker can exploit this vulnerability to read sensitive files, such as configuration files, credentials, or other sensitive information.
Remediation
Apply the latest firmware update provided by Buffalo to fix the path traversal vulnerability.
Buildbot Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)buildbot"})Description
Buildbot panel was detected.
Busybox Repository Browser - Detect
Author: ritikchaddhaAdded: May 28, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Busybox Repository Browser"})Description
Busybox Repository Browser was detected.
Bylancer Quicklancer 2.4 G - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1099370896"Description
A SQL injection vulnerability exists in the Quicklancer 2.4, GET parameter 'range2', that has time-based blind SQL injection and a boolean-based blind SQL injection, which can be exploited remotely by unauthenticated attacker to execute arbitrary SQL queries in the database.
Impact
Unauthenticated attackers can exploit time-based and boolean-based blind SQL injection to extract sensitive database information, modify data, and potentially compromise the entire Quicklancer application.
Remediation
Update Quicklancer to a version later than 2.4 G to address the SQL injection vulnerability in the range2 parameter.
Bynder Login Panel - Detect
Author: righettodAdded: Mar 14, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1017650009"Description
Bynder login panel was detected.
CAIMORE Gateway Default Login - Detect
Author: pussycat0xAdded: Aug 18, 2023
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# matches '(?i)realm="CaiMore Gateway'})Description
The gateway of Xiamen Caimao Communication Technology Co., Ltd. is designed with open software architecture. It is a metal shell design, with two Ethernet RJ45 interfaces, and an industrial design wireless gateway using 3G/4G/5G wide area network for Internet communication. There is a command execution vulnerability in the formping file of the gateway of Xiamen Caimao Communication Technology Co., Ltd. An attacker can use this vulnerability to arbitrarily execute code on the server side, write to the back door, obtain server permissions, and then control the entire web server.
CAREL Boss Mini - Login Panel Detected
Author: KazgangapAdded: Mar 5, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "1092427843"Description
CAREL Boss Mini login panel was detected. Boss Mini is a local supervisor solution by CAREL used for monitoring and managing HVAC/R systems in commercial facilities. Exposed panels may indicate misconfigured network segmentation.
CAREL Boss Mini <= 1.4.0 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1092427843"Description
Boss Mini 1.4.0 Build 6221 contains a file inclusion caused by manipulation of the 'path' argument in boss/servlet/document, letting remote attackers include arbitrary files, exploit requires remote access.
Impact
Remote attackers can include arbitrary files, potentially leading to remote code execution or full system compromise.
Remediation
Update to the latest version of Boss Mini or apply security patches provided by the vendor.
CAS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)'cas"})Description
CAS login panel was detected.
CData API Server < 23.4.8844 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CData - API Server"})Description
A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.
Impact
Unauthenticated attackers can exploit path traversal to gain complete administrative access to the CData API Server.
Remediation
Update CData API Server to version 23.4.8844 or later.
CData Arc < 23.4.8839 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CData Arc"})Description
A path traversal vulnerability exists in the Java version of CData Arc < 23.4.8839 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.
Impact
Unauthenticated attackers can access sensitive information and perform limited unauthorized actions via path traversal.
Remediation
Update CData Arc to version 23.4.8839 or later.
CData Connect < 23.4.8846 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CData Connect"})Description
A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.
Impact
Unauthenticated attackers can exploit path traversal to gain complete administrative access to CData Connect.
Remediation
Update CData Connect to version 23.4.8846 or later.
CData RSB Connect v22.0.8336 - Server Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "163538942"Description
CData RSB Connect v22.0.8336 was discovered to contain a Server-Side Request Forgery (SSRF).
Impact
Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the server, potentially leading to unauthorized access or data leakage.
Remediation
Apply the latest security patches or updates provided by CData to fix the SSRF vulnerability in RSB Connect v22.0.8336.
CData Sync < 23.4.8843 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CData Sync"})Description
A path traversal vulnerability exists in the Java version of CData Sync < 23.4.8843 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.
Impact
Unauthenticated attackers can access sensitive information and perform limited unauthorized actions via path traversal.
Remediation
Update CData Sync to version 23.4.8843 or later.
CERIO-DT Interface - Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DT-100G-N"})Description
CERIO DT series routers have an operation command injection vulnerability in specific versions. An attacker could exploit this vulnerability to execute commands.
CGIT - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)git repository browser"})Description
CGIT panel was detected.
CISCO Expressway Login Panel - Detect
Author: righettodAdded: Mar 16, 2024
runzero-match
service["http.body"] matches "(?i)Cisco Expressway"Description
CISCO Expressway login panel was detected.
CODESYS WebVisu - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)WEBVISU LOGIN"Description
CODESYS WebVisu is the web-based HMI (Human-Machine Interface) component of the
CODESYS industrial automation runtime. It provides browser-based access to PLC
visualizations and industrial control interfaces. Exposed instances may reveal
real-time process data and control functions without authentication.
CRM Perks Forms <= 1.1.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/crm-perks-forms/"Description
CRM Perks CRM Perks Forms (affected versions 1.1.4 and earlier) contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of CRM Perks Forms, version 1.1.5 or later.
CRMEB v.5.2.2 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CRMEB"})Description
SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
Impact
Attackers can execute SQL injection via the selectId parameter in getProductList to obtain sensitive database information.
Remediation
Update CRMEB to a version later than 5.2.2 that patches the SQL injection vulnerability.
CVAT Computer Vision Annotation Tool - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Computer Vision Annotation Tool"})Description
CVAT (Computer Vision Annotation Tool) was detected. CVAT is a widely used open-source annotation platform for labelling images, video, and 3D point clouds used to train AI/ML computer vision models.
Cachet <=2.3.18 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1606065523"Description
Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade Cachet to a version higher than 2.3.18 or apply the necessary patches provided by the vendor.
Cacti 1.2.24 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cacti"}) || service["favicon.ico.image.mmh3"] == "-1797138069" || any(each(service["html.titles"]), {# matches "(?i)login to cacti"})Description
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Cacti <=1.2.22 - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Login to Cacti"})Description
Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Upgrade Cacti to version 1.2.23 or later to mitigate this vulnerability.
Cacti Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1797138069" || any(each(service["html.titles"]), {# matches "(?i)login to cacti"}) || any(each(service["html.titles"]), {# matches "(?i)cacti"})Description
Cacti login panel was detected.
Cacti cmd_realtime.php - Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1797138069"Description
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP.
Impact
Authenticated attackers can inject and execute arbitrary commands on the Cacti server.
Remediation
Update Cacti to a version that patches the command injection vulnerability.
Cacti v1.2.8 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "login to cacti"})Description
Cacti v1.2.8 is susceptible to remote code execution. This vulnerability could be exploited without authentication if "Guest Realtime Graphs" privileges are enabled.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to a patched version of Cacti v1.2.9 or later to mitigate this vulnerability.
Caddy 2.4.6 - Open Redirect
runzero-match
service["http.head.server"] matches "caddy"Description
Caddy 2.4.6 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site via a crafted URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability could lead to phishing attacks, credential theft,.
Remediation
Upgrade Caddy to version 2.4.7 or later to mitigate the vulnerability.
Calibre <= 7.14.0 Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)Calibre"Description
Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.
Impact
Attackers can exploit the content server's export functionality to read arbitrary files from the system through path traversal.
Remediation
Update Calibre to version 7.15.0 or later to address the arbitrary file read vulnerability.
Calibre <= 7.14.0 Remote Code Execution
runzero-match
service["http.body"] matches "(?i)Calibre"Description
Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
Impact
Unauthenticated attackers can execute arbitrary Python code through the content server's template functionality, achieving complete system compromise.
Remediation
Update Calibre to version 7.15.0 or later to address the remote code execution vulnerability.
Camaleon CMS - Default Login
Author: DhiyaneshDKAdded: Sep 26, 2024
runzero-match
service["http.body"] matches "(?i)camaleon_cms"Description
Camaleon CMS default login credentials was discovered.
Camaleon CMS Login - Panel
Author: DhiyaneshDKAdded: Sep 26, 2024
runzero-match
service["http.body"] matches "(?i)camaleon_cms"Description
Camaleon CMS admin login panel was discovered.
Camunda - Default Login
runzero-match
service["http.body"] matches "Camunda Welcome"Description
Camunda login panel contains a default login vulnerability.
Canon Devices - Authentication Bypass in Catwalk Server
runzero-match
any(each(service["html.titles"]), {# matches "(?i)imageRUNNER"})Description
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
Impact
Unauthenticated attackers can modify email settings and redirect FAX and scan data to attacker-controlled email addresses when PIN protection is disabled, potentially intercepting sensitive business communications.
Remediation
Configure a PIN for General User Mode or apply Canon firmware updates that address this vulnerability.
Canon R-ADV C3325 - Default-Login
Author: ritikchaddhaAdded: Sep 20, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)c3325"})Canon iR-ADV Panel - Detect
Author: ritikchaddha,matejsmyckaAdded: Sep 9, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Canon iR-ADV"})Canopy 5.7GHz Access Point - Default Login
Author: defektiveAdded: May 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Welcome to Canopy"})Description
Cambium Networks / Motorola Canopy 5750AP ADVANTAGE Access Point 5.7GHz login credentials were discovered.
Canvas LMS v2020-07-29 - Blind Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)instructure.canvas.learning.management"Description
Canvas version 2020-07-29 is susceptible to blind server-side request forgery. An attacker can cause Canvas to perform HTTP GET requests to arbitrary domains and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
Remediation
Apply the latest security patches provided by Canvas LMS to mitigate the vulnerability.
Caprover - Default Login
Author: ritikchaddhaAdded: Jun 28, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "988422585"Description
Caprover defaultl login has been detected.
Car Rental Management System 1.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)car rental management system"Description
Car Rental Management System 1.0 allows an unauthenticated user to perform a file inclusion attack against the /index.php file with a partial filename in the "page" parameter, leading to code execution.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in the Car Rental Management System 1.0.
Car Rental Management System 1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)car rental management system"Description
Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/ajax.php?action=login. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential manipulation of the database.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Carel pCOWeb <B1.2.4 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)pCOWeb"Description
Carel pCOWeb prior to B1.2.4 is vulnerable to stored cross-site scripting, as demonstrated by the config/pw_snmp.html "System contact" field.
Impact
Allows attackers to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.
Remediation
Apply the latest patch or upgrade to a version that addresses the vulnerability.
CasaOS < 0.4.4 - Authentication Bypass via Internal IP
runzero-match
service["http.body"] matches "(?i)/casaos-ui/public/index\\.html"Description
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
Impact
Successful exploitation allows unauthorized access to the CasaOS system.
Remediation
The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.
CasaOS < 0.4.4 - Authentication Bypass via Random JWT Token
runzero-match
service["http.body"] matches "(?i)/casaos-ui/public/index\\.html"Description
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
Impact
Successful exploitation allows unauthorized access to the CasaOS system.
Remediation
The problem was addressed by improving the validation of JWTs in 705bf1f. This patch is part of CasaOS 0.4.4.
CasaOS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)CasaOS"Description
CasaOS login panel was detected.
Cascade CMS Panel - Detect
Author: righettodAdded: Nov 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cascade CMS"})Description
Cascade CMS was detected — a web content management system for managing stand-out websites.
Casdoor - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Casdoor"})Description
Detected Casdoor platform was found to have been using the default administrator credentials (admin:123). An attacker could have gained full administrative access to manage organizations, users, applications, and OAuth providers.
Casdoor 1.13.0 - Unauthenticated SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)casdoor"})Description
Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Upgrade to a patched version of Casdoor or apply the necessary security patches to mitigate the SQL injection vulnerability.
Casdoor Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)casdoor"})Description
Casdoor login panel was detected.
CaseManager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CaseManager"})Description
CaseManager login panel was detected.
Cassia Bluetooth Gateway Panel - Detect
Author: DhiyaneshDkAdded: Apr 23, 2024
runzero-match
service["http.body"] matches "(?i)Cassia Bluetooth Gateway Management Platform"Description
Cassia Bluetooth Gateway Management Platform login page was discovered.
Cassia Gateway Firmware - Remote Code Execution
runzero-match
service["http.body"] matches "Cassia Bluetooth Gateway Management Platform"Description
In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.
Impact
Unauthenticated attackers can inject Bash code through the queueUrl parameter which executes with root privileges on device startup, potentially compromising the Bluetooth gateway and all connected IoT devices.
Remediation
Update Cassia Gateway firmware to a version newer than XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947 that properly sanitizes the queueUrl parameter.
Caton Network Manager System Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Caton Network Manager System"})Description
Caton Network Manager System login panel was detected.
Cellinx NVT Web Server - Local File Disclosure
runzero-match
service["http.body"] matches "(?i)/viewer/viewer\\.html"Description
Cellinx NVT v1.0.6.002b was discovered to contain a local file disclosure vulnerability via the component /cgi-bin/GetFileContent.cgi.
Impact
Unauthenticated attackers can read arbitrary files from the server through the PATH parameter in GetFileContent.cgi, potentially exposing system credentials, configuration files, and sensitive video surveillance data.
Remediation
Update Cellinx NVT to a version newer than 1.0.6.002b that validates file paths in GetFileContent.cgi and restricts file access to authorized directories only.
Celonis Login - Panel
Author: r3dg33kAdded: Nov 16, 2025
runzero-match
service["http.body"] matches "(?i)Amazing insights\\. Better results\\." || any(each(service["html.titles"]), {# matches "(?i)Celonis"})Description
Detects Celonis Process Intelligence login panels.
CentOS Web Panel - OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login \\| Control WebPanel"})Description
The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
Impact
Unauthenticated attackers can execute arbitrary OS commands with root privileges via command injection in the idsession parameter, leading to complete server compromise.
Remediation
Apply security updates provided by CentOS Web Panel.
CentOS Web Panel - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login \\| Control WebPanel"})Description
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
Impact
Unauthenticated attackers can exploit SQL injection via the idsession parameter to extract database contents or execute arbitrary commands with root privileges.
Remediation
Apply security updates provided by CentOS Web Panel.
CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Login \\| Control WebPanel"})Description
CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary system commands via crafted HTTP requests and potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to CentOS Web Panel version 0.9.8.1147 or later to mitigate this vulnerability.
CentreStack Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CentreStack"})Description
Gladinet CentreStack login panel was detected.
Centreon Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)centreon"})Description
Centreon login panel was detected.
Chainlit Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)content\s*=\s*"https://github.com/Chainlit/chainlit"`Description
Chainlit panel was detected. Chainlit is an open-source framework for building production-ready conversational AI applications.
Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
runzero-match
service["product"] matches "(?i)Chamilo"Description
Command injection in `/main/webservices/additional_webservices.php`
in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain
remote code execution via improper neutralisation of special characters.
Impact
Unauthenticated attackers can execute arbitrary system commands through the wsConvertPpt SOAP endpoint by injecting special characters in the file_name parameter, potentially compromising the entire Chamilo LMS platform and accessing student data.
Remediation
Update Chamilo LMS to a version newer than 1.11.20 that properly neutralizes special characters and validates input in additional_webservices.php.
ChanCMS <= 3.3.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ChanCMS"Description
yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the \"key\" argument in app/modules/api/service/Api.js Search function, letting remote attackers execute arbitrary SQL commands, exploit requires crafted request.
Impact
Remote attackers can execute arbitrary SQL commands, potentially leading to data theft or database compromise.
Remediation
Update to the latest version.
ChanCMS <= 3.3.0 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "ChanCMS"Description
yanyutao0402 ChanCMS 3.3.0 contains a server-side request forgery caused by manipulation of the "taskUrl" argument in /cms/collect/getArticle, letting remote attackers make arbitrary requests, exploit requires no special privileges.
Impact
Remote attackers can make arbitrary requests from the server, potentially accessing internal resources or sensitive data.
Remediation
Update to the latest version of ChanCMS.
Change Detection - Server Side Template Injection
runzero-match
service["http.body"] matches "(?i)Change Detection"Description
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
Impact
Unauthenticated attackers can execute arbitrary code on the server through Server Side Template Injection.
Remediation
Update changedetection.io to version 0.45.21 or later.
Changedetection.io <= 0.47.4 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)change detection"})Description
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source-file-///etc/passwd` can be used to retrieve local system files, where the more traditional `file-///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
Impact
Attackers can exploit this vulnerability to compromise system security.
Remediation
Apply security patches to address CVE-2024-51483.
Changedetection.io Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Change Detection"})Description
Change Detection is an open-source service which allows you to detect changes on websites
Changedetection.io RSS Single Watch - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Change Detection"})Description
changedetection.io < 0.54.1 contains a stored XSS caused by unescaped reflection of UUID path parameter in RSS single-watch endpoint, letting remote attackers execute JavaScript in victim's browser, exploit requires victim to visit crafted URL.
Impact
Attackers can execute arbitrary JavaScript in users' browsers, leading to session hijacking or other client-side attacks
Remediation
Update to version 0.54.1 or later.
Changjietong Remote Communication GNRemote.dll - SQL Injection
runzero-match
service["http.body"] matches "(?i)远程通CHANJET_Remote"Description
Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
Chanjet TPlus GetStoreWarehouseByStore - Remote Command Execution
Author: SleepingBag945Added: Oct 13, 2025
runzero-match
service["product"] matches "(?i)畅捷通.TPlus"Description
Changjet Tplus has a front-end remote code execution vulnerability. An attacker can use the GetStoreWarehouseByStore method to inject a serialized payload and execute arbitrary commands. This ultimately results in leakage of sensitive server information or code execution.
ChatGPT-Next-Web - SSRF/XSS
runzero-match
any(each(service["html.titles"]), {# matches "NextChat,\"ChatGPT Next Web"})Description
Full-Read SSRF/XSS in NextChat, aka ChatGPT-Next-Web
Impact
Unauthenticated attackers can exploit SSRF vulnerabilities through the /api/cors endpoint to access internal network resources and inject malicious JavaScript for cross-site scripting attacks.
Remediation
Do not expose to the Internet
ChatGPT个人专用版 - Server Side Request Forgery
Author: DhiyaneshDKAdded: Mar 30, 2024
runzero-match
any(each(service["html.titles"]), {# matches "ChatGPT个人专用版"})Description
A Server-Side Request Forgery (SSRF) in pictureproxy.php of ChatGPT commit f9f4bbc allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the urlparameter.
Impact
Attackers can force the application to make arbitrary requests including reading local files and accessing internal resources via SSRF in the pictureproxy.php file.
Remediation
Update ChatGPT个人专用版 to a version that addresses CVE-2024-27564.
Check Point Quantum Gateway - Information Disclosure
runzero-match
service["http.body"] matches "(?i)check point ssl network"Description
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
Impact
Unauthenticated attackers can read arbitrary files on Check Point Security Gateways, potentially exposing sensitive configuration files and credentials.
Remediation
Apply Check Point security fixes for CVE-2024-24919 as specified in SK182337.
CheckPoint SSL Network Extender Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)check point ssl network extender"}) || any(each(service["html.titles"]), {# matches "(?i)ssl network extender login"})Description
CheckPoint SSL Network Extender login panel was detected.
Checkmarx Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)CxSASTManagerUri"Description
Checkmarx login panel was detected.
Checkmate Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "^Checkmate$" })Description
Checkmate administrative login page was found.
Checkmk - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Check_MK"})Description
Checkmk monitoring instance is accessible with default credentials (cmkadmin/cmkadmin). This provides full administrative access to the monitoring platform, including the ability to view all monitored hosts, execute commands on agents, and access stored credentials.
Impact
An attacker with admin access to Checkmk can view the entire monitored infrastructure, access stored SNMP community strings and SSH credentials, execute commands on monitored hosts via the agent, and gain visibility into the organization's network topology.
Remediation
Change the default cmkadmin password immediately after installation using 'cmk-passwd cmkadmin' or through the web interface.
Checkmk Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Check_MK"})Description
Checkmk login panel was detected.
Chef Automate < 4.13.295 — SQL Injection
runzero-match
service["http.body"] matches "(?i)Chef Automate"Description
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
Impact
Authenticated attackers with knowledge of a well-known token can execute arbitrary SQL queries through the compliance service, potentially gaining access to restricted functionality and sensitive data.
Remediation
Upgrade to version 4.13.295 or later.
Chemotargets Clarity Vista Login Panel - Detect
Author: righettodAdded: Apr 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ClarityVista"})Description
Chemotargets Clarity Vista login panel was detected.
ChirpStack - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "ChirpStack LoRaWAN"})Description
Fresh ChirpStack installations use the default credentials (admin/admin), allowing attackers to easily access the admin console.
ChirpStack LoRaWAN Detection
Author: ProjectDiscoveryAIAdded: Mar 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ChirpStack LoRaWAN"})Description
Detects the presence of ChirpStack LoRaWAN Network-Server by identifying unique page characteristics in the HTML response.
Chronos Panel - Detect
Author: righettodAdded: Oct 24, 2023
runzero-match
service["http.body"] matches "(?i)chronoslogin\\.js"Description
Chronos Login Panel was detected.
ChurchCRM - API Authentication Bypass via URL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)churchcrm"})Description
ChurchCRM < 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints, exploit requires crafted request URL with 'api/public
Impact
Unauthenticated attackers can access all protected API endpoints, exposing sensitive church member data and system information.
Remediation
Update to version 7.1.0 or later.
ChurchCRM - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ChurchCRM"})Description
A reflected cross-site scripting (XSS) vulnerability was discovered in ChurchCRM via the 'username' parameter in /session/begin.
ChurchCRM - Default Login
Author: KazgangapAdded: Nov 4, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)churchcrm"})Description
ChurchCRM contains a default login vulnerability.
ChurchCRM Panel - Detect
Author: KazgangapAdded: Nov 3, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)churchcrm"})Description
ChurchCRM panel was discovered.
Ciphertrust - Default Login
Author: SleepingBag945Added: Sep 8, 2023
runzero-match
any(each(service["html.titles"]), {# contains "(?i)CipherTrust Manager"})Description
Attackers can control the entire platform through the default password (initpass) vulnerability, and use administrator privileges to operate core functions.
Circutor Line-TCPRS1 - Default Login
Author: s4e-ioAdded: Mar 2, 2026
runzero-match
service["http.body"] matches "(?i)Line-TCPRS1"Description
A default login was discovered on a Circutor Line-TCPRS1 device. An attacker can obtain access to user accounts, access sensitive information, modify data, and execute unauthorized operations.
Cisco ACE 4710 Device Manager Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ACE 4710 Device Manager"Description
Cisco ACE 4710 Device Manager login panel was detected.
Cisco ASA - Local File Inclusion
runzero-match
asset["hw_product"] matches `(?i)adaptive\s+security\s+appliance`Description
Cisco Adaptive Security Appliances (ASA) web interfaces could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.
Impact
An attacker can read sensitive files on the Cisco ASA firewall, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the necessary security patches or updates provided by Cisco to fix the local file inclusion vulnerability.
Cisco Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD) - Local File Inclusion
runzero-match
asset["hw_product"] matches `(?i)adaptive\s+security\s+appliance`Description
Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software is vulnerable to local file inclusion due to directory traversal attacks that can read sensitive files on a targeted system because of a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
Impact
An attacker can exploit this vulnerability to read sensitive files on the affected system.
Remediation
Apply the necessary security patches or updates provided by Cisco to fix the vulnerability.
Cisco BroadWorks - Remote Code Execution (Apache Log4j)
runzero-match
service["product"] matches "(?i)Cisco.BroadWorks"Description
Cisco BroadWorks is susceptible to Log4j JNDI remote code execution. Cisco BroadWorks is an enterprise-grade calling and collaboration platform delivering unmatched performance, security and scale.
Cisco CloudCenter Suite (Log4j) - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "CloudCenter Suite"})Description
Cisco CloudCenter Suite is susceptible to remote code execution via the Apache Log4j library. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Remediation
From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Cisco Edge 340 Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cisco edge 340"})Description
Cisco Edge 340 panel was detected.
Cisco Email Security Appliance - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco\\s+(?:Cloud\\s+)?Gateway"})Description
Detected Cisco Email Security Appliance login panel.
Cisco Finesse - Server-Side Request Forgery (SSRF)
runzero-match
any(each(service["html.titles"]), {# matches "Cisco Finesse"})Description
Cisco Finesse contains an SSRF caused by insufficient validation of user-supplied input in HTTP requests, letting unauthenticated remote attackers access limited sensitive information, exploit requires sending crafted HTTP requests.
Impact
Attackers can access sensitive information from services associated with the device, potentially leading to information disclosure.
Remediation
Apply the latest security patches and updates provided by Cisco for Finesse.
Cisco HyperFlex HX Data Platform - Remote Command Execution
runzero-match
service["product"] matches "(?i)cisco.hyperflex.hx.data"Description
Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
Remediation
Apply the necessary security patches or updates provided by Cisco to mitigate this vulnerability.
Cisco HyperFlex HX Data Platform - Remote Command Execution
runzero-match
service["product"] matches "(?i)cisco.hyperflex.hx.data"Description
Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Impact
Attackers can execute arbitrary commands on the device, potentially leading to full system compromise.
Remediation
Apply the latest security updates and patches provided by Cisco for HyperFlex HX.
Cisco IOS XE - Impant Detection
Author: DhiyaneshDK,rxeriumAdded: Oct 26, 2023
runzero-match
service["http.body.mmh3"] == "1076109428"Description
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
Remediation
Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: 'no ip http server' or 'no ip http secure-server'.
Cisco IOS XE Web UI - Command Injection
runzero-match
service["http.body.mmh3"] == "1076109428"Description
A vulnerability in the web UI component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system. This vulnerability is due to improper input validation in the web UI. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.
Impact
Unauthenticated attackers can execute arbitrary commands with root privileges through crafted HTTP requests to the web UI component, potentially compromising the entire Cisco IOS XE router and all managed network traffic.
Remediation
Apply Cisco security patches from advisory cisco-sa-iosxe-webui-privesc-j22SaA4z that validate input in the web UI and prevent command injection in the SOAP API.
Cisco ISE - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "identity services engine"})Description
A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
Impact
Unauthenticated remote attackers can execute arbitrary code as root, leading to full system compromise.
Remediation
Update to the latest available version.
Cisco ISE Admin Login Panel - Detect
Author: bhutchAdded: Jun 11, 2025
runzero-match
service["http.body"] matches "(?i)Identity Services Engine"Description
Cisco Identity Services Engine (ISE) admin login panel was discovered.
Cisco Identity Services Engine Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)identity services engine"})Description
Cisco Identity Services Engine admin login panel was detected.
Cisco Prime Infrastructure Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)prime infrastructure"})Description
A Cisco Prime Infrastructure login panel was discovered.
Cisco Secure CN Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco Secure CN"})Description
Cisco Secure CN login panel was detected.
Cisco Secure Firewall ASA & FTD - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/\\+CSCOE\\+/logon\\.html"Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests.
Impact
An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.
Remediation
Update to the latest available version of Cisco Secure Firewall ASA and FTD Software.
Cisco Secure Firewall Management Center - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)BackdraftSyncIntegration"Description
Cisco Secure Firewall Management Center Software contains an authentication bypass caused by improper system process creation at boot, letting unauthenticated remote attackers execute scripts and gain root access, exploit requires crafted HTTP requests.
Impact
Unauthenticated remote attackers can gain root access by executing scripts, leading to full system compromise.
Remediation
Update to the latest available version.
Cisco ServiceGrid Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco ServiceGrid"})Description
Cisco ServiceGrid login panel was detected.
Cisco Small Business 200,300 and 500 Series Switches - Open Redirect
runzero-match
service["product"] matches "(?i)cisco.sg200.firmware"Description
Cisco Small Business 200,300 and 500 Series Switches contain an open redirect vulnerability in the Web UI. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Apply the necessary patches or updates provided by Cisco to fix the open redirect vulnerability.
Cisco Smart Software Manager On-Prem Panel - Detect
Author: irshad ahamedAdded: Jul 28, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)on-prem license workspace"})Description
Cisco Smart Software Manager On-Prem is an on-premises software license management solution offered by Cisco. It enables organizations to manage and optimize their Cisco software licenses, entitlements, and usage in their local data centers, providing greater control and visibility over software assets.
Cisco Systems Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco Systems Login"})Description
Cisco Systems login panel was detected.
Cisco TelePresence Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco Telepresence"})Description
Cisco TelePresence login panel was detected.
Cisco UCS Manager KVM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cisco ucs kvm direct"})Description
Cisco UCS Manager KVM login panel was detected.
Cisco Unified Communications - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Cisco Unified"})Description
Cisco Unified Communications is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Cisco Unified Communications Manager - Cluster Enumeration
Author: Morgan RobertsonAdded: Jan 28, 2026
runzero-match
service["product"] contains "Cisco:Unified Communications Manager"Description
Enumerated Cisco UCM cluster nodes (servers) using the unauthenticated UDS API (XML), allowing identification of backend servers without authentication.
Cisco Unified Communications Self-Service User Portal - Detection
Author: Morgan RobertsonAdded: Jan 25, 2026
runzero-match
service["product"] contains "Cisco:Unified Communications Manager"Description
Detected the presence of the Cisco Unified Communications User Management Panel.
Cisco Unity Connection Panel - Detect
Author: HeeresSAdded: Feb 29, 2024
runzero-match
service["http.body"] matches "(?i)Cisco Unity Connection"Description
A Cisco Unity Connection instance was detected.
Cisco Web UI Login - Detect
Author: drewvravickAdded: Mar 26, 2025
runzero-match
service["http.body"] matches "(?i)webui-centerpanel"Description
Detects the presence of Cisco Web UI login panels
Cisco WebEx - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Cisco WebEx"})Description
Cisco WebEx is susceptible to Log4j JNDI remote code execution. Cisco WebEx provides web conferencing, videoconferencing and contact center as a service applications.
Cisco Webex Meetings - Panel
Author: EyonnAdded: Jan 22, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco Webex Meetings"})Description
Detects Cisco Webex Meetings panel by requesting the modern Webex dashboard and matching unique Webex HTML markers.
Cisco vManage (Log4j) - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "vManage"})Description
Cisco vManage is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. More information is available in the cisco-sa-apache-log4j-qRuKNEbd advisory.
Cisco vManage Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco vManage"})Description
Cisco vManage login panel was detected.
Citrix ADC Gateway Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix gateway"})Description
Citrix ADC Gateway login panel was detected.
Citrix Bleed - Leaking Session Tokens
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix gateway\" \\|\\| title:\"netscaler gateway"})Description
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.
Impact
Unauthenticated attackers can leak session tokens from memory, potentially hijacking authenticated sessions and accessing sensitive Gateway resources.
Remediation
Apply Citrix security updates immediately. Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-8.50, 13.1 before 13.1-49.15, 13.0 before 13.0-92.19, and 12.1 (EOL).
Citrix Gateway and Citrix ADC - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix gateway"})Description
Citrix ADC and Citrix Gateway versions before 13.1 and 13.1-45.61, 13.0 and 13.0-90.11, 12.1 and 12.1-65.35 contain a cross-site scripting vulnerability due to improper input validation.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the necessary patches or updates provided by Citrix to mitigate this vulnerability.
Citrix NetScaler Memory Disclosure - CitrixBleed 2
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetScaler Gateway"}) || any(each(service["html.titles"]), {# matches "(?i)NetScaler AAA"}) || service["favicon.ico.image.mmh3"] == "-1166125415" || service["favicon.ico.image.mmh3"] == "-1292923998"Description
Insufficient input validation leading to memory overread on the NetScaler Management Interface NetScaler ADC and NetScaler Gateway
Impact
Unauthenticated attackers can trigger memory overread conditions to leak sensitive information from NetScaler memory, potentially exposing session tokens and credentials similar to CitrixBleed.
Remediation
Apply the security patches as described in Citrix support article CTX693420 and restrict access to the NetScaler Management Interface.
Citrix Netscaler ADC & Gateway - Out-Of-Bounds Memory Read
runzero-match
service["favicon.ico.image.mmh3"] == "-1292923998,-1166125415"Description
The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a very commonly connected Web interface, and without requiring authentication. This bug is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker.
Impact
The vulnerability allows an attacker to recover potentially sensitive data from memory. Although in most cases nothing of value is returned, we have observed instances where POST request bodies are leaked.
Remediation
Update to version 13.1-51.15 or later
Citrix SD-WAN Center - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Citrix SD-WAN"})Description
Citrix SD-WAN Center is susceptible to remote command injection via the ping function in DiagnosticsController, which does not sufficiently validate or sanitize HTTP request parameter values used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ipAddress, pingCount, or packetSize, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data exfiltration, and potential compromise of the entire Citrix SD-WAN Center infrastructure.
Remediation
Apply the necessary patches or updates provided by Citrix to mitigate this vulnerability.
Citrix SD-WAN Center - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Citrix SD-WAN"})Description
Citrix SD-WAN Center is susceptible to remote command injection via the addModifyZTDProxy function in NmsController. The function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ztd_password, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data exfiltration, and potential compromise of the entire SD-WAN infrastructure.
Remediation
Apply the latest security patches provided by Citrix to mitigate the vulnerability.
Citrix SD-WAN Center - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Citrix SD-WAN"})Description
Citrix SD-WAN Center is susceptible to remote command injection via the apply action in StorageMgmtController. The callStoragePerl function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying an array value with crafted values for action, host, path, or type, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data exfiltration, and potential compromise of the entire SD-WAN infrastructure.
Remediation
Apply the latest security patches provided by Citrix to mitigate the vulnerability.
Citrix SD-WAN Center - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Citrix SD-WAN"})Description
Citrix SD-WAN Center is susceptible to remote command injection via the trace_route function in DiagnosticsController, which does not sufficiently validate or sanitize HTTP request parameter values used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ipAddress, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data exfiltration, and potential compromise of the entire SD-WAN infrastructure.
Remediation
Apply the necessary patches or updates provided by Citrix to mitigate the vulnerability.
Citrix SD-WAN and NetScaler SD-WAN - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix sd-wan"})Description
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 contain an SQL injection vulnerability. An unauthenticated attacker can exploit improper validation of input in specific components, which could allow for execution of arbitrary SQL queries against the backend database. This could result in information disclosure, manipulation of data, or complete compromise of affected systems.
Impact
Successful exploitation may allow a remote unauthenticated attacker to execute SQL commands on the system, potentially resulting in unauthorized access, data leakage, modification of critical data, or full compromise of the SD-WAN appliance.
Remediation
Apply the vendor patch: upgrade Citrix SD-WAN to version 10.2.3 or later, and NetScaler SD-WAN to version 10.0.8 or later as detailed in the official Citrix advisory.
Citrix StoreFront - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/citrix/storeweb"Description
Reflected Cross-Site Scripting issue which is exploitable without authentication. This vulnerability was exploitable through coercing an error message during an XML parsing procedure in the SSO flow.
Impact
Unauthenticated attackers can inject malicious JavaScript via reflected XSS during XML parsing in the SSO flow, potentially stealing user credentials or session tokens.
Remediation
Apply Citrix security updates immediately. Update to StoreFront versions 2402, 2203 CU1, 2203 LTSR CU5, 1912 LTSR CU8, or later.
Citrix StoreFront Server - XML External Entity
runzero-match
service["product"] matches "(?i)citrix.storefront.server"Description
Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
Impact
Attackers can read arbitrary files, perform server-side request forgery, or cause denial of service through XXE attacks.
Remediation
Update to version 1903 or later for StoreFront, CU4 or later for 7.15 LTSR, CU8 or later for 7.6 LTSR.
Citrix VPN Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix gateway"})Description
Citrix VPN panel was detected.
Citrix XenApp - Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "/citrix/xenapp"Description
Citrix XenApp is susceptible to Log4j JNDI remote code execution. Citrix Virtual Apps is an application virtualization software produced by Citrix Systems that allows Windows applications to be accessed via individual devices from a shared server or cloud system.
Citrix XenMobile Server - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "XenMobile"})Description
XenMobile Server is an on-premises enterprise mobility management solution and versions 10.14 RP2, 10.13 RP5 and 10.12 RP10 are vulnerable to CVE-2021-44228 (Apache Log4j). JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Claris FileMaker Server Admin Console - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Claris FileMaker"})Description
Claris FileMaker Server Admin Console panel was detected.
Claris FileMaker WebDirect Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Claris FileMaker WebDirect"})Description
Claris FileMaker WebDirect panel was detected.
CleanWeb Login Panel - Detect
Author: righettodAdded: Mar 9, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CleanWeb"})Description
CleanWeb login panel was detected.
Clear-Com Core Configuration Manager Panel - Detect
runzero-match
service["http.body"] matches "(?i)CCM - Authentication Failure"Description
Clear-Com Core Configuration Manager panel was detected.
ClearML Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ClearML"})Description
ClearML was detected. ClearML is an open-source MLOps platform for experiment tracking, model management, and pipeline orchestration. Exposed instances may allow access to ML experiments, models, and infrastructure configurations.
ClearPass Policy Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)clearpass policy manager"})Description
ClearPass Policy Manager login panel was detected.
Cleo Harmony < 5.8.0.21 - Arbitary File Read
runzero-match
service["http.head.server"] matches "Cleo"Description
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
Impact
Attackers can exploit vulnerabilities to compromise the system.
Remediation
Update to the latest patched version addressing CVE-2024-50623.
Cloud OA System - SQL Injection
runzero-match
service["http.body"] matches "(?i)全程云办公"Description
cloud OA system /OA/PM/svc.asmx page parameters are not properly filtered, resulting in a SQL injection vulnerability, which can be used to obtain sensitive information in the database.
CloudPanel Login - Detect
Author: DhiyaneshDkAdded: Jun 29, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "151132309" || any(each(service["html.titles"]), {# matches "(?i)cloudpanel"})Cloudera Hue Default Admin Login
runzero-match
any(each(service["html.titles"]), {# matches "Hue - Welcome to Hue"})Description
Cloudera Hue default admin credentials were discovered.
Cloudflare Access - Login Panel Detection
Author: rxeriumAdded: Feb 5, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cloudflare Access"})Description
Detected exposed Cloudflare Access login pages.
Remediation
- Ensure Cloudflare Access policies are properly configured to restrict access to authorized users only
- Review and enforce appropriate authentication rules and multi-factor authentication requirements
- Limit exposure of Access login pages to necessary endpoints only
Cloudlog Panel - Detect
Author: s4e-ioAdded: Jan 3, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login - Cloudlog"})Description
Cloudlog panel was discovered.
Cloudphysician RADAR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cloudphysician RADAR"})Description
Cloudphysician RADAR login panel was detected.
Cluster Control CMON API - Directory Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "160707013"Description
Directory Traversal vulnerability in Severalnines Cluster Control 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780 allows a remote attacker to include and display file content in an HTTP request via the CMON API.
Impact
Unauthenticated attackers can exploit directory traversal to read arbitrary files from the Cluster Control server.
Remediation
Update Severalnines Cluster Control to version 1.9.8-9778, 2.0.0-9779, or 2.1.0-9780 or later.
Cnzxsoft System - Default Login
Author: SleepingBag945Added: Sep 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)中新金盾信息安全管理系统"})Description
Cnzxsoft Golden Shield Information Security Management System has a default weak password.
Cobbler 'XML-RPC' - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cobbler Web Interface"})Description
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.
Impact
Anyone with network access can connect to Cobbler XML-RPC with default credentials and make arbitrary changes, gaining full control.
Remediation
Update Cobbler to version 3.2.3 or 3.3.7 or later.
Cobbler - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cobbler web interface"})Description
Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
Impact
Unauthenticated attackers can bypass authentication to gain unauthorized access, leading to privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.
Cobbler <3.3.0 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cobbler web interface"})Description
Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially resulting in complete compromise of the affected system.
Remediation
Upgrade Cobbler to version 3.3.0 or later, which includes a fix for this vulnerability.
Cobbler WebGUI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cobbler web interface"})Description
Cobbler WebGUI login panel was detected.
Cockpit CMS 0.6.1 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)cockpit"Description
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.
Impact
Unauthenticated attackers can inject custom PHP code to achieve remote command execution, leading to complete Cockpit CMS compromise.
Remediation
Upgrade to Cockpit CMS version 0.6.1 or later.
Cockpit Project Login Panel - Detect
Author: righettodAdded: Apr 15, 2025
runzero-match
service["http.body"] matches "(?i)cockpit/static/login\\.css"Description
Cockpit Project products was detected.
Code-Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)code-server login"})Description
Code-Server login panel was detected.
CodeChecker <= 6.24.1 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1496590341"Description
Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others.
Impact
Unauthenticated attackers can bypass authentication by crafting API URLs ending with specific keywords, gaining superuser access to all API endpoints including product management and configuration.
Remediation
Upgrade CodeChecker to version 6.24.2 or later.
Cofense Vision Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "739801466"Description
Cofense Vision login panel was detected.
Cogent DataHub (OPC DataHub) - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^DataHub Web Server"}) || service["http.body"] matches "(?i)You have successfully configured the DataHub to run as a web server"Description
Cogent DataHub (OPC DataHub) is an industrial middleware platform for OPC connectivity,
data bridging, and SCADA integration. The embedded web server is commonly exposed on
port 80 or 443.
Cognita Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Sign in to Cognita"})Description
Cognita is an open-source RAG framework by Truefoundry for building modular and
production-ready RAG pipelines.
ColdFusion Administrator Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
ColdFusion Administrator login panel was detected.
Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/cmp-coming-soon-maintenance/"Description
The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them.
Impact
Unauthenticated attackers can bypass maintenance mode restrictions to access published posts and pages that should be protected during maintenance.
Remediation
Fixed in version 4.1.7
Commvault - SSRF via /commandcenter/deployWebpackage.do
runzero-match
service["favicon.ico.image.mmh3"] == "1209838013"Description
A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.
Impact
Unauthenticated attackers can exploit SSRF through ZIP file uploads containing path traversal sequences, potentially leading to remote code execution on the Commvault server.
Remediation
Apply the security patch as described in Commvault's security advisory for Command Center Innovation Release 11.38.
Commvault Unauthenticated Password Disclosure (WT-2025-0047)
Author: DhiyaneshDK,iamnoooob,pdresearch,watchtowrAdded: Aug 20, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-542502280"Description
An issue was discovered in Commvault before 11.36.60. A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk.
Impact
Unauthenticated attackers can exploit the public sharing login mechanism to access API endpoints and retrieve sensitive user information including passwords.
Remediation
Upgrade Commvault to version 11.36.60 or later that properly restricts API access and removes the vulnerable login mechanism.
Commvault Web Console Panel - Detect
Author: rxeriumAdded: Oct 8, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-542502280"Description
Commvault web console login panel was detected.
Compalex Panel - Detect
Author: MaStErChoAdded: Jan 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)COMPALEX"})CompleteView Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CompleteView Web Client"})Description
CompleteView panel was detected.
Concourse CI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Concourse"})Description
Concourse CI login panel was detected.
Concrete5 Install Panel
Author: osamahamad,princechaddhaAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)install concrete5"}) || any(each(service["html.titles"]), {# matches "(?i)concrete5"})Description
A Concrete5 installation panel was discovered.
Concrete5 Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)concrete5"}) || any(each(service["html.titles"]), {# matches "(?i)install concrete5"})Description
Concrete5 login panel was detected.
Confluence - Remote Code Execution
runzero-match
service["product"] matches "(?i)Atlassian.Confluence"Description
Confluence Server and Data Center is susceptible to an unauthenticated remote code execution vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches or updates provided by Atlassian to mitigate this vulnerability.
ConnectWise Control Remote Support Software Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-82958153"ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-82958153"Description
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Impact
Unauthenticated attackers can bypass authentication to access confidential information or critical systems, potentially leading to complete system compromise.
Remediation
Update ConnectWise ScreenConnect to version 23.9.8 or later.
Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/fluentform/"Description
The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.
Impact
Unauthenticated attackers can grant Fluent Form management permissions to any user account, providing access to all plugin settings and sensitive data.
Remediation
Update Contact Form Plugin by Fluent Forms to version 5.1.17 or later.
Contao Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)contao open source cms" || any(each(service["html.titles"]), {# matches "(?i)contao"})Description
Contao login panel was detected.
Content Central Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Content Central Login"})Description
Content Central login panel was detected.
Contest Gallery < 13.1.0.6 - SQL injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/contest-gallery/"Description
The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address.
Impact
Unauthenticated attackers can exploit SQL injection to extract database contents and enumerate all registered users including their email addresses, potentially facilitating targeted phishing attacks.
Remediation
Fixed in version 13.1.0.6
Control Web Panel (CWP) - File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-356182173"Description
In CWP (Control Web Panel, previously CentOS Web Panel) before version 0.9.8.1107, an unauthenticated attacker can abuse null byte (%00) injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be exploited by using multiple %00 sequences to traverse directories via crafted requests such as /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi, or similar payloads with more %00 instances (e.g., .%00%00%00./.%00%00%00./api/account_new_create). Attackers may use this flaw for arbitrary file access, privilege escalation, or remote code execution.
Impact
A remote, unauthenticated attacker can leverage this vulnerability to register arbitrary API keys, access sensitive files (such as /etc/passwd), and potentially achieve remote code execution. Successful exploitation results in full compromise of the web panel and host system, allowing for exposure of confidential data, server takeover, and further attacks on internal infrastructure.
Remediation
Update to version 0.9.8.1107 or later to fix input validation issues.
Control Web Panel Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CWP \\|用户"})Description
Control Web Panel login panel was detected.
Copa-Data zenon - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)zenon Web Server"Description
Copa-Data zenon is an industrial automation platform used in manufacturing,
energy, and infrastructure. The zenon Web Server and Smart Server expose a
browser-based HMI interface for remote monitoring and control of SCADA processes.
CopyParty v1.8.6 - Cross Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)copyparty"})Description
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.
Impact
Unauthenticated attackers can inject malicious JavaScript through the k304 parameter to steal user session cookies when users click malicious links to CopyParty.
Remediation
Fixed in v1.8.6
Copyparty <= 1.8.2 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)copyparty"})Description
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit `043e3c7d` which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Unauthenticated attackers can exploit path traversal in the .cpr subfolder to read arbitrary files from the file server, potentially accessing sensitive system files and user data stored outside the web document root.
Remediation
Update Copyparty to version 1.8.2 or later that properly validates file paths in the .cpr subfolder and prevents directory traversal attacks.
Copyparty <=1.18.6 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)copyparty"})Description
Copyparty before 1.18.7 is vulnerable to reflected cross-site scripting (XSS) via the 'filter' parameter in the '/?ru' endpoint. Unsanitized user input is reflected in the HTML response, allowing attackers to execute arbitrary JavaScript in the context of the victim's browser.
Impact
Attackers can execute arbitrary JavaScript in victim browsers through malicious URLs containing XSS payloads in the filter parameter, potentially leading to session hijacking.
Remediation
Upgrade Copyparty to version 1.18.7 or later to mitigate this vulnerability.
Cortex XSOAR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cortex xsoar"})Description
Cortex XSOAR login panel was detected.
CouchDB - Default Login
runzero-match
service["http.head.server"] matches `^CouchDB/`Description
CouchDB weak admin credentials were discovered.
CouchDB Erlang Distribution - Remote Command Execution
runzero-match
service["service.transport"] == "tcp" and service["protocol"] contains "couchdb"Description
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
Remediation
Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
Couchbase Server - Broken Access Control
runzero-match
service["http.body"] matches "(?i)Couchbase"Description
Couchbase Server versions 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0-4.6.5, 5.0.0, 5.1.1, 5.5.0, and 5.5.1 contain insecure permissions for the projector and indexer REST endpoints caused by unauthenticated access, letting attackers access administrative APIs without authentication, exploit requires no special conditions.
Impact
Attackers can access and modify administrative settings, potentially leading to data tampering or system compromise.
Remediation
Update to the latest version where the /settings REST endpoint requires authentication.
Couchbase Server Console - Detect
runzero-match
any(each(service["html.titles"]), {# matches "^Couchbase Console"})Description
Couchbase Server administrative console was discovered.
Cox Business Dominion Gateway Login Panel - Detect
Author: DhiyaneshDKAdded: Jun 3, 2024
runzero-match
service["http.body"] matches "(?i)Cox Business"Description
Cox Business Dominion Gateway Login page was discovered.
Craft CMS - Remote Code Execution via Template Path Manipulation
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
Impact
Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
Remediation
Upgrade CraftCMS to either >5.5.2 or >4.13.2 or >3.9.14. Or If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
Craft CMS < 3.3.0 - Server-Side Template Injection
runzero-match
service["product"] contains "CraftCMS:Craft CMS" || service["product"] contains "nystudio107:SEOmatic"Description
Craft CMS before 3.3.0 is susceptible to server-side template injection via the SEOmatic component that could lead to remote code execution via malformed data submitted to the metacontainers controller.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the server.
Remediation
Upgrade Craft CMS to version 3.3.0 or higher to mitigate this vulnerability.
Craft CMS <=v3.7.31 - SQL Injection
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
Impact
Unauthenticated attackers can execute arbitrary SQL queries via the GraphQL API endpoint, potentially compromising the database.
Remediation
Update Craft CMS to a version later than v3.7.31.
Craft CMS Admin Login Panel - Detect
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Craft CMS admin login panel was detected.
Craft CMS Installation Wizard Exposure
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Detected Craft CMS installation wizard was exposed, allowing attackers to complete the installation process and gain administrative access to the CMS.
CraftCMS - Remote Code Execution
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.
Impact
Unauthenticated attackers can exploit remote code execution vulnerabilities through unsafe deserialization in the asset transform functionality, achieving complete server compromise.
Remediation
This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
CraftCMS < 4.4.15 - Unauthenticated Remote Code Execution
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
CraftCMS Debug Methods Exposed
Author: 0x_AkokoAdded: Jan 27, 2026
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Detected CraftCMS with devMode enabled, which exposed the Yii2 debug toolbar and sensitive information. This misconfiguration could have leaked database queries, session data, cookies, stack traces, CSRF tokens, and internal application details to unauthenticated users.
CraftCMS SEOmatic - Server-Side Template Injection
runzero-match
service["product"] contains "CraftCMS:Craft CMS" || service["product"] contains "nystudio107:SEOmatic"Description
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.
Impact
Unauthenticated attackers can exploit SSTI via X-Forwarded-Host header to execute arbitrary Twig templates and system commands, achieving complete server compromise.
Remediation
Upgrade to CraftCMS SEOmatic version 3.4.12 or later.
CrafterCMS Engine - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)craftercms"Description
CrafterCMS Engine is vulnerable to reflected cross-site scripting (XSS) via the transformerName parameter in the /api/1/site/url/transform endpoint, allowing attackers to execute arbitrary JavaScript in the context of the user.
Impact
Unauthenticated attackers can inject malicious JavaScript through the transformerName parameter in various API endpoints to steal CrafterCMS user credentials and session data.
Remediation
Update CrafterCMS Engine to the latest version that addresses this vulnerability.
CrafterCMS Login Panel - Detect
Author: righettodAdded: May 11, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)craftercms"})Description
CrafterCMS login panel was detected.
Creatio Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Creatio"})Description
Creatio login panel was detected.
Crestron Airmedia 2.0 - Default Login
Author: Andrew LentzAdded: Sep 27, 2025
runzero-match
service["http.body"] matches "(?i)airmedia"Description
Crestron AirMedia 2.0 devices contain default credentials (admin:admin) that allow unauthorized administrative access to device configuration and control.
Crontab UI - Dashboard Exposure
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["http.body"] matches "(?i)Crontab UI"CrushFTP - Anonymous Login
Author: pussycat0xAdded: Apr 26, 2024
runzero-match
service["http.body"] contains "CrushFTP" || service["http.head.server"] contains "CrushFTP" || any(each(service["favicon.ico.image.mmh3"]), {# == "-1022206565"})Description
CrushFTP Anonymous login credentials were discovered.
CrushFTP - Authentication Bypass
Author: parthmalhotra,Ice3man,DhiyaneshDk,pdresearch,whattheslimeAdded: Apr 14, 2025CWE-287CVE-2025-31161
runzero-match
any(each(service["html.titles"]), {# matches "(?i)crushftp webinterface"}) || service["favicon.ico.image.mmh3"] == "-1022206565" || service["http.body"] matches "(?i)crushftp"Description
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
Impact
Unauthenticated attackers can bypass authentication by forging session cookies, gaining unauthorized administrative access to CrushFTP and potentially compromising the entire file transfer infrastructure.
Remediation
Upgrade to CrushFTP version 10.8.4 or 11.3.1 or later that properly validates session authentication.
CrushFTP - Default Login
Author: pussycat0xAdded: Apr 26, 2024
runzero-match
service["http.body"] contains "CrushFTP" || service["http.head.server"] contains "CrushFTP" || any(each(service["favicon.ico.image.mmh3"]), {# == "-1022206565"})Description
CrushFTP default login credentials were discovered.
CrushFTP VFS - Sandbox Escape LFR
runzero-match
service["http.body"] matches "(?i)crushftp"Description
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Apply the vendor-supplied patch or upgrade to the latest version to mitigate CVE-2024-4040.
CrushFTP WebInterface Panel - Detect
runzero-match
service["http.body"] matches "(?i)crushftp" || any(each(service["favicon.ico.image.mmh3"]), {# == "-1022206565"})Description
CrushFTP WebInterface login panel was detected.
Crypto <= 2.15 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/crypto"Description
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
Impact
Unauthenticated attackers can bypass authentication to log in as any existing user including administrators if they know the username, gaining complete control of the WordPress site and all its data.
Remediation
Update Crypto plugin to a version later than 2.15 that properly restricts and validates method calls in the crypto_connect_ajax_process function.
Cryptobox Panel - Detect
Author: righettodAdded: Jun 13, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cryptobox"})Description
Cryptobox was detected.
Cryptocurrency Widgets Pack < 2.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/cryptocurrency-widgets-pack/"Description
The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Impact
Unauthenticated attackers can execute time-based blind SQL injection through the columns[0][name] parameter in the mcwp_table AJAX action, potentially extracting sensitive database information including cryptocurrency data, user credentials, and plugin configuration.
Remediation
Fixed in version 2.0
Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/cryptocurrency-widgets-pack"Description
Cryptocurrency Widgets Pack Plugin <=1.8.1 for WordPress contains an unauthenticated SQL injection caused by unsanitized user input in database queries, letting attackers execute arbitrary SQL commands, exploit requires no authentication.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion of sensitive information.
Remediation
Update to the latest version of the plugin where the vulnerability is fixed.
CudaTel Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CudaTel"})Description
CudaTel login panel was detected.
Cvent Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Cvent Inc"Description
Cvent login panel was detected.
Cyber Chef Panel - Detect
Author: rxeriumAdded: May 6, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CyberChef"})Description
A Cyber Chef Panel was detected
CyberPanel - Command Injection
runzero-match
service["http.body"] matches "(?i)cyberpanel"Description
CyberPanel contains a command injection vulnerability in the /ftp/getresetstatus and /dns/getresetstatus endpoints.The vulnerability exists due to improper validation of the 'statusfile' parameter, which is directly used in a shell command.The security middleware only validates POST requests, allowing attackers to bypass protection using OPTIONS requests.
Impact
Attackers can exploit this vulnerability to compromise system security and integrity.
Remediation
Apply the latest security patches and updates to address this vulnerability.
CyberPower - Missing Authentication
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
Impact
An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
CyberPower - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
Impact
An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.
Remediation
Upgrade CyberPower PowerPanel Enterprise to version 2.8.3 or later to address the SQL injection vulnerability.
CyberPower - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
Impact
An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
CyberPower < v2.8.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
Impact
An unauthenticated remote attacker can leak sensitive information via the "query_ptask_verbose" function within MCUDBHelper.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
CyberPower < v2.8.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to .
Impact
An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Cyberoam SSL VPN Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cyberoam ssl vpn portal"})Description
Cyberoam SSL VPN panel was detected.
Cyberpanel Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)cyberpanel"Description
Cyberpanel login panel was detected.
D-LINK DNS-320L,DNS-320LW and DNS-327L - Information Disclosure
runzero-match
service["http.body"] matches "(?i)Text:In order to access the ShareCenter"Description
A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/info.cgi of the component HTTP GET Request Handler.
Impact
Unauthenticated attackers can access sensitive system information from D-Link NAS devices.
Remediation
Update D-Link NAS firmware to a version that patches the information disclosure vulnerability.
D-Link - Remote Command Execution
runzero-match
service["product"] matches "(?i)dlink.dir.820l.firmware"Description
A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file
Impact
Unauthenticated attackers can execute arbitrary system commands via command injection in the DDNS function, leading to complete router compromise and control over network traffic.
Remediation
DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions, have reached their End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle and as such this issue will not be patched.
D-Link - Unauthenticated Remote Code Execution
runzero-match
service["product"] matches "(?i)dlink.dir.860l.firmware"Description
OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected device.
Remediation
Apply the latest firmware update provided by D-Link to mitigate this vulnerability.
D-Link AC Centralized Management System - Default Login
Author: SleepingBag945Added: Sep 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AC集中管理平台"})Description
D-Link AC Centralized Management System default login credentials were discovered.
D-Link Central WiFi Manager CWM(100) - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)D-Link Central WiFiManager"Description
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
Impact
Unauthenticated attackers can execute arbitrary PHP code via cookie manipulation, leading to complete compromise of the D-Link Central WiFi Manager and potential access to all managed WiFi networks.
Remediation
Update D-Link Central WiFi Manager to version 1.03R0100_BETA6 or later.
D-Link Central WifiManager - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)dlink.central.wifimanager"Description
D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using a browser.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to internal resources, data leakage, and potential compromise of the entire network.
Remediation
Apply the latest security patches or updates provided by D-Link to fix the SSRF vulnerability in Central WifiManager.
D-Link D-View 8 v2.0.1.28 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1317621215"Description
Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28
Impact
Unauthenticated attackers can exploit static JWT keys to forge authentication tokens and bypass authentication to gain administrative access to D-Link D-View systems.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
D-Link DAR-8000-10 - Command Injection
runzero-match
service["http.body"] matches "(?i)dar-8000-10"Description
D-Link DAR-8000-10 version has an operating system command injection vulnerability. The vulnerability originates from the parameter id of the file /app/sys1.php which can lead to operating system command injection.
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the id parameter in /app/sys1.php, potentially gaining full control of the D-Link DAR-8000-10 router and intercepting all network traffic.
Remediation
Update D-Link DAR-8000-10 firmware to a patched version that properly sanitizes the id parameter in sys1.php and prevents operating system command injection.
D-Link DIR-605 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)l_tb>DIR-605"Description
An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version - 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page
Impact
Unauthenticated attackers can obtain router credentials including usernames and passwords by exploiting information disclosure in the getcfg.php endpoint.
Remediation
Apply firmware updates provided by D-Link or replace the device with a supported model.
D-Link DIR-615 - Unauthorized Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Roteador Wireless"})Description
D-Link DIR-615 devices with firmware 20.06 are susceptible to unauthorized access. An attacker can access the WAN configuration page wan.htm without authentication, which can lead to disclosure of WAN settings, data modification, and/or other unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to the router, potentially compromising the network and exposing sensitive information.
Remediation
Apply the latest firmware update provided by D-Link to fix the vulnerability and ensure strong and unique passwords are set for router administration.
D-Link DIR-803 - Authentication Bypass
runzero-match
asset["hw_vendor"] == "D-Link" && asset["hw_product"] matches "(?i)DIR-803"Description
An authentication bypass vulnerability exists in D-Link DIR-803 routers (firmware A1 1.04 and earlier). By manipulating the AUTHORIZED_GROUP parameter in /getcfg.php via newline injection, an attacker can retrieve XML configuration containing administrator credentials without authentication.
Impact
Remote attackers can disclose sensitive information, potentially compromising device confidentiality.
Remediation
Upgrade to the latest supported version or replace the device as it is no longer maintained.
D-Link DIR-816L - Improper Access Control
runzero-match
service["http.body"] matches "(?i)dir-816l"Description
D-Link DIR-816L_FW206b01 is susceptible to improper access control. An attacker can access folders folder_view.php and category_view.php and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or control of the affected router.
Remediation
Apply the latest firmware update provided by D-Link to fix the access control issue.
D-Link DIR-859 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)D-Link"})Description
A critical information disclosure vulnerability exists in D-Link devices where sensitive device account information including credentials can be retrieved by sending an unauthenticated request to `/getcfg.php` endpoint with the parameter `SERVICES=DEVICE.ACCOUNT`. This could allow attackers to obtain administrative credentials and gain full control of the affected device.
Impact
Unauthenticated attackers can retrieve administrative credentials and sensitive device account information, enabling full device compromise.
Remediation
Update D-Link DIR-859 router to the latest firmware version that addresses CVE-2024-57045 as specified in D-Link's security bulletin.
D-Link DIR820LA1_FW105B03 'ping_addr' - OS Command Injection
runzero-match
service["product"] matches "(?i)dlink.dir820la1.firmware"Description
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
Impact
Unauthenticated attackers can execute arbitrary OS commands with root privileges on the D-Link DIR820LA1 router, leading to complete device compromise and network takeover.
Remediation
Upgrade to the latest firmware version from D-Link or replace the affected device with a patched model.
D-Link DIR850 ET850-1.08TRb03 - Open Redirect
runzero-match
service["product"] matches "(?i)dlink.dir.850l.firmware"Description
DLink DIR850 ET850-1.08TRb03 contains incorrect access control vulnerability in URL redirection, which can be used to mislead users to go to untrusted sites.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Apply the latest firmware update provided by D-Link to fix the open redirect vulnerability.
D-Link DNS-320 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)sharecenter"Description
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data loss, and potential compromise of the affected device.
Remediation
Apply the latest firmware update provided by D-Link to mitigate this vulnerability.
D-Link DNS-320 - Unauthenticated Remote Code Execution
runzero-match
service["http.body"] matches "sharecenter"Description
D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected device.
Remediation
Apply the latest firmware update provided by D-Link to mitigate this vulnerability.
D-Link DSL-2750B Devices Command Injection Vulnerability
runzero-match
asset["hw_vendor"] == "D-Link" && asset["hw_product"] matches "(?i)DSL-2750B"Description
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the
login.cgi cli parameter.
Remediation
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
D-Link NAS - Command Injection via Group Parameter
runzero-match
service["http.body"] matches "(?i)sharecenter"Description
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection.
Impact
Unauthenticated attackers can execute arbitrary OS commands via the group parameter, potentially compromising the entire D-Link NAS device.
Remediation
Update D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L firmware to versions released after 20241028.
D-Link NAS - Command Injection via Name Parameter
runzero-match
service["http.body"] matches "(?i)sharecenter"Description
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection.
Impact
Unauthenticated attackers can execute arbitrary OS commands via the name parameter, potentially compromising the entire D-Link NAS device.
Remediation
Update D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L firmware to versions released after 20241028.
D-Link NAS `sc_mgr.cgi` - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/cgi-bin/login_mgr\\.cgi"Description
The D-Link NAS interface sc_mgr.cgi contains a command execution vulnerability that allows attackers to execute arbitrary commands on the device, potentially leading to unauthorized access or control over the system.
Remediation
To remediate this vulnerability, ensure that the device firmware is updated to the latest version provided by the manufacturer. Additionally, consider implementing network segmentation and firewall rules to restrict unauthorized access to the device.
D-Link Network Attached Storage - Backdoor Account
runzero-match
service["http.body"] contains `In order to access the ShareCenter` || service["last.http.body"] contains `In order to access the ShareCenter`Description
A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials.
Impact
Attackers can use hardcoded credentials to gain unauthorized access to D-Link NAS devices and execute commands.
Remediation
Update D-Link NAS firmware to a version that removes the backdoor account.
D-Link Network Attached Storage - Command Injection and Backdoor Account
runzero-match
service["http.body"] contains `In order to access the ShareCenter` || service["last.http.body"] contains `In order to access the ShareCenter`Description
UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
Impact
Attackers can execute arbitrary commands on D-Link NAS devices using hardcoded credentials and command injection.
Remediation
Retire and replace the affected D-Link NAS devices as they are end-of-life and no longer supported.
D-Link Routers - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "968533676"Description
D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected router, potentially leading to complete compromise of the device and the network it is connected to.
Remediation
Apply the latest firmware update provided by D-Link to mitigate this vulnerability.
DAEnetIP4 METO v1.25 - Session Hijacking
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DAEnetIP4"})Description
DAEnetIP4 METO v1.25 contains improper session management in the /login_ok.htm endpoint, letting attackers hijack sessions, exploit requires attacker to control or intercept session tokens.
Impact
Attackers can hijack user sessions, gaining unauthorized access to user accounts and sensitive information.
Remediation
Implement proper session management and secure session tokens, and update to the latest version if available.
DATAGERRY - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datagerry"})Description
The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contains an Incorrect Access Control vulnerability. An attacker can remotely access this endpoint without authentication, leading to unauthorized disclosure of sensitive information.
Impact
Attackers can exploit this vulnerability to compromise system security and integrity.
Remediation
Apply the latest security patches and updates to address this vulnerability.
DATAGERRY - REST API Auth Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datagerry"})Description
Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.
Impact
Allows unauthorized access to REST API
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
DELL iDRAC9 - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Integrated (?:Dell )?Remote Access Controller"})Description
DELL iDRAC9 default login credentials was discovered.
DNN (DotNetNuke) - Unicode Path Normalization NTLM Hash Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "-1465479343"Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
Impact
Unauthenticated attackers can force the server to retrieve NTLM authentication hashes through malicious file uploads with Unicode-normalized paths, potentially exposing domain credentials to third-party SMB servers.
Remediation
Upgrade DNN Platform to version 10.0.1 or later that properly handles Unicode path normalization and prevents NTLM hash disclosure.
DPLUS Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DPLUS Dashboard"})Description
DPLUS Dashboard panel was detected.
DQS Superadmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DQS Superadmin"})Description
DQS Superadmin login panel was detected.
DVWA Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Login :: Damn Vulnerable Web Application"})Description
Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
Dagu Workflow Engine - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Dagu"})Description
Dagu (<= 1.30.3) ships with authentication disabled by default. The POST /api/v2/dag-runs endpoint accepts inline YAML DAG specifications and immediately executes shell commands without credentials.
Remediation
Upgrade to a patched version.
Dahua EIMS - Remote Command Execution
runzero-match
service["product"] matches "(?i)大华.EIMS"Description
Dahua EIMS capture_handle interface allows remote command execution.
Dahua IPC/VTH/VTO - Authentication Bypass
runzero-match
asset["hw_vendor"] == "Dahua"Description
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Impact
Unauthenticated attackers can bypass device authentication by constructing malicious login packets, gaining full administrative access to Dahua IPC/VTH/VTO devices.
Remediation
Apply firmware updates provided by Dahua to address the authentication bypass vulnerability.
Dahua IPC/VTH/VTO - Authentication Bypass
runzero-match
asset["hw_vendor"] == "Dahua"Description
Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Impact
An attacker can gain unauthorized access to the device, potentially compromising the security and privacy of the system.
Remediation
Apply the latest firmware update provided by Dahua to fix the authentication bypass vulnerability.
Dahua Security - Configuration File Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "2019488876"Description
A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The password in configuration file vulnerability was identified, which could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information.
Impact
This vulnerability can lead to unauthorized access to sensitive information, potentially compromising the security of the system.
Remediation
To remediate this vulnerability, ensure that the configuration file is properly secured and access to it is restricted to authorized personnel only.
Dahua Smart Park Integrated Management Platform - Remote Command Execution
Author: DhiyaneshDKAdded: Dec 4, 2023
runzero-match
service["http.body"] matches "src=\\\\"Description
Dahua Smart Park Integrated Management Platform is vulnerable to RCE.
Dahua Web Service Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1653394551"Description
A Dahua admin login panel was detected.
Danswer - Insecure Direct Object Reference
runzero-match
service["favicon.ico.image.mmh3"] == "484766002"Description
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
Impact
Authenticated attackers can access and view files belonging to other users without proper authorization checks through insecure direct object references, leading to unauthorized disclosure of sensitive chat files and data.
Remediation
Update Danswer to a version that implements proper authorization checks to verify file ownership before allowing access through the GET /api/chat/file/{file_id} and GET /api/chat/get-chat-session endpoints.
Dapr Dashboard 0.1.0-0.10.0 - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dapr dashboard"})Description
Dapr Dashboard 0.1.0 through 0.10.0 is susceptible to improper access control. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
The vulnerability allows unauthorized access to the Dapr Dashboard, potentially leading to unauthorized actions and data exposure.
Remediation
Upgrade Dapr Dashboard to a version that includes the fix for CVE-2022-38817 or apply the necessary patches provided by the vendor.
Darktrace Threat Visualizer Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)darktrace threat visualizer"Description
Darktrace Threat Visualizer login panel was detected.
Dasan GPON Devices - Remote Code Execution
runzero-match
service["product"] matches "(?i)dasannetworks.gpon.router.firmware"Description
Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected device.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
Dashy Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1013024216"Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
runzero-match
service["http.body"] matches "(?i)apriso"Description
A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
Impact
Unauthenticated attackers can exploit unsafe deserialization to execute arbitrary code on DELMIA Apriso servers, achieving complete system compromise.
Remediation
Upgrade DELMIA Apriso to a version later than Release 2025 that properly validates deserialized data.
DataEase 2.10.4-2.10.7 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)dataease"Description
DataEase prior to version 2.10.8 contains a remote code execution caused by insecure backend JDBC link handling, letting authenticated users execute arbitrary code, exploit requires user authentication.
Impact
Authenticated users can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Update to version 2.10.8 or later.
DataEase < 2.10.10 - JWT Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "^DataEase"})Description
DataEase < 2.10.10 contains a broken authentication caused by ineffective secret verification, letting users forge JWT tokens, exploit requires no special privileges.
Impact
Users can forge JWT tokens, potentially gaining unauthorized access to the system.
Remediation
Update to version 2.10.10 or later.
DataEase <= 2.4.1 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)dataease"Description
DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned.
Impact
Attackers can access sensitive configuration and credential information from the DataEase system.
Remediation
Update DataEase to version 2.5.0 or later.
DataEase v2.10.2 - JWT Signature Verification Bypass
runzero-match
service["http.body"] matches "(?i)dataease"Description
DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Attackers can forge JWT tokens to bypass authentication and gain unauthorized access to any interface.
Remediation
Update DataEase to version 2.10.2 or later.
DataHub Metadata - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "DataHub"})Description
DataHub Metadata contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
DataTaker DT80 dEX 1.50.012 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datataker"})Description
DataTaker DT80 dEX 1.50.012 is susceptible to information disclosure. A remote attacker can obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI, thereby possibly accessing sensitive information, modifying data, and/or executing unauthorized operations.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data, potentially compromising the confidentiality of the system.
Remediation
Apply the latest firmware update provided by the vendor to mitigate the information disclosure vulnerability.
Datadog Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Datadog"})Description
Datadog login panel was detected.
Dataease - Default Login
Author: DhiyaneshDKAdded: Dec 5, 2023
runzero-match
service["http.body"] matches "Dataease"Description
Dataease has a built-in account demo/dataease, and many developers forget to delete or change the account password.
As a result, many Dataease can log in with this built-in account.
Dataease - Login Panel
Author: DhiyaneshDKAdded: Dec 5, 2023
runzero-match
service["http.body"] matches "(?i)dataease"Description
Dataease Login Panel is discovered
Datagerry - Default Login
Author: gy741Added: Sep 30, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datagerry"})Description
Datagerry was using default username and password was discovered.
Datagerry Panel - Detect
Author: s4e-ioAdded: Feb 1, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datagerry"})Description
Datagerry panel was discovered.
Dataiku - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dataiku"})Description
Dataiku contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. This vulnerability may also lead to server-side request forgery and/or remote code execution.
Dataiku Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dataiku"})Description
Dataiku panel was detected.
Datart v1.0.0-rc.3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Datart"})Description
Datart v1.0.0-rc.3 contains a vulnerability that allows remote attackers to execute arbitrary code via INIT connection parameters.
Davantis Video Analytics Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Davantis"})Description
Davantis Video Analytics panel was detected.
DaybydayCRM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)daybyday"})Description
DaybydayCRM login panel was detected.
DbGate - Remote Code Execution via Anonymous JWT
runzero-match
any(each(service["html.titles"]), {# matches "DbGate"})Description
DbGate contains a remote code execution vulnerability exploitable by unauthenticated attackers. The /auth/login endpoint issues anonymous JWT tokens without credentials, and the /runners/start endpoint accepts JavaScript payloads that execute via Node.js child_process, allowing arbitrary command execution on the server.
Impact
An unauthenticated attacker can execute arbitrary system commands on the server with the privileges of the DbGate process, leading to full server compromise, data exfiltration from connected databases, lateral movement, and deployment of backdoors or ransomware.
Remediation
Update DbGate to the latest patched version.
DbGate Web Client - Unauthenticated Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1198579728"Description
DbGate Web Client Management is suspectible to an unauthenticated remote code execution vulnerability.
DbGate Web Client Management - Panel Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1198579728"Description
The DbGate Web Client Management Panel is detected on the target system.
Debug Endpoint pprof - Exposure Detection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kubernetes web view"})Description
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
Impact
An attacker can exploit this vulnerability to gather sensitive information, potentially leading to further attacks.
Remediation
Disable or restrict access to the Debug Endpoint pprof to prevent unauthorized access.
Dede CMS - SQL Injection
runzero-match
service["http.body"] matches "(?i)DedeCms"Description
Dede CMS contains a SQL injection vulnerability which allows remote unauthenticated users to inject arbitrary SQL statements via the ajax_membergroup.php endpoint and the membergroup parameter.
DedeCMS - Open Redirect
runzero-match
service["http.body"] matches "power by dedecms\" \\|\\| title:\"dedecms"Description
DedeCMS contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
DedeCMS - Open Redirect via download.php
runzero-match
any(each(service["html.titles"]), {# matches "DedeCMS"})Description
Dedecms 5.71sp1 and earlier contain a URL redirect caused by a logic error that does not properly validate GET request input, letting attackers redirect users to arbitrary URLs, exploit requires sending crafted GET requests.
Impact
Attackers can redirect users to malicious sites, potentially leading to phishing or malware distribution.
Remediation
Update to the latest version of Dedecms or apply security patches addressing URL redirect issues.
DedeCMS 5.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)dedecms" || service["http.body"] matches "(?i)power by dedecms\" \\|\\| title:\"dedecms" || any(each(service["html.titles"]), {# matches "(?i)dedecms\" \\|\\| http\\.html:\"power by dedecms"})Description
DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest security patch or upgrade to a newer version of DedeCMS to mitigate the SQL Injection vulnerability.
DedeCMS 5.7.109 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "DedeCms"Description
Manipulation of the rssurl parameter in co_do.php leads to server-side request forgery in DedeCMS version 5.7.109.
Impact
Successful exploitation could lead to sensitive data exposure, server-side request forgery, and potential server compromise.
Remediation
Apply the vendor-supplied patch or update to a non-vulnerable version of DedeCMS.
DedeCMS 5.7.87 - Directory Traversal
runzero-match
service["http.body"] matches "(?i)dedecms" || service["http.body"] matches "(?i)power by dedecms\" \\|\\| title:\"dedecms" || any(each(service["html.titles"]), {# matches "(?i)dedecms\" \\|\\| http\\.html:\"power by dedecms"})Description
Directory traversal vulnerability in DedeCMS 5.7.87 allows reading sensitive files via the $activepath parameter.
Impact
Unauthenticated attackers can exploit directory traversal through the activepath parameter in select_templets.php to read sensitive DedeCMS configuration files and source code.
Remediation
Update DedeCMS to a version newer than 5.7.87 that properly validates and sanitizes the activepath parameter in select_templets.php.
DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution
runzero-match
service["http.body"] matches "(?i)dedecms" || service["http.body"] matches "(?i)power by dedecms\" \\|\\| title:\"dedecms" || any(each(service["html.titles"]), {# matches "(?i)dedecms\" \\|\\| http\\.html:\"power by dedecms"})Description
DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
Impact
Successful exploitation of these vulnerabilities can lead to unauthorized actions performed on behalf of the user and execution of arbitrary code.
Remediation
Apply the latest security patches and update to a newer version of DedeCMS.
Deep Sea Electronics DSE 855 Generator Controller - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "DSE 855"})Description
Deep Sea Electronics DSE 855 is a generator/mains automatic transfer switch (ATS) controller
with a built-in HTTP web server for remote monitoring and configuration of generator control systems.
The interface is commonly exposed on port 8090 and requires no authentication by default.
DefectDojo Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)DefectDojo Logo"Description
DefectDojo login panel was detected.
Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/defender-security/"Description
The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.
Impact
Unauthenticated attackers can bypass hidden login page protection through auth_redirect WordPress function to access the login page despite protection mechanisms.
Remediation
Fixed in 4.1.0
Dell BMC Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dell Remote Management Controller"})Description
Dell BMC web panel was detected.
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AVAMAR"})Description
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
Impact
Unauthenticated attackers can read or modify Local Download Service credentials, impersonate the service when accessing Dell EMC Online Support, or prevent legitimate connections by corrupting the configuration.
Remediation
Upgrade to a patched version of Dell EMC Avamar or apply vendor-provided security updates.
Dell EMC RecoverPoint Panel - Detect
Author: rxeriumAdded: Feb 18, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "-742276344"Description
Dell EMC RecoverPoint management panel was detected.
Dell IDRAC Panel - Detect
runzero-match
service["http.body"] matches "(?i)thisIDRACText"Description
Dell IDRAC panel was detected.
Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Remote Code Execution
runzero-match
service["http.body"] matches "K1000 Logo"Description
service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter.
Impact
Unauthenticated attackers can execute arbitrary system commands via shell metacharacters, leading to complete server compromise and access to all managed systems.
Remediation
Upgrade to KACE K1000 version 6.4 SP3 (6.4.120822) or later.
Dell Laser Printer - Unauthenticated Detect
Author: pussycat0xAdded: Sep 18, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Laser Printer"})Description
The Dell Laser Printer web interface was accessible without authentication.
Dell OpenManage Switch Administrator Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Dell OpenManage Switch Administrator"Description
Dell OpenManage Switch Administrator login panel was detected.
Dell Remote Web Access Panel - Detect
Author: pussycat0xAdded: Sep 17, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dell Remote web"})Description
Dell Remote Web Access is a secure web portal that enables remote access to files, applications, and desktops hosted on Dell servers.
Dell UnityVSA < 5.5 - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Unisphere"})Description
Dell Unity, version(s) 5.5 and prior, contains an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability.
Impact
An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.
Remediation
Update to the latest version beyond 5.5.
Dell iDRAC6/7/8 Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Integrated (?:Dell )?Remote Access Controller"})Description
Dell iDRAC6/7/8 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
Delmia Apriso - Pre-Authentication Unsafe .NET Object Deserialization
runzero-match
service["http.body"] matches "(?i)/apriso/"Description
An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to pre-authentication remote code execution.
Impact
Attackers can exploit unsafe .NET object deserialization to achieve pre-authentication remote code execution.
Remediation
Update DELMIA Apriso to a version that addresses the unsafe deserialization vulnerability.
Delta Controls Admin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Delta Controls ORCAview"Description
Delta Controls admin login panel was detected.
Deluge - Default Login
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Deluge"})Description
Deluge Default login credentials were discovered.
Deluge WebUI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)deluge webui"})Description
Deluge WebUI login panel was detected.
Dependency-Track Login - Panel
Author: Th3l0newolfAdded: Apr 10, 2025
runzero-match
service["http.body"] matches "(?i)Dependency-Track"Description
Dependency Track login panel was discovered.
Dericam Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dericam"})Description
Dericam login panel was detected.
Desktop Portal VMware Horizon DaaS Trade Platform
Author: DhiyaneshDKAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)horizon daas"})DevDojo Voyager - Default login
Author: iamnoooob,rootxharsh,pdresearchAdded: Feb 5, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Voyager"})Description
DevDojo Voyager contains default credentials when run with dummy data. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
DevDojo Voyager <=1.8.0 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Voyager"})Description
DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.
Impact
Authenticated attackers can exploit path traversal to read arbitrary files from the server, potentially exposing sensitive configuration files, credentials, and application source code.
Remediation
Update DevDojo Voyager to version 1.8.1 or later to address the path traversal vulnerability.
Device42 Panel - Detect
Author: righettodAdded: May 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)device42"})Description
Device42 was detected — a Discovery, Asset Management and Dependency Mapping for Data Center and Cloud.
Devika - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Devika AI"})Description
A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshot_path' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with a malicious 'snapshot_path' parameter, leading to arbitrary file read from the system. This issue impacts the security of the application by allowing unauthorized access to sensitive files on the server.
Impact
Successful exploitation could lead to unauthorized access to sensitive files and data.
Remediation
Ensure input validation is implemented to prevent malicious file inclusions and use whitelists for allowed file paths.
Devika v1 - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-1429839495"Description
The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
Impact
Unauthenticated attackers can exploit path traversal to access sensitive files on the server.
Remediation
Update Devika to a version later than v1 that patches the path traversal vulnerability.
Devtron Panel Login Panel - Detect
Author: johnk3rAdded: Apr 10, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Devtron"})Description
Devtron Panel login panel was detected.
Dex Authentication - Panel
runzero-match
service["http.body"] matches "(?i)Log in to dex"Dialogic XMS Admin Console - Default Login
Author: ritikchaddhaAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Dialogic XMS Admin Console"})Description
Dialogic XMS Admin Console was using default credentials and it was discovered.
Dialogic XMS Admin Console - Detect
Author: ritikchaddhaAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dialogic XMS Admin Console"})Diced Zipline - Detect
Author: icarotAdded: Aug 10, 2025
runzero-match
service["http.body"] matches "(?i)Zipline"Description
Zipline panel was detected.
Dify - User Enumeration via "Account not found" Message
runzero-match
service["favicon.ico.image.mmh3"] == "97378986"Description
A user enumeration vulnerability exists in langgenius/dify, where the login API leaks information about whether a user account exists or not. When an invalid/non-existent email is used during login, the API returns a distinct error message such as "account_not_found" or "Account not found.", allowing attackers to identify valid accounts.
Impact
Attackers can enumerate valid user accounts through distinct error messages returned by the login API, facilitating targeted credential stuffing and phishing attacks against Dify installations.
Remediation
Upgrade to the patched version of Dify that implements generic error messages for authentication failures.
Dify v1.6.0 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Dify"})Description
Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remote_files.RemoteFileUploadApi, letting attackers make arbitrary requests from the server, exploit requires network access.
Impact
Attackers can make arbitrary requests from the server, potentially accessing internal resources or sensitive data.
Remediation
Update to the latest version.
Dify v1.9.1 - Broken Access Control
runzero-match
service["favicon.ico.image.mmh3"] == "-1483370344" || service["favicon.ico.image.mmh3"] == "-791570210"Description
Dify v1.9.1 contains an insecure permissions vulnerability caused by lack of authorization checks in /console/api/system-features endpoint, letting unauthenticated attackers access sensitive system configuration data.
Impact
Unauthenticated attackers can access sensitive system configuration data, potentially leading to information disclosure.
Remediation
Update to the latest version of Dify.
Digi International Router - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Digi Router"})Description
Digi International cellular routers expose a web management interface used in industrial IoT and remote connectivity applications.
Digital Watchdog - Default Login
Author: omranisecurityAdded: May 27, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "868509217"Description
Digital Watchdog default login credentials were discovered.
Digital Watchdog - Detect
Author: ritikchaddhaAdded: May 28, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "868509217"Description
Digital Watchdog panel was detected.
Digital Watchdog DW Spectrum Server 4.2.0.32842 - Information Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "868509217"Description
Digital Watchdog DW Spectrum Server 4.2.0.32842 allows attackers to access sensitive infromation via a crafted API call.
Impact
Unauthenticated attackers can access sensitive system information including network configuration, remote addresses, and cloud host details through the moduleInformation API endpoint, potentially facilitating further attacks.
Remediation
Update Digital Watchdog DW Spectrum Server to a version newer than 4.2.0.32842 that requires authentication for the moduleInformation API endpoint.
DirectAdmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)directadmin login"})Description
DirectAdmin login panel was detected.
Directum Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Directum"})Description
Directum login panel was detected.
Discuz Panel - Detection
Author: ritikchaddhaAdded: Aug 7, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Discuz!"})Ditty < 3.1.58 - Server-Side Request Forgery
Author: s4e-ioAdded: Sep 8, 2025
runzero-match
service["http.body"] matches "/wp-content/plugins/ditty-news-ticker/"Description
The plugin lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. v3.1.57 attempted to fix the issue with a nonce check, however any authenticated users, such as subscriber can retrieve it.
Impact
Unauthenticated attackers can force the server to make requests to arbitrary URLs through the displayItems endpoint, potentially accessing internal services and exposing sensitive data.
Remediation
Upgrade Ditty WordPress plugin to version 3.1.58 or later that implements proper authorization checks on the displayItems endpoint.
Django - Open Redirect
runzero-match
service["product"] matches "(?i)djangoproject.django"Description
Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks or the exploitation of other vulnerabilities.
Remediation
Upgrade to the latest version of Django or apply the relevant patch provided by the Django project.
Django QuerySet.order_by - SQL Injection
runzero-match
service["product"] contains 'Django'Description
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 contain a SQL injection caused by untrusted input in QuerySet.order_by. Attackers can execute arbitrary SQL commands if they control order_by input parameters.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
Remediation
Update to Django 3.1.13 or 3.2.5 or later versions.
Django RasterField - SQL Injection
runzero-match
service["product"] contains "Django Project:Django"Description
Django < 6.0.2, < 5.2.11, and < 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField on PostGIS, letting remote attackers inject SQL, exploit requires crafted input.
Impact
Remote attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
Remediation
Upgrade to versions 6.0.2, 5.2.11, 4.2.28 or later.
Django SQL Injection
runzero-match
service["product"] contains "Django Project:Django"Description
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to the latest version.
Dkron - Unauthenticated Remote Command Execution
Author: icarotAdded: Sep 2, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Dkron"})Description
An exposed Dkron server, a distributed and fault-tolerant job scheduling system for cloud-native environments, was found vulnerable to unauthenticated remote command execution (RCE).This flaw allowed attackers to execute arbitrary commands on the host without authentication.
Docassemble - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)docassemble"})Description
Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.
Impact
Unauthenticated attackers can read arbitrary files on the server through URL manipulation in the Docassemble interview endpoint.
Remediation
Update Docassemble to version 1.4.97 or later.
Doccano - Default Login
Author: 0x_AkokoAdded: Mar 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)doccano"})Description
Detected the Doccano data labeling platform was using default administrator credentials (admin:password). An attacker could have gained full administrative access.
Docebo eLearning Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Docebo E-learning"})Description
Docebo eLearning login panel was detected.
Dockge Panel - Detect
Author: rxeriumAdded: Feb 3, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dockge"})Description
A fancy, easy-to-use and reactive self-hosted docker compose.yaml stack-oriented manager
DocsGPT - Unauthenticated Remote Code Execution
Author: iamnoooob,rootxharsh,pdresearchAdded: Feb 25, 2025
runzero-match
service["http.body"] matches "Welcome to DocsGPT"Description
A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an unauthorized attacker could send arbitrary Python code to be executed via /api/remote endpoint.This issue affects DocsGPT- from 0.8.1 through 0.12.0.
Impact
Unauthenticated attackers can execute arbitrary Python code remotely on DocsGPT servers through improper eval() usage, leading to complete system compromise and potential access to all indexed documents and API keys.
Remediation
Upgrade to DocsGPT version 0.12.1 or later that addresses the eval() vulnerability.
DocuWare - Detect
Author: righettodAdded: Sep 26, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Docuware"})Description
DocuWare panel was detected.
Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
runzero-match
service["http.body"] matches "(?i)Docusaurus"Description
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.
Impact
A GitHub personal access token exposure vulnerability can grant an attacker unauthorized access to your repositories and organization resources, potentially leading to data exfiltration, code injection, and supply chain attacks.
Remediation
Update docusaurus-plugin-content-gists to version 4.0.0+. Revoke access to the GitHub PAT that was used: https://github.com/settings/tokens.
Dokploy Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dokploy"})Description
Dokploy login panel was detected.
Dokuwiki Login Panel - Detect
Author: righettodAdded: Feb 14, 2024
runzero-match
service["http.body"] matches "(?i)/dokuwiki/"Description
Dokuwiki login panel was detected.
Dolibarr Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dolibarr"})Description
Dolibarr login panel was detected.
Dolibarr Unauthenticated Contacts Database Theft
runzero-match
service["favicon.ico.image.mmh3"] == "440258421"Description
An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.
Impact
The attacker can access and steal sensitive information from the contacts database, potentially leading to data breaches and privacy violations.
Remediation
Apply the latest security patch or upgrade to a patched version of Dolibarr to mitigate the vulnerability.
Doris Panel - Detect
Author: ritikchaddhaAdded: Jan 22, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "24048806"Description
Doris panel detection template.
DotCMS < 5.0.2 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "dotCMS"})Description
dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Upgrade to a version of DotCMS that is higher than 5.0.2 to mitigate the open redirect vulnerability.
DotNetNuke (DNN) ImageHandler <9.2.0 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)dotnetnuke"Description
DotNetNuke (aka DNN) before 9.2.0 suffers from a server-side request forgery vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
Impact
An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.
Remediation
Upgrade DotNetNuke (DNN) ImageHandler to version 9.2.0 or above.
Dotclear Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dotclear"})Description
Dotclear admin login panel was detected.
Download Monitor <= 4.7.60 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/download-monitor/"Description
The Download Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including email, role, id and other info (not passwords)
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks or unauthorized access.
Remediation
Update to the latest version of the Download Monitor plugin (4.7.60) or apply the provided patch to fix the vulnerability.
Dradis Professional Edition Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dradis Professional Edition"})Description
Dradis Professional Edition login panel was detected.
DragonFly Login - Panel
Author: DhiyaneshDKAdded: Sep 24, 2024
runzero-match
service["http.body"] matches "(?i)logo-dragonfly\\.png"Description
Dragonfly Login Panel was discovered
Dragonfly - Default Login
Author: DhiyaneshDKAdded: Sep 24, 2024
runzero-match
service["http.body"] matches "(?i)logo-dragonfly\\.png"Description
Dragonfly was using the default username, and the password was discovered.
Drawio <18.1.2 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "flowchart maker"})Description
Drawio before 18.1.2 is susceptible to server-side request forgery via the /service endpoint in jgraph/drawio. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources or services.
Remediation
Upgrade Drawio to version 18.1.2 or later to mitigate the SSRF vulnerability.
DrayTek - Remote Code Execution
runzero-match
asset["hw_vendor"] == "DrayTek"Description
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected router, leading to complete compromise of the device and potential unauthorized access to the network.
Remediation
This issue has been fixed in Vigor3900/2960/300B v1.5.1.
DrayTek Vigor - Command Injection
runzero-match
service["http.body"] contains `"excanvas.js" && "lang == \"zh-cn\"" && "detectLang" && server=="DWS"`Description
DrayTek Vigor devices contain a command injection vulnerability in the cvmcfgupload functionality. The vulnerability allows remote attackers to execute arbitrary commands through specially crafted requests to the /cgi-bin/mainfunction.cgi/cvmcfgupload endpoint.
Impact
Unauthenticated attackers can execute arbitrary system commands on DrayTek Vigor devices via the cvmcfgupload endpoint, leading to complete device compromise and potential network infiltration.
Remediation
Update the firmware to the latest version provided by DrayTek. If no update is available, consider implementing network segmentation to restrict access to the device's management interface.
DrayTek Vigor - Command Injection
runzero-match
service["http.head.server"] matches "(?i)DWS"Description
DrayTek Gateway devices (Vigor2960, Vigor300B, etc.) are vulnerable to command injection via the session parameter in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint. An attacker can inject arbitrary commands and retrieve their output.
Impact
Unauthenticated attackers can inject arbitrary system commands through the session parameter in the apmcfgupload endpoint to execute commands on DrayTek routers, enabling complete device compromise and network infiltration.
Remediation
Update the firmware to the latest version provided by DrayTek. If no update is available, consider implementing network segmentation to restrict access to the device's management interface.
Draytek VigorConnect 1.6.0-B - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)vigorconnect"Description
Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in Draytek VigorConnect 1.6.0-B.
Draytek VigorConnect 6.0-B3 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)vigorconnect"Description
Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, potential data leakage, and further compromise of the affected system.
Remediation
Apply the latest security patches or updates provided by Draytek to fix the LFI vulnerability in VigorConnect 6.0-B3.
Drone CI Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1354079303"Description
Drone CI login panel was detected.
Drupal - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)drupal"}) || service["favicon.ico.image.md5"] matches `(?i)^(b6341dfc213100c61db4fb8775878cec|cf2445dcb53a031c02f9b57e2199bc03)`Description
Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Drupal site.
Remediation
Apply the official security patch provided by Drupal to fix the deserialization vulnerability.
Drupal Core - Anonymous SQL Injection via PostgreSQL Entity Query
runzero-match
service["http.body"] matches `Drupal\s+(\d{1,2})(?:\s+\(https?:\/\/(?:www\.)?drupal\.org\))?`Description
Drupal core from 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10 contains an SQL injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or full database compromise.
Remediation
Upgrade to versions 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10 or later.
Duomi CMS - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DuomiCMS"})Description
Duomi CMS contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Dynatrace Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1828614783"Description
Dynatrace login panel was detected.
DzzOffice Installation Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1961736892"Description
DzzOffice installation panel was detected.
DzzOffice Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1961736892"Description
DzzOffice login panel was detected.
E-mobile Panel - Detect
runzero-match
service["http.body"] matches "(?i)E-Mobile "Description
E-mobile panel was detected.
ECTouch v2 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "127711143"Description
ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.
Impact
Unauthenticated attackers can exploit SQL injection through the $arr['id'] parameter to extract database contents, potentially stealing customer data, order information, and payment details from the ECTouch e-commerce system.
Remediation
Update ECTouch to a version newer than 2.0 that uses parameterized queries or prepared statements for the id parameter in default/helpers/insert.php.
EMQX Login Panel - Detect
Author: righettodAdded: Mar 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EMQX Dashboard"})Description
EMQX login panel was detected.
EOS HTTP Browser
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EOS HTTP Browser"})ERPNext - Default Login
Author: 0x_AkokoAdded: Nov 14, 2025
runzero-match
service["http.body"] matches "(?i)Login to Frappe"Description
Detects ERPNext installations that use the default Administrator/admin login credentials. This misconfiguration grants attackers full administrative access to the system.
ESPHome - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ESPHome"})Description
ESPHome 2025.8.0 contains an authentication bypass caused by improper validation of base64-encoded Authorization values in the web_server component, letting attackers access functionality without valid credentials, exploit requires crafted Authorization header.
Impact
Attackers can bypass authentication to access web server functions, including OTA updates, potentially compromising device control.
Remediation
Upgrade to version 2025.8.1 or later.
ESPHome Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - esphome"})Description
ESPHome login panel was detected.
ESXi System Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)esxuiapp"Description
ESXi System login panel was detected.
ETQ Reliance - Authentication Bypass via Trailing Space
runzero-match
service["http.body"] matches "(?i)ETQ Reliance"Description
An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login page to obtain elevated access. Once authenticated, an attacker could achieve remote code execution by modifying Jython scripts within the application. This issue was resolved by introducing stricter validation logic to exclude internal accounts from public authentication workflows in version MP-4583.
Impact
Successful exploitation allows unauthenticated attackers to bypass authentication and gain elevated SYSTEM access, potentially leading to remote code execution.
Remediation
Apply the vendor patch to version MP-4583 or later, which includes stricter validation logic to exclude internal accounts from public authentication workflows.
ETQ Reliance - Reflected XSS via SQLConverterServlet
runzero-match
service["http.body"] matches "(?i)ETQ Reliance"Description
A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the SQLConverterServlet component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1.
Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated user's browser session, potentially leading to session hijacking or unauthorized actions.
Remediation
Upgrade to ETQ Reliance version SE.2025.1 or later where the SQLConverterServlet has been disabled.
EVSE Web Interface Panel - Detection
Author: ritikchaddhaAdded: Aug 11, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)evse web interface"})EVlink City < R8 V3.4.0.1 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)evse web interface"})Description
A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges.
Impact
Unauthenticated attackers can bypass authentication via hardcoded credentials and issue unauthorized administrative commands to the charging station web server, potentially disrupting charging operations or stealing sensitive data.
Remediation
Upgrade to EVlink City R8 V3.4.0.1 or later to fix the authentication bypass vulnerability.
EVlink Local Controller - Detection
Author: ritikchaddhaAdded: Aug 11, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EVlink Local Controller"})EWM Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EWM Manager"})Description
EWM Manager login panel was detected.
EWWW Image Optimizer <= 7.2.0 - Unauthenticated Information Disclosure
Author: Shivam KambojAdded: Feb 17, 2026
runzero-match
service["http.body"] contains "ewww_image_optimizer" && service["http.body"] contains "__construct()"Description
The EWWW Image Optimizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.0 via the debug_log function. This makes it possible for unauthenticated attackers to extract sensitive debug data when debug logging is enabled.
Impact
Attackers can access sensitive embedded data, potentially leading to information disclosure and further exploitation.
Remediation
Remove debug information and update to the latest version of EWWW Image Optimizer.
Eagle For Apache Kakfa Login - Detect
Author: irshad ahamedAdded: Jul 4, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1693580324"Description
EFAK is a visualization and management software that allows one to query, visualize, alert on, and explore their metrics wherever they were stored.
Easy Diffusion Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Easy Diffusion"})Description
Easy Diffusion (formerly Stable Diffusion UI) was detected. Easy Diffusion is a one-click, self-hosted Stable Diffusion web application focused on accessibility and ease of use for AI image generation. Exposed instances allow unauthenticated access to image generation capabilities and stored outputs.
EasyCVR video management - Users Information Exposure
Author: pussycat0xAdded: Jun 5, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EasyCVR"})Description
EasyCVR video management platform has leaked user information
EasyJOB Login Panel - Detect
Author: righettodAdded: Feb 7, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Log in - easyJOB"})Description
EasyJOB login panel was detected.
EasyReport - Default Login
runzero-match
service["http.body"] matches "(?i)EasyReport-A Sample and Easy to Use Web Reporting System"EasyVista Login Panel - Detect
Author: righettodAdded: May 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Easyvista"})Description
EasyVista login panel was detected.
Echelon i.LON SmartServer - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "i\\.LON SmartServer"})Description
Echelon (now Adesto/Dialog Semiconductor) i.LON SmartServer is a LonWorks/IP-852
building automation controller used in HVAC, lighting, and energy management systems.
The embedded web interface is frequently exposed on standard and non-standard ports.
Eclipse BIRT Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Eclipse BIRT Home"})Description
Eclipse BIRT (Business Intelligence Reporting Tool) detected
Eclipse Jetty - Directory Listing Enabled
Author: ritikchaddhaAdded: Dec 19, 2025
runzero-match
service["http.head.server"] matches "Jetty"Description
Eclipse Jetty server has directory listing enabled, which exposes the directory structure and file names to unauthenticated users. This can reveal sensitive files, backup files, configuration files, and aid attackers in reconnaissance.
Impact
Attackers can enumerate files and directories, discover hidden resources, backup files, configuration files, and potentially sensitive data that should not be publicly accessible.
Remediation
Disable directory listing by setting dirAllowed to false in the DefaultServlet configuration or by setting allowDirectoryListing to false in WebAppContext. Add index files (index.html) to directories that should not list contents.
Eclipse Theia IDE Panel - Detect
Author: 0x_AkokoAdded: Jan 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Theia IDE"})Description
Detected Eclipse Theia IDE panel was exposed. Theia is an extensible platform for multi-language Cloud and Desktop IDEs. Exposed panels may have allowed unauthenticated access to development environments and terminal.
EcologyOA deleteUserRequestInfoByXml - XML External Entity Injection
runzero-match
service["product"] matches "(?i)泛微.协同办公OA"Description
EcologyOA deleteUserRequestInfoByXml interface has XXE
Edito CMS - Sensitive Data Leak
runzero-match
service["favicon.ico.image.mmh3"] == "1491301339"Description
Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthorized user.
Impact
Unauthenticated attackers can download configuration files containing sensitive credentials from Edito CMS installations.
Remediation
Update Edito CMS to a version later than 3.25 that secures configuration file access.
EfroTech Timetrax v8.3 - Sql Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-661694518"Description
EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.
Impact
Unauthenticated attackers can execute SQL injection attacks to extract or modify sensitive timetrax database information.
Remediation
Update EfroTech Timetrax to a version later than v8.3 that patches the SQL injection vulnerability.
Eko Charger Management Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Charger Management Console"})Description
Eko Charger Management Console login panel was detected.
Eko Software Update Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ekoenergetyka-Polska Sp\\. z o\\.o - CCU3 Software Update for Embedded Systems"})Description
Eko software update panel for embedded systems was detected. An attacker can possibly upload a software image or restart the system.
EkoAPI Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EkoAPI Admin"})Description
EkoAPI Admin panel was detected.
Ektron CMS Blogs xmlrpc.aspx - XML External Entity Injection
runzero-match
service["http.body"] matches "EktronClientManager"Description
Detects XML External Entity (XXE) vulnerability in Ektron CMS Blogs component (/WorkArea/Blogs/xmlrpc.aspx). Allows unauthenticated attackers to read local files or perform SSRF.
Ektron CMS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ektron"Description
Ektron CMS login panel was detected.
ElasticSearch - Default Login
Author: Mohammad Reza Omrani | @omranisecurityAdded: Jul 24, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Elastic"})Description
Elasticsearch default credentials were discovered.
Elasticsearch 5 - Remote Code Execution (Apache Log4j)
runzero-match
service["product"] matches "(?i)elastic.elasticsearch"Description
Elasticsearch 5 is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Elber ESE DVB-S/S2 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Elber Satellite Equipment"})Description
Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user's password within the system.
Impact
This grants them unauthorized administrative access to protected areas of the application, compromising the device's system security.
Remediation
Apply security patches from Elber or restrict access to the password management endpoints to authorized networks only.
Eleanor CMS - Open Redirect
runzero-match
service["http.body"] matches "eleanor"Description
Open redirect vulnerability in go.php in Eleanor CMS allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the QUERY_STRING.
Impact
Attackers can redirect users to malicious sites for phishing attacks, malware distribution, or credential theft.
Remediation
Update to the latest version of Eleanor CMS to fix the open redirect vulnerability.
Electrolink FM/DAB/TV Transmitter - Credentials Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Electrolink"})Description
A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext.
Impact
Unauthenticated attackers can access plaintext credentials through the controlloLogin.js file, potentially gaining unauthorized access to Electrolink transmitter management interfaces.
Remediation
Change default credentials and restrict access to the controlloLogin.js file.
Elemiz Network Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Elemiz Network Manager"})Description
Elemiz Network Manager login panel was detected.
Elestio Memos <= v0.24.0 - Server-Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "-1924700661"Description
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
Impact
Unauthenticated attackers can exploit SSRF vulnerabilities to access internal services, bypass network security controls, and potentially retrieve sensitive information from internal systems.
Remediation
Upgrade to Memos version 0.24.1 or later that properly validates and restricts URL access.
Ellucian Ethos Identity CAS - Cross-Site Scripting
runzero-match
service["http.body"] matches "Ellucian Company"Description
A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrading to version 5.10.6 is able to address this issue. It is recommended to upgrade the affected component.
Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via Hash
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/email-subscribers/"Description
Email Subscribers by Icegram Express <= 5.7.20 contains an unauthenticated SQL injection vulnerability via the hash parameter.
Impact
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Remediation
Fixed in 5.7.21
Emby < 4.5.0 - Server Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "emby"})Description
Emby Server before 4.5.0 allows server-side request forgery (SSRF) via the Items/RemoteSearch/Image ImageURL parameter.
Impact
An attacker can exploit this vulnerability to access internal resources, perform port scanning, and potentially pivot to other systems.
Remediation
Apply the latest security patches or upgrade to a patched version of Emby Server.
Emby Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emby"})Description
Emby login panel was detected.
Emby Server - Authentication Bypass
runzero-match
service["product"] contains "Emby:Emby"Description
Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server system which are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.
Impact
Attackers can gain unauthorized administrative access or view user accounts without passwords, risking full control over the server.
Remediation
Update to Emby Server version 4.8.31 or 4.7.12.
Emerson Network Power IntelliSlot Web Card Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Emerson Network Power IntelliSlot Web Card"})Description
Emerson Network Power IntelliSlot Web Card panel was detected.
Emqx Default Admin Login
runzero-match
service["favicon.ico.image.mmh3"] == "-670975485"Description
Emqx default admin credentials were discovered.
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/web/cgi-bin/usbinfo\\.cgi"Description
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier.The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands.The injected commands are executed with root privileges, leading to full system compromise.
Impact
Unauthenticated attackers can inject and execute arbitrary shell commands with root privileges through the path parameter in usbinteract.cgi, achieving complete system compromise.
Remediation
Upgrade EnGenius EnShare Cloud Service to version 1.4.12 or later that properly sanitizes user input in CGI scripts.
Enablix Panel - Detect
Author: DhiyaneshDkAdded: Oct 6, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Enablix"})Description
Enablix panel was detected.
Endpoint Protector Login Panel - Detect
Author: pussycat0xAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Endpoint Protector"})Description
Endpoint Protector - Reporting and Administration Tool login panel was detected.
EnjoyRMIS - SQL Injection
runzero-match
service["http.body"] matches "(?i)CheckSilverlightInstalled"Description
EnjoyRMIS GetOAById has a SQL injection vulnerability, through which an attacker can obtain sensitive database information and even control the server.
Envoy Proxy - Metadata Disclosure
Author: theamanrawatAdded: Jan 20, 2026
runzero-match
service["http.head.xEnvoyPeerMetadata"] != ""Description
Detected misconfigured Envoy proxy instances that disclose sensitive information about the target infrastructure via the "x-envoy-peer-metadata" response header.
EpiServer Find <13.2.7 - Open Redirect
runzero-match
service["product"] matches "(?i)episerver.find"Description
EpiServer Find before 13.2.7 contains an open redirect vulnerability via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Upgrade to EpiServer Find version 13.2.7 or later to fix the open redirect vulnerability.
Episerver 7 - Blind XML External Entity Injection
runzero-match
service["http.body"] matches "episerver"Description
Episerver 7 patch 4 and earlier contains an XML external entity (XXE) caused by processing crafted DTD in XML requests involving util/xmlrpc/Handler.ashx, letting remote attackers read arbitrary files, exploit requires sending malicious XML payloads.
Impact
Remote attackers can read sensitive files from the server, leading to information disclosure.
Remediation
Update to the latest version of Episerver or apply security patches that fix XXE vulnerabilities.
Episerver Login Panel
runzero-match
service["http.body"] matches "(?i)epihash"Description
Episerver login panel was detected.
Error Log Viewer By WP Guru <= 1.0.1.3 - Missing Authorization to Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/error-log-viewer-wp"Description
The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Impact
Unauthenticated attackers can read arbitrary files on the server including sensitive configuration files with database credentials and other sensitive data.
Remediation
Update Error Log Viewer By WP Guru plugin to a version newer than 1.0.1.3.
Erxes <0.23.0 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)erxes"})Description
Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade to Erxes version 0.23.0 or later to mitigate the vulnerability.
Esafenet CDG NetSecConfigAjax - Sql Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)电子文档安全管理系统"})Description
The `state` parameter of the `NetSecConfigAjax` interface of the Yisaitong electronic document security management system does not pre-compile and adequately verify the incoming data, resulting in a SQL injection vulnerability in the interface. Malicious attackers may obtain the server through this vulnerability information or directly obtain server permissions.
Esafenet CDG NoticeAjax - Sql Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)电子文档安全管理系统"})Description
CDGServer3 NoticeAjax Interface Sql Injection.
Eset Protect Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "751911084"Description
Login page for Eset Protect
Eslint Ignore File Exposure
Author: DhiyaneshDkAdded: Dec 10, 2025
runzero-match
service["http.body"] matches "(?i)eslintignore"Description
Eslint Ignore File was exposed.
Espec Web Controller - Panel
Author: darsesAdded: Aug 14, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "529766441" || any(each(service["html.titles"]), {# matches "(?i)Espec Web Controller"})Description
Espec Web Controller panel was discovered.
EspoCRM - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-197006674" || service["http.body"] matches "(?i)Powered by EspoCRM"Description
EspoCRM panel was detected.
Essential Blocks < 4.4.3 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/essential-blocks/"Description
Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.
Impact
An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
Remediation
Upgrade to the latest version of Essential Blocks 4.4.3 to fix this issue.
EuroTel ETL3100 - Default Login
Author: r3Y3r53Added: Oct 17, 2023
runzero-match
service["http.body"] matches "ETL3100"Description
The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.
EventON (Free < 2.2.8, Premium < 4.5.5) - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/eventon-lite/" || service["http.body"] matches "(?i)/wp-content/plugins/eventon/"Description
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorization in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog.
Impact
An attacker could potentially access sensitive email information.
Remediation
Update to the latest version of the EventON WordPress Plugin to mitigate CVE-2024-0235.
EventON <= 2.1 - Missing Authorization
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/eventon/" || service["http.body"] matches "(?i)/wp-content/plugins/eventon-lite/"Description
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
Impact
Unauthenticated users can perform privileged actions, potentially leading to unauthorized access or modification of events.
Remediation
Fixed in version 2.1.2
EventON Lite < 2.1.2 - Arbitrary File Download
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/eventon/" || service["http.body"] matches "(?i)/wp-content/plugins/eventon-lite/"Description
The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors
to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
Impact
Unauthenticated attackers can exploit missing validation in the eventon_ics_download AJAX action to access any post content including unpublished or protected posts through ICS export functionality.
Remediation
Fixed in version 2.1.2
Eventin <= 4.0.26 - Privilege Escalation
runzero-match
service["http.body"] matches "/wp-content/plugins/eventin"Description
The Eventin WordPress plugin before 4.0.27 suffers from an unauthenticated privilege escalation vulnerability. Due to a missing permission check in the a REST API endpoint, unauthenticated attackers can import users with arbitrary roles, including administrator, leading to full site compromise.
Impact
Unauthenticated attackers can import users with arbitrary roles including administrator through a missing permission check in the REST API, leading to full site compromise.
Remediation
Upgrade Eventin WordPress plugin to version 4.0.27 or later that implements proper permission checks on user import endpoints.
Eventum <3.4.0 - Open Redirect
runzero-match
service["favicon.ico.image.mmh3"] == "305412257"Description
Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Upgrade to Eventum version 3.4.0 or later to fix the open redirect vulnerability.
Eventum Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "305412257"Description
Eventum login panel was detected.
Eveo URVE Web Manager - Server-Side Request Forgery
Author: DhiyaneshDkAdded: Jan 16, 2026
runzero-match
service["http.body"] matches "URVE Web Manager"Description
Eveo URVE Web Manager 27.02.2025 contains a server-side request forgery caused by improper validation of URL input in /_internal/redirect.php, letting attackers make requests to internal endpoints, exploit requires crafted URL input.
Impact
Attackers can make requests to internal-only accessible endpoints, potentially exposing sensitive internal services or data.
Remediation
Update to the latest version with SSRF protections or apply input validation to restrict URL requests.
Evertz SDVN 3080ipx-10G - Unauthenticated Arbitrary Command Injection
runzero-match
service["http.body"] matches "(?i)evertz\\.min\\.css"Description
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among other features. The application has been developed in PHP with the webEASY SDK, also named ‘ewb’ by Evertz.This web interface has two endpoints that are vulnerable to arbitrary command injection and the authentication mechanism has a flaw leading to authentication bypass.Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices.This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others.
Impact
Unauthenticated attackers can bypass authentication and execute arbitrary commands with root privileges, potentially disrupting media streaming or manipulating content.
Remediation
Apply the security patch from Evertz or restrict network access to the web management interface to trusted administrators only.
Evidently AI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Evidently"})Description
Evidently AI is an ML/LLM observability platform for monitoring data drift and model performance.
ExaGrid Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)exagrid manager"})Description
ExaGrid Manager login panel was detected.
Exchange Server - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1768726119" || any(each(service["html.titles"]), {# matches "(?i)outlook"}) || any(each(service["html.titles"]), {# matches "(?i)outlook exchange"})Description
Microsoft Exchange Server is vulnerable to a remote code execution vulnerability. This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Exchange Server, potentially leading to a complete compromise of the system.
Remediation
Apply Microsoft Exchange Server 2019 Cumulative Update 9 or upgrade to the latest version.
Exolis Engage Panel - Detect
runzero-match
service["http.body"] matches "(?i)engage - Portail soignant"Description
Exolis Engage panel was detected.
Export WP Page to Static HTML <= 4.3.4 - Cookie Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/export-wp-page-to-static-html/"Description
Export WP Page to Static HTML & PDF WordPress plugin <= 4.3.4 contains a sensitive information exposure caused by publicly exposed cookies.txt files with authentication cookies, letting unauthenticated attackers access sensitive authentication data, exploit requires site administrator to trigger backup with specific user role.
Impact
Unauthenticated attackers can access authentication cookies, potentially leading to account compromise or unauthorized access.
Remediation
Update to the latest version beyond 4.3.4.
Exposed MCP JSON-RPC 2.0 API Detection
Author: ivan_wallarmAdded: May 10, 2025
runzero-match
any(each(service["html.bodies"]), {# matches "(?i)get requires an active session"})Description
Detects exposed Machine Control Protocol (MCP) servers through JSON-RPC 2.0 API endpoints.
MCP servers often provide administrative access to AI tools, LLM systems, or other automation infrastructure.
Exposed MCP interfaces can lead to unauthorized access, information disclosure, and potential system compromise.
This template tests multiple detection methods including tools/list, rpc.discover, resources/list, and prompts/list.
Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/extensive-vc-addon/"Description
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
Impact
Unauthenticated attackers can exploit parameter validation flaws in the template loading mechanism to read arbitrary files including wp-config.php and escalate to remote code execution using PHP filter chains.
Remediation
Fixed in 1.9.1
Extreme NetConfig UI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Extreme NetConfig UI"})Description
Extreme NetConfig UI panel was detected.
EyesOfNetwork - Hardcoded API Key
runzero-match
service["http.body"] matches "(?i)EyesOfNetwork"Description
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
Impact
Successful exploitation allows an attacker to create administrative users and gain unauthorized access to the EyesOfNetwork management system.
Remediation
Upgrade to a newer version of EyesOfNetwork or change the default hardcoded API key in the configuration.
EyesOfNetwork - Hardcoded API Key & SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EyesOfNetwork"})Description
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
Impact
Unauthenticated attackers can bypass authentication via SQL injection and gain access to the EyesOfNetwork monitoring system and all monitored infrastructure data.
Remediation
Apply security patches or update to the latest version of EyesOfNetwork.
EyouCMS 1.5.4 Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "eyoucms"})Description
EyouCMS 1.5.4 is vulnerable to an Open Redirect vulnerability. An attacker can redirect a user to a malicious url via the Logout function.
Impact
Successful exploitation of this vulnerability could lead to phishing attacks, credential theft,.
Remediation
Apply the latest security patch or upgrade to a newer version of EyouCMS to mitigate the vulnerability.
EyouCms v1.6.3 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)eyoucms"})Description
EyouCms v1.6.3 was discovered to contain an information disclosure vulnerability via the component /custom_model_path/recruit.filelist.txt.
Impact
An attacker can exploit this vulnerability to gain sensitive information.
Remediation
Upgrade eYouCMS to a patched version to mitigate CVE-2023-37645.
F-Secure Policy Manager - Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "F-Secure Policy Manager"Description
F-Secure Policy Manager is susceptible to Log4j JNDI remote code execution.
F-Secure Policy Manager Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)f-secure policy manager server"})Description
F-Secure Policy Manager Server login panel was detected.
F-logic DataCube3 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DataCube3"})Description
SQL injection vulnerability in f-logic datacube3 v.1.0 allows a remote attacker to obtain sensitive information via the req_id parameter.
Impact
Attackers can execute arbitrary SQL queries, potentially extracting or modifying sensitive database information.
Remediation
Update F-logic DataCube3 to a version that patches the SQL injection vulnerability.
F5 Admin Interface - Detect
Author: drewvravick,righettodAdded: Jun 3, 2024
runzero-match
service["http.body"] matches "(?i)BIG-IP Configuration Utility"Description
Detects F5 Admin Interfaces.
F5 BIG-IP Appliance Mode - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "big-ip®-\\+redirect\" \\+\"server"})Description
When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
Impact
A successful exploit can allow the attacker to execute remote commands on server using authorization bypass (CVE-2022-1388).
Remediation
Apply security patches from F5 Networks as outlined in K97843387 and ensure Appliance mode restrictions are properly enforced.
F5 BIG-IP TMUI - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)big-ip®-\\+redirect\" \\+\"server"}) || service["http.body"] matches "(?i)big-ip apm"Description
F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the necessary security patches or upgrade to a non-vulnerable version of F5 BIG-IP TMUI.
F5 BIG-IP iControl - REST Auth Bypass RCE
runzero-match
any(each(service["html.titles"]), {# matches "(?i)big-ip®-\\+redirect\" \\+\"server"}) || service["http.body"] matches "(?i)big-ip apm"Description
F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and execute arbitrary code on the affected system.
Remediation
Apply the necessary security patches or updates provided by F5 Networks to mitigate this vulnerability.
F5 BIG-IP iControl REST Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)big-ip®-\\+redirect"})Description
F5 BIG-IP iControl REST API discovered and may be vulnerable to an authentication bypass (not tested).
F5 iControl REST - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)big-ip®-\\+redirect\" \\+\"server"}) || service["http.body"] matches "(?i)big-ip apm"Description
F5 iControl REST interface is susceptible to remote command execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. This affects BIG-IP 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3; and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
Remediation
Apply the necessary security patches or updates provided by F5 Networks to mitigate the vulnerability.
FASTPANEL Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FASTPANEL HOSTING CONTROL"})Description
FASTPANEL login panel was detected.
FOG Project < 1.5.10.34 - Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-1952619005"Description
FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php.
Impact
Unauthenticated attackers can exploit command injection to achieve remote code execution on the FOG server.
Remediation
Update FOG Project to version 1.5.10.34 or later.
FOGProject <= 1.5.10.1673 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1952619005"Description
FOGProject version 1.5.10.1673 suffers from an authentication bypass vulnerability that allows unauthenticated users to access the management interface without proper authentication. This can lead to unauthorized access to system configuration, host management, and potentially database information.
Impact
Unauthenticated attackers can bypass authentication to access the FOGProject management interface and retrieve sensitive system configuration and host management information.
Remediation
Upgrade FOGProject to a version later than 1.5.10.1673 that implements proper authentication on all management endpoints.
FOSSBilling Panel - Detect
Author: ritikchaddhaAdded: Aug 16, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FOSSBilling"})Description
FOSSBilling panel has been detected.
FREEDOM Administration - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FREEDOM Administration"})Description
The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE- the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
Impact
Attackers can gain unauthorized access to building management systems using default credentials, potentially exposing residents' personally identifiable information and controlling access to apartment buildings.
Remediation
Change default credentials immediately to strong, unique passwords as recommended in the manufacturer's security guidelines.
FUEL CMS 1.4.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fuel cms"})Description
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system, leading to complete compromise of the application and potentially the underlying server.
Remediation
Upgrade to FUEL CMS version 1.4.2 or later, which includes a patch for this vulnerability.
FUXA - SCADA/HMI Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)powered by (?:frangoteam|<span><b>frango</b>team</span>)`Description
FUXA is an open-source web-based SCADA/HMI platform built on Node.js.
It supports Modbus, OPC-UA, BACnet, MQTT, and Siemens S7 protocols and
is widely self-hosted for small industrial deployments. Instances are
frequently exposed to the internet without authentication.
FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FUXA"})Description
FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication, exploit requires no special conditions.
Impact
Remote attackers can bypass authentication and gain full administrative access.
Remediation
Update to the latest version that removes hard-coded credentials.
FaceFusion Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "FaceFusion"})Description
FaceFusion panel was detected. FaceFusion is a next-generation face swapper and enhancer.
Falcosidekick UI Login Panel - Detect
Author: righettodAdded: Jul 14, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Falcosidekick"})Description
Falcosidekick UI login panel was detected.
Faraday Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)faradayApp"Description
Faraday login panel was detected.
FastAdmin < V1.3.4.20220530 - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-1036943727"Description
A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.
Impact
Authenticated attackers can exploit path traversal to read sensitive files including database configuration files containing credentials, usernames, passwords, and other critical system information.
Remediation
Update FastAdmin to version 1.3.4.20220530 or later to address the path traversal vulnerability in the lang parameter.
FastChat - Open Redirect
Author: DhiyaneshDKAdded: Jan 20, 2025
runzero-match
service["http.body"] matches "Chatbot Arena"Description
Detects an open redirect vulnerability in lm-sys/fastchat version 0.2.36, which allows attackers to redirect users to malicious URLs.
Impact
Unauthenticated attackers can redirect users to malicious URLs, potentially facilitating phishing attacks or credential harvesting.
Remediation
Update FastChat to a version newer than 0.2.36.
FastGPT Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)FastGPT 是一个"Description
FastGPT is a knowledge-based platform built on the LLM, offering out-of-the-box
data processing and model invocation capabilities.
FastMile 5G Gateway Panel - Detect
runzero-match
service["http.body"] matches "(?i)FastMile 5G Gateway"Description
FastMile 5G Gateway web interface was discovered.
FasterXML Jackson Databind <=2.9.10.4 - Remote Code Execution
runzero-match
service["product"] matches "(?i)fasterxml.jackson.databind"Description
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Impact
Remote attackers can execute arbitrary code during deserialization, potentially leading to full system compromise.
Remediation
Update to version 2.9.10.4 or later.
FasterXML jackson-databind - Deserialization Remote Code Execution
runzero-match
service["product"] matches "(?i)fasterxml.jackson.databind"Description
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). This vulnerability allows attackers to execute arbitrary code through deserialization of untrusted data when polymorphic type handling (@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS) is enabled.
Impact
Successful exploitation could allow an attacker to execute arbitrary code on the affected system through deserialization of malicious JSON payloads.
Remediation
Update FasterXML jackson-databind to version 2.9.10.4 or later. Alternatively, disable polymorphic type handling or implement proper input validation and deserialization controls.
Fastify Swagger-UI - Information Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "-1180440057"Description
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.
Impact
Unauthenticated attackers can access sensitive files in the Fastify Swagger-UI module directory, potentially exposing source code or configuration files.
Remediation
Update @fastify/swagger-ui to version 2.1.0 or later, or configure the baseDir option.
Fastjson Insecure Deserialization - Remote Code Execution
runzero-match
service["product"] matches "(?i)alibaba.fastjson"Description
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
Impact
Successful exploitation allows complete system compromise through remote code execution, enabling attackers to execute arbitrary commands, access sensitive data, and establish persistent backdoors on the target system.
Remediation
Update Fastjson to version 1.2.25 or later which includes security patches for this vulnerability.Disable autotype functionality by setting `fastjson.parser.autoTypeSupport=false`.Implement strict whitelist filtering for `@type` annotations, validate and sanitize all JSON input.Use Web Application Firewalls (WAF) to filter malicious requests, and regularly audit dependencies for known vulnerabilities. Consider migrating to safer JSON parsing libraries like Jackson with secure configurations.
Fastly Backend Server Information Disclosure
runzero-match
service["http.head.xBackendServer"] != ""Description
Detected Fastly CDN misconfigured and exposing backend/origin server IP addresses or hostnames in HTTP response headers.
Feiyuxing Enterprise-Level Management System - Default Login
Author: SleepingBag945Added: Aug 21, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)飞鱼星企业级智能上网行为管理系统"})Description
Attackers can log in through admin:admin, check the system status, and configure the device.
Femtocell Access Point Panel - Detect
Author: DhiyaneshDkAdded: Apr 23, 2024
runzero-match
service["http.body"] matches "(?i)Femtocell Access Point"Description
Femtocell Access Point panel was discovered.
Fides Privacy Center ≤ 2.39.1 - Server-Side URL Disclosure
runzero-match
service["http.body"] matches "(?i)SERVER_SIDE_FIDES_API_URL"Description
Fides versions 2.19.0 to before 2.39.2rc0 contain an information disclosure caused by unauthenticated HTTP GET request to the Privacy Center, letting attackers access the SERVER_SIDE_FIDES_API_URL, which may reveal server configuration details, exploit requires no authentication.
Impact
Attackers can obtain server-side URLs, revealing private IPs, ports, and domain names, potentially aiding further targeted attacks.
Remediation
Update to version 2.39.2rc0 or later.
File Browser Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1052926265"FileCatalyst File Transfer Solution - Detect
Author: DhiyaneshDKAdded: Sep 18, 2024
runzero-match
service["http.body"] matches "(?i)FileCatalyst file transfer solution"Description
Detects the presence of FileCatalyst file transfer solution login panel
FileGator Panel - Detect
Author: ritikchaddhaAdded: Sep 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FileGator"})FileMage Gateway - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)filemage"})Description
Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.
Impact
An attacker can view, modify, or delete sensitive files on the system, potentially leading to unauthorized access, data leakage, or system compromise.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in FileMage Gateway.
Filegator - Default-Login
Author: ritikchaddhaAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "FileGator"})Financial Transaction Manager Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ftm manager" || any(each(service["html.titles"]), {# matches "(?i)ftm manager"})Description
Financial Transaction Manager login panel was detected.
FineCMS <5.0.9 - Open Redirect
runzero-match
service["product"] matches "(?i)finecms"Description
FineCMS 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Upgrade to FineCMS version 5.0.9 or later to fix the open redirect vulnerability.
Fireware XTM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fireware xtm user authentication"})Description
Fireware XTM login panel was detected.
Flahscookie Superadmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flahscookie Superadmin"})Description
Flahscookie Superadmin login panel was detected.
Flarum < 1.8.5 - Open Redirect
runzero-match
service["product"] matches "(?i)Flarum"Description
Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation.
Impact
Unauthenticated attackers can redirect users to malicious phishing sites using the trusted domain of the Flarum installation.
Remediation
Update Flarum to version 1.8.5 or later.
Flatpress < 1.3 - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-1189292869" || service["http.body"] matches "(?i)flatpress"Description
Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3.
Impact
Unauthenticated attackers can exploit path traversal to access and list sensitive directories and files in the FlatPress blogging system, potentially exposing configuration files and user data.
Remediation
Update FlatPress to version 1.3 or later that properly validates directory paths and prevents unauthorized directory listing in fp-content.
FleetCart 4.1.1 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)FleetCart"Description
Issues with information disclosure in redirect responses. Accessing the majority of the website's pages exposes sensitive data, including the "Razorpay" "razorpayKeyId".
Impact
Unauthenticated attackers can access sensitive configuration data including Razorpay payment gateway API keys through information disclosure in redirect responses.
Remediation
Update FleetCart to a version later than 4.1.1 that addresses this information disclosure vulnerability.
FlexNet Operations Panel - Detect
Author: righettodAdded: Jan 26, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FlexNet Login"})Description
FlexNet Operations was detected — a software monetization platform.
FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "FlexPaper"})Description
The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.
Impact
Unauthenticated attackers can execute arbitrary code on the server through the Publish Service, leading to complete server compromise and access to all hosted documents.
Remediation
Upgrade to FlowPaper version 2.3.7 or later, or remove the vulnerable Publish Service.
Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/flexible-checkout-fields/"Description
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored.
Impact
Unauthenticated attackers can arbitrarily update plugin settings and inject stored XSS payloads, potentially taking over the WordPress site or stealing administrator credentials.
Remediation
Fixed in 2.3.2.
Flexnet - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Flexnet"})Description
Flexnet is susceptible to Log4j JNDI remote code execution.
FlightPath - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1560589236" || service["http.body"] matches `(?i)FlightPath\.settings`Description
FlightPath versions prior to 4.8.2 and 5.0-rc2 are vulnerable to local file inclusion.
Impact
This vulnerability can lead to unauthorized access, data leakage, and remote code execution.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
FlightPath Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)flightpath"})Description
FlightPath login panel was detected.
Flock Safety Camera Admin Panel - Detect
Author: inokiiAdded: Dec 25, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flock Admin"})Description
Detected the Flock Safety camera admin panel.
Flowise 1.6.5 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-2051052918"Description
The flowise version <= 1.6.5 is vulnerable to authentication bypass vulnerability.
Impact
Attackers can bypass authentication and gain unauthorized access to the Flowise application and its data.
Remediation
Update Flowise to version 1.6.6 or later.
Flowise < 3.0.1 - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "Flowise"})Description
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
Impact
Successful exploitation allows attackers to execute arbitrary OS commands on the target server, potentially leading to complete system compromise, data theft, and lateral movement within the network.
Remediation
Update Flowise to the latest version that addresses this vulnerability. Implement proper input validation and sanitization for the customMCP endpoint parameters.
Flowise <= 1.8.2 Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-2051052918"Description
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality.
Impact
Unauthenticated attackers can bypass authentication to access administrative API endpoints, gaining unauthorized access to restricted functionality, API keys, and administrative operations.
Remediation
Update Flowise to a version later than 1.8.2 to address the authentication bypass vulnerability.
Flowise <= 3.0.5 - Account Takeover
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flowise - Build AI Agents, Visually"})Description
Flowise versions 3.0.5 and earlier had a vulnerability in the forgot-password endpoint, which returned valid reset tokens without authentication—allowing attackers to reset passwords and take over accounts.
Impact
Unauthenticated attackers can obtain valid password reset tokens without authentication, enabling account takeover of any user including administrators through password reset attacks.
Remediation
Upgrade Flowise to version 3.0.6 or later that properly protects password reset token generation.
Flowise Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flowise - Build AI Agents, Visually"})Description
Flowise panel was detected. Flowise is an open-source drag-and-drop LLM flow builderand AI agent platform. Exposed instances may reveal AI workflow configurations, API keys, and connected data sources.
FlureeDB Admin Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FlureeDB Admin Console"})Description
FlureeDB Admin Console login panel was detected.
Flyte Console <0.52.0 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)flyte.console"Description
FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur.
Impact
An attacker can exploit this vulnerability to perform unauthorized actions, such as accessing internal resources, bypassing security controls, or launching further attacks.
Remediation
The patch for this issue deletes the entire cors_proxy, as this is no longer required for the console. A patch is available in FlyteConsole version 0.52.0, or as a work-around disable FlyteConsole.
FootPrints Service Core Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FootPrints Service Core Login"})Description
FootPrints Service Core login panel was detected.
Forcepoint Appliance
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Forcepoint Appliance"})Forescout CounterACT 6.3.4.1 - Open Redirect
runzero-match
service["product"] matches "(?i)forescout.counteract"Description
Open redirect vulnerability in assets/login on the Forescout CounterACT NAC device before 7.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the 'a' parameter.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Apply the latest security patches or upgrade to a newer version of Forescout CounterACT to fix the open redirect vulnerability.
ForgeRock OpenAM <7.0 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openam"})Description
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages.
The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted
/ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO)
found in versions of Java 8 or earlier.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade ForgeRock OpenAM to version 7.0 or later to mitigate this vulnerability.
Fork CMS - Installer
Author: DhiyaneshDkAdded: Jan 12, 2026
runzero-match
service["http.body"] matches "(?i)Install Fork CMS"Description
Fork CMS installer page was detected.
Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/form-maker/"Description
The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE.
Impact
Unauthenticated attackers can exploit missing signature validation to upload arbitrary files and achieve remote code execution on WordPress installations running vulnerable Form-Maker plugins.
Remediation
Fixed in 1.15.20
FormLift for Infusionsoft Web Forms <= 7.5.17 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/formlift/"Description
The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to SQL Injection via the 'form_id' parameter in versions up to, and including, 7.5.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data disclosure or manipulation.
Remediation
Update to the latest version of FormLift for Infusionsoft Web Forms.
Formcraft3 <3.8.28 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "formcraft3"Description
Formcraft3 before version 3.8.2 does not validate the URL parameter in the formcraft3_get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users.
Impact
An attacker can send crafted requests to the server, potentially leading to unauthorized access to internal resources or network scanning.
Remediation
Upgrade to Formcraft3 version 3.8.28 or later to fix the SSRF vulnerability.
Formidable Forms < 2.05.02 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)formidable" && service["http.body"] matches "wp-content/plugins"Description
Formidable Form Builder for WordPress versions before 2.05.03 contains a stored cross-site scripting caused by insufficient input sanitization and output escaping in form parameters like 'after_html', letting unauthenticated attackers inject and execute arbitrary scripts in victims' browsers
Impact
Attackers can execute arbitrary scripts in users' browsers, potentially leading to session hijacking, defacement, or redirection.
Remediation
Update to version 2.05.03 or later.
FortiADC Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiadc"})Description
FortiADC login panel was detected.
FortiAP Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiap"})Description
FortiAP login panel was detected.
FortiAuthenticator - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1653412201"Description
The FortiAuthenticator panel was detected.
FortiClient EMS - Authentication Bypass
runzero-match
service["product"] contains "Fortinet:FortiClient Endpoint Management Server"Description
Detects whether Fortinet hotfix FG-IR-26-099 for CVE-2026-35616 is missing by comparing behavioral responses from a certificate-authenticated endpoint. The template sends X-SSL-CLIENT-VERIFY: SUCCESS without certificate material and checks whether this spoofed header changes server behavior.
Impact
If spoofing X-SSL-CLIENT-VERIFY changes backend behavior, Apache is likely not stripping the header before Django, indicating the target is still vulnerable.
Remediation
Apply Fortinet hotfix FG-IR-26-099 or upgrade to FortiClient EMS 7.4.7+.
FortiClient Endpoint Management Server Panel - Detect
Author: h4sh5Added: Mar 18, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-800551065"FortiOS - Insecure LDAP Configuration Detection
runzero-match
service["product"] matches "(?i)fortinet.fortios"Description
The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions.
Impact
Unauthenticated attackers can intercept sensitive information by impersonating LDAP servers within the same subnet.
Remediation
Configure LDAP server settings properly and disable default configurations; update to the latest firmware version.
FortiOS Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "945408572" || service["http.body"] matches "(?i)/remote/login"Description
FortiOS admin login panel was detected.
FortiPortal - Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "FortiPortal"Description
FortiPortal is susceptible to Log4j JNDI remote code execution. FortiPortal provides comprehensive security management and analytics within a multi-tenant, multi-tier management framework.
FortiRecorder Panel - Detect
Author: rxeriumAdded: Jun 4, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FortiRecorder"})Description
FortiRecorder Panel was discovered.
FortiWLM - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FortiWLM Login"})Description
A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
Impact
Unauthenticated attackers can exploit path traversal through the imagename parameter in ezrf_lighttpd.cgi to read arbitrary files and potentially execute unauthorized code, compromising the entire Fortinet FortiWLM wireless LAN management system.
Remediation
Update Fortinet FortiWLM to version 8.6.6 or 8.5.5 or later that validates file paths in ezrf_lighttpd.cgi and prevents directory traversal attacks.
FortiWeb - Cross Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiweb - "})Description
FortiWeb 6.3.0 through 6.3.7 and versions before 6.2.4 contain an unauthenticated cross-site scripting vulnerability. Improper neutralization of input during web page generation can allow a remote attacker to inject malicious payload in vulnerable API end-points.
Impact
Successful exploitation of this vulnerability can result in the compromise of sensitive user information, session hijacking.
Remediation
Apply the latest security patches or updates provided by Fortinet to fix the XSS vulnerability in FortiWeb.
Fortinet FortiClientEMS 7.4.4 - SQL Injection
runzero-match
service["product"] contains "Fortinet:FortiClient Endpoint Management Server"Description
Fortinet FortiClientEMS version 7.4.4 and earlier contains an unauthenticated SQL injection vulnerability in the /api/v1/init_consts endpoint. The 'Site' HTTP header value is passed directly into the PostgreSQL search_path without sanitization, allowing remote unauthenticated attackers to inject arbitrary SQL commands. This can lead to information disclosure, database manipulation, or OS command execution when chained with PostgreSQL functions.
Impact
An unauthenticated remote attacker can execute arbitrary SQL queries against the backend PostgreSQL database, potentially extracting sensitive data, modifying database contents, or achieving remote code execution through PostgreSQL-specific functions (e.g., COPY, lo_import, pg_read_file).
Remediation
Upgrade FortiClientEMS to a patched version as recommended by Fortinet. As a workaround, restrict network access to the FortiClientEMS management interface and apply WAF rules to filter malicious Site header values.
Fortinet FortiDDoS Panel
Author: johnk3rAdded: May 26, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiddos"})Description
Fortinet FortiDDoS panel was detected.
Fortinet FortiMail Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortimail"})Description
Fortinet FortiMail login panel was detected.
Fortinet FortiNAC Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortinac"})Description
Fortinet FortiNAC login panel was detected.
Fortinet FortiOS - Credentials Disclosure
runzero-match
service["http.body"] matches "(?i)/remote/login\" \"xxxxxxxx" || service["favicon.ico.image.mmh3"] == "945408572"Description
Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).
Impact
An attacker can obtain sensitive information such as usernames and passwords.
Remediation
Apply the necessary patches or updates provided by Fortinet to fix the vulnerability.
Fortinet FortiOS - Open Redirect/Cross-Site Scripting
runzero-match
service["http.body"] matches "/remote/login\" \"xxxxxxxx"Description
FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft.
Remediation
Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability.
Fortinet FortiOS Management Interface Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "945408572" || service["http.body"] matches "(?i)/remote/login"Description
Fortinet FortiOS Management interface panel was detected.
Fortinet FortiSIEM - OS Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1341442175" and service["http.body"] matches "(?i)var hst = location\\.hostname" and service["protocol"] contains "http" and service["service.transport"] contains "tcp"Description
FortiSIEM versions 6.4.0 through 7.1.1 contain an OS command injection vulnerability in the Phoenix Monitor service. The vulnerability exists in the XML parsing of TEST_STORAGE elements where the mount_point field is not properly sanitized before being passed to shell commands, allowing unauthenticated remote code execution.
Impact
Unauthenticated attackers can execute arbitrary commands on the FortiSIEM system, potentially leading to full system compromise, data exfilteration, lateral movement, and complete bypass of security monitoring capabilities.
Remediation
Update FortiSIEM to versions newer than 7.1.1. Implement network segmentation to restrict access to Phoenix Monitor service (TCP/7900) and monitor for suspicious connections to this port.
Fortinet FortiSIEM - OS Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1341442175" and service["http.body"] matches "(?i)var hst = location\\.hostname" and service["service.transport"] contains "tcp" and service["protocol"] contains "http"Description
Fortinet FortiSIEM 6.7.9 < version <= 7.3.1 contains an OS command injection caused by improper neutralization of special elements in CLI requests, letting unauthenticated attackers execute unauthorized commands remotely.
Impact
Unauthenticated attackers can execute arbitrary commands, potentially leading to full system compromise.
Remediation
Update to the latest version beyond 7.3.1.
Fortinet FortiSandbox Panel - Detect
Author: Umut ÖZEN,rxeriumAdded: Apr 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FortiSandbox"})Description
Fortinet FortiSandbox login panel was discovered.
Fortinet FortiTester Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortitester"})Description
Fortinet FortiTester login panel was detected.
Fortinet FortiWLM Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)fortiwlm" || any(each(service["html.titles"]), {# matches "(?i)fortiwlm"})Description
Fortinet FortiWLM login panel was detected.
Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
runzero-match
any(each(service["html.titles"]), {# matches "FortiWLM"})Description
A improper neutralization of special elements used in an os command ('os
command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
Successful exploitation of this vulnerability could allow an attacker to
bypass authentication and gain unauthorized access to the affected system.
Impact
Unauthenticated attackers can exploit OS command injection to execute unauthorized commands on Fortinet FortiWLM systems, enabling complete system compromise and network infiltration.
Remediation
For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
Fortinet FortiWeb - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FortiWeb - "})Description
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
Impact
An attacker can exploit this vulnerability to execute unauthorized SQL commands, potentially leading to data exposure, data manipulation, or system compromise.
Remediation
Apply the latest security patches provided by Fortinet to fix the SQL injection vulnerability in FortiWeb.
Fortinet FortiWeb Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiweb - "})Description
Fortinet FortiWeb login panel was detected.
Fortinet Forticlient Endpoint Management Server - SQL Injection
runzero-match
service["service.transport"] == "tcp" and service["service.port"] == "8013" and asset["hw_vendor"] matches `(?i)Fortinet`Description
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
Impact
Unauthenticated attackers can execute arbitrary SQL commands through specially crafted network packets to the FortiClient Endpoint Management Server, potentially compromising the database, accessing sensitive endpoint data, and executing unauthorized code.
Remediation
Upgrade FortiClient EMS to version 7.2.3 or later for the 7.2.x series, or version 7.0.11 or later for the 7.0.x series.
Fortinet Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FORTINET LOGIN"})Description
Fortinet login panel was detected.
Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection
runzero-match
service["http.body"] matches "(?i)FileCatalyst file transfer solution, easily transfer large files"Description
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
Impact
Attackers can execute SQL injection to create administrative users, delete or modify application database content. Unauthenticated exploitation is possible if anonymous access is enabled.
Remediation
Update Fortra FileCatalyst Workflow to version 5.1.7 Build 136 or later to address the SQL injection vulnerability.
Fortra GoAnywhere MFT - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1484947000,1828756398,1170495932" || service["favicon.ico.image.mmh3"] == "1484947000" || service["http.body"] matches "(?i)goanywhere managed file transfer"Description
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Impact
Unauthenticated attackers can bypass authentication to create administrator accounts, leading to complete control over the GoAnywhere MFT system and access to all managed file transfers and sensitive data.
Remediation
Upgrade to Fortra GoAnywhere MFT version 7.4.1 or later.
Fortra GoAnywhere MFT - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1484947000"Description
Fortra GoAnywhere MFT is susceptible to remote code execution via unsafe deserialization of an arbitrary attacker-controlled object. This stems from a pre-authentication command injection vulnerability in the License Response Servlet.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
Four-Faith F3x36 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Four-Faith"Description
Four-Faith F3x36 router with firmware v2.0.0 contains an authentication bypass caused by hard-coded credentials in the administrative web server, letting attackers with knowledge of credentials gain administrative access via crafted HTTP requests.
Impact
Attackers can gain unauthorized administrative access, potentially leading to full control over the device.
Remediation
Update to the latest firmware version provided by the vendor to fix hard-coded credential issues.
FoxCMS v.1.2.5 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)foxcms-(logo|container)"Description
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
Impact
Unauthenticated attackers can execute arbitrary code through the id parameter in the index.html component, leading to complete server compromise.
Remediation
Update to the latest version of FOXCMS if available. If no patch is available,implement WAF rules to block malicious requests to the /images/index.html endpoint with suspicious 'id' parameter values.
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Franklin Fueling Systems"Description
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 is susceptible to local file inclusion because of insecure handling of a download function that leads to disclosure of internal files due to path traversal with root privileges.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data.
Remediation
Apply the latest security patch or update provided by Franklin Fueling Systems to fix the LFI vulnerability.
Frappe Framework - Default Login Credentials
Author: DhiyaneshDkAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)Login to Frappe|frappe(?:\.(?:csrf_token|boot)|-web\.bundle)`Description
Frappe Framework (and ERPNext) is accessible using the default credentials Administrator:admin. Successful login exposes full administrative access to the ERP/CRM system and underlying data.
Frappe Helpdesk Login Panel - Detect
Author: righettodAdded: Jan 19, 2025
runzero-match
service["http.body"] matches "(?i)window\\.frappe_version"Description
Frappe Helpdesk products was detected.
Frappe Panel - Detect
Author: Th3l0newolfAdded: May 3, 2025
runzero-match
service["http.body"] matches "(?i)Login to Frappe"Description
Frappe ERPNext Login Panel was discovered.
Free5gc 3.2.1 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)free5gc web console"})Description
Free5gc 3.2.1 is susceptible to information disclosure. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability could result in unauthorized access to sensitive information.
Remediation
Apply the latest patch or upgrade to a patched version of Free5gc 3.2.1 to mitigate the vulnerability.
FreeIPA - XML Entity Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Identity Management\" html:\"FreeIPA"})Description
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server.
Remediation
Apply the latest security patches and updates provided by the vendor to fix the XML Entity Injection vulnerability in FreeIPA.
FreeIPA Identity Management Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)freeipa"Description
FreeIPA Identity Management login panel was detected.
FreePBX - CVE-2025-57819 Backdoor
Author: darsesAdded: Aug 28, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FreePBX"}) || service["favicon.ico.image.mmh3"] == "-1908328911" || service["favicon.ico.image.mmh3"] == "1574423538"Description
FreePBX backdoor cleanup script used in 0-day exploitation of CVE-2025-57819 was detected.
FreePBX - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "1574423538" || any(each(service["html.titles"]), {# matches "(?i)FreePBX"}) || service["favicon.ico.image.mmh3"] == "-1908328911"Description
Detected FreePBX administration panel was using default admin credentials (admin:admin). An attacker could gain full administrative access to the PBX system, manage extensions, trunks, and call routing.
FreePBX Admin Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1574423538" || any(each(service["html.titles"]), {# matches "(?i)FreePBX"}) || service["favicon.ico.image.mmh3"] == "-1908328911"Description
FreePBX admin panel was detected.
FreshRSS Fever API - Exposure
Author: ritikchaddhaAdded: Jan 29, 2026
runzero-match
service["http.body"] matches "(?i)FreshRSS"Description
Detected an exposed FreshRSS instance with the Fever API enabled, which could allow unauthorized access to RSS feed data and user-related information via accessible Fever-compatible API endpoints.
FreshRSS Google Reader API Exposure
Author: DhiyaneshDkAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)FreshRSS"Description
Detected an exposed FreshRSS instance with the Google Reader API enabled, which could have allowed unauthorized access to RSS feeds and user-related data via accessible API endpoints.
Freshrss Panel - Detect
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Freshrss"})Description
Freshrss panel has been detected.
Friendica Panel - Detect
Author: righettodAdded: Jan 28, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)friendica"})Description
Friendica Login Panel was detected.
Fronius Datalogger Web - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)Fronius Datalogger Web`Description
Fronius Datalogger Web is a web interface for Fronius solar inverter data loggers, providing real-time monitoring and configuration of photovoltaic systems.
Fronius Inverter - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Fronius Inverter"})Description
Fronius Inverter is the web interface for Fronius GEN24 and Symo series solar inverters, providing real-time monitoring, configuration, and energy management for photovoltaic systems.
Froxlor Server Management Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)froxlor server management panel"})Description
Froxlor Server Management login panel was detected.
Fuel CMS 1.4.7 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fuel cms"})Description
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
Remediation
Fixed in version 115
Fuel CMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fuel cms"})Description
Fuel CMS login panel was detected.
Fuji Xerox Printer Panel - Detect
runzero-match
service["http.body"] matches "(?i)Fuji Xerox Co\\., Ltd"Description
Fuji Xerox printer panel was detected.
Fujian Kelixin Communication - Command Injection
runzero-match
service["http.body"] matches "(?i)app/structure/departments\\.php"Description
A vulnerability was found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240318 and classified as critical. Affected by this issue is some unknown functionality of the file api/client/user/pwd_update.php.
Impact
Authenticated attackers can extract sensitive database information via time-based SQL injection in the usr_number parameter.
Remediation
Update Fujian Kelixin Communication Command and Dispatch Platform to a version newer than 20240318.
Fujitsu IP Series - Hardcoded Credentials
runzero-match
service["http.head.server"] matches "thttpd/2.25b 29dec2003\" content-length:1133"Description
Fujitsu Real-time Video Transmission Gear “IP series” use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. The credentials cannot be changed by the end-user and provide administrative access to the devices.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to the device, potentially resulting in further compromise of the network.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Fumasoft Cloud - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Fumeng Cloud"})Description
There is a SQL injection vulnerability in the AjaxMethod.ashx file of Fumasoft Cloud. Attackers can obtain server permissions through the vulnerability
Fumeng - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)孚盟云 "})Description
The Fumeng AjaxMethod.ashx file has an SQL injection vulnerability. Attackers can use this vulnerability to obtain server data.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Implement input validation and use parameterized queries to prevent SQL Injection attacks.
FusionAuth Admin Panel - Detect
Author: ritikchaddhaAdded: Nov 6, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fusionauth"})GE Proficy WebSpace - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)Proficy WebSpace"Description
GE Proficy WebSpace is a thin-client delivery platform for GE Proficy
HMI/SCADA (iFIX, CIMPLICITY) applications over the web. It exposes
industrial HMI screens via browser on TCP/491 by default. The Server
header "WebSocket++/0.7.0" is a unique indicator.
GL.iNET SSID Key Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GL\\.iNet Admin Panel"})Description
An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key.
Impact
Unauthenticated attackers can retrieve Wi-Fi SSID and password information through the mesh status API endpoint, potentially allowing unauthorized access to the wireless network and intercepting network traffic.
Remediation
Update GL.iNET firmware to version 3.216 or later that requires authentication for the /api/router/mesh/status endpoint and protects Wi-Fi credentials.
GLPI 9.2/<9.5.6 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)setup glpi" || any(each(service["html.titles"]), {# matches "(?i)glpi"}) || service["favicon.ico.image.mmh3"] == "-1474875778"Description
GLPI 9.2 and prior to 9.5.6 is susceptible to information disclosure via the telemetry endpoint, which discloses GLPI and server information. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Information disclosure vulnerability in GLPI versions 9.2 to <9.5.6 allows an attacker to access sensitive information.
Remediation
This issue is fixed in version 9.5.6. As a workaround, remove the file ajax/telemetry.php, which is not needed for usual GLPI functions.
GLPI < 10.0.17 - Pre-Auth SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GLPI"})Description
A pre-authentication SQL injection vulnerability exists in the Inventory feature of GLPI. The vulnerability is caused by insufficient sanitization of user input in the handleAgent function when processing XML requests. The issue occurs because SimpleXMLElement objects can bypass the dbEscapeRecursive function, allowing an attacker to inject SQL queries. This can lead to unauthorized access to sensitive information in the database, including user credentials and potential authentication bypass.
Impact
Unauthenticated attackers can execute arbitrary SQL queries through XML requests to the Inventory feature, potentially extracting user credentials, bypassing authentication, and accessing sensitive database information.
Remediation
Upgrade to GLPI version 10.0.18 or later. If upgrading is not immediately possible, consider disabling the Inventory feature or restricting access to it.
GLPI <9.4.6 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "glpi"})Description
GLPI prior 9.4.6 contains an open redirect vulnerability based on a regexp.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Upgrade to version 9.4.6 or later.
GLPI <=10.0.2 - Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-1474875778" || any(each(service["html.titles"]), {# matches "(?i)glpi"}) || service["http.body"] matches "(?i)setup glpi"Description
GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade GLPI to a version higher than 10.0.2 to mitigate this vulnerability.
GLPI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)glpi"}) || service["favicon.ico.image.mmh3"] == "-1474875778"Description
GLPI panel was detected.
GNU Mailman Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mailing lists"})Description
GNU Mailman panel was detected. Panel exposes all public mailing lists on server.
GPT Academic v1.3.9 - Open Redirect
Author: DhiyaneshDKAdded: Jan 22, 2025
runzero-match
service["http.body"] matches "gpt_academic"Description
An open redirect vulnerability exists in GPT Academic v1.3.9, where the file parameter in the /file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs.
Impact
Unauthenticated attackers can redirect users to malicious URLs via the file parameter, facilitating phishing attacks and credential theft.
Remediation
Update GPT Academic to a version newer than v1.3.9.
GUDE - Default Login
runzero-match
service["http.body"] matches "(?i)Expert Net Control"Description
GUDE 2301 and 2302 default administrator login credentials (admin:admin) were detected.
GXD5 Pacs Connexion Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GXD5 Pacs Connexion utilisateur"})Description
GXD5 Pacs Connexion panel was detected.
GYRA Master Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login \\| GYRA Master Admin"})Description
GYRA Master Admin login panel was detected.
Ganglia Web Interface (v3.7.3 - v3.7.5) - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)ganglia_form\\.submit\\(\\)"Description
A cross-site scripting (XSS) vulnerability in the component /graph_all_periods.php of Ganglia-web v3.73 to v3.75 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "g" parameter.
Impact
Authenticated attackers can execute arbitrary JavaScript or HTML in victim browsers by injecting malicious payloads into the g parameter.
Remediation
Update Ganglia-web to version 3.7.6 or later to address the XSS vulnerability in the graph parameter.
Gargoyle Router Management Utility Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gargoyle Router Management Utility"})Description
Gargoyle Router Management Utility admin login panel was detected.
GenieACS => 1.2.8 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)genieacs" || service["favicon.ico.image.mmh3"] == "-2098066288"Description
In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade to a patched version of GenieACS or apply the necessary security patches to mitigate the vulnerability.
GeoServer - Missing Authorization on REST API Index
runzero-match
any(each(service["html.titles"]), {# matches "(?i)geoserver"}) || service["favicon.ico.image.mmh3"] == "97540678"Description
GeoServer contains a missing authorization vulnerability that allows unauthorized access to the REST API Index page, potentially exposing sensitive configuration information.
Impact
Unauthenticated users can access the GeoServer REST API Index page, potentially exposing sensitive configuration information and available API endpoints.
Remediation
Upgrade to the latest GeoServer version that implements proper authorization checks for the REST API Index page.
GeoServer - XML External Entity Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)geoserver"}) || service["http.body.mmh3"] == "1093634893" || service["favicon.ico.image.mmh3"] == "97540678" || service["http.body"] matches "(?i)/geoserver/"Description
GeoServer 2.26.0 to 2.26.2 and 2.25.6 contains an XML External Entity (XXE) injection caused by insufficient sanitization of XML input in /geoserver/wms GetMap operation, letting attackers disclose files or cause DoS, exploit requires crafted XML input.
Impact
Attackers can disclose sensitive files or cause denial of service by exploiting XML external entity processing.
Remediation
Update to GeoServer 2.25.6, 2.26.3, 2.27.0 or later.
GeoServer <1.2.2 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)geoserver"}) || service["favicon.ico.image.mmh3"] == "97540678"Description
Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
Remediation
1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
GeoServer Demo Request Endpoint - Server Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "geoserver"})Description
It is possible to achieve Server Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. An unauthenticated user can supply a request that will be issued by the server, allowing enumeration of internal networks and, in the case of cloud instances, access to sensitive data.
Impact
An attacker can exploit this vulnerability to access internal resources, enumerate internal networks, and potentially access sensitive data in cloud environments through the server-side request forgery attack.
Remediation
Upgrade to a patched version of GeoServer or configure the Proxy Base URL properly to prevent unauthorized server-side requests through the TestWfsPost endpoint.
GeoServer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)geoserver"}) || service["favicon.ico.image.mmh3"] == "97540678"Description
GeoServer login panel was detected.
GeoServer RCE in Evaluating Property Name Expressions
Author: DhiyaneshDk,ryanborumAdded: Jul 3, 2024
runzero-match
service["http.head.server"] matches "GeoHttpServer"Description
In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
Impact
This vulnerability can lead to executing arbitrary code.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
GeoServer WFS - XXE Processing Vulnerability
runzero-match
any(each(service["html.titles"]), {# matches "geoserver"})Description
GeoServer Web Feature Service (WFS) is vulnerable to an XML External Entity (XXE) processing attack due to improper handling of XML input. This vulnerability allows attackers to perform Out-of-Band (OOB) data exfiltration and Server-Side Request Forgery (SSRF) by exploiting the GeoTools library.
Impact
Unauthenticated attackers can exploit XXE vulnerabilities in GeoServer WFS to perform OOB data exfiltration and SSRF attacks, potentially accessing internal services and sensitive data.
Remediation
Upgrade to the latest GeoServer version that properly disables external entity processing in WFS requests.
GeoServer WPS - Server Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "GeoServer"})Description
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
Impact
Unauthenticated attackers can exploit SSRF through the WPS service to make arbitrary HTTP requests and access internal network resources, potentially compromising the entire GeoServer infrastructure and accessing sensitive geospatial data.
Remediation
Update GeoServer to version 2.22.5 or 2.23.2 or later that validates URLs in WPS requests and restricts access to authorized external resources only.
GeoServer and GeoTools - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "geoserver"})Description
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
Impact
Unauthenticated attackers can execute arbitrary code remotely via XPath expression exploitation in GeoTools functionality.
Remediation
Update GeoServer and GeoTools to versions 31.2, 30.4, or 29.6 or later.
Geoserver - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "GeoServer"})Description
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
Remediation
Apply the latest security patches or updates provided by the Geoserver project to mitigate the SSRF vulnerability.
Geoserver Admin - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "GeoServer: Welcome"})Description
Geoserver default admin credentials were discovered.
GetSimple CMS 3.3.13 - Open Redirect
runzero-match
service["product"] matches "(?i)get.simple.getsimplecms"Description
GetSimple CMS 3.3.13 contains an open redirect vulnerability via the admin/index.php redirect parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Upgrade to the latest version of GetSimple CMS to fix the open redirect vulnerability.
Geutebruck - Remote Command Injection
runzero-match
service["product"] matches "(?i)geutebrueck.cam.ebc"Description
Geutebruck is susceptible to multiple vulnerabilities its web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected device, leading to unauthorized access, data theft, or further compromise of the network.
Remediation
Apply the latest security patches or firmware updates provided by Geutebruck to mitigate the vulnerability.
Ghost CMS Content API - SQL Injection
runzero-match
service["product"] contains "Ghost:Ghost"Description
Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload.
Impact
An unauthenticated attacker can extract arbitrary data from the Ghost database including user credentials, API keys, and all content, potentially leading to full compromise of the CMS.
Remediation
Upgrade Ghost CMS to version 6.19.1 or later which uses parameterized queries for slug filter ordering.
Ghost CMS Installation Setup - Exposure
Author: 0x_AkokoAdded: Mar 20, 2026
runzero-match
service["product"] contains "Ghost:Ghost"Description
Detected Ghost CMS installation setup wizard accessible without authentication. An unauthenticated remote attacker can navigate to
/ghost/#/setup and complete the installation to gain full owner-level administrative control of the site.
Gibbon LMS <= v25.0.01 - File Upload to RCE
runzero-match
service["favicon.ico.image.mmh3"] == "-165631681"Description
Gibbon LMS versions 25.0.1 and earlier are vulnerable to an Arbitrary File Upload that can lead to Remote Code Execution (RCE). The issue stems from the rubrics_visualise_saveAjax.php endpoint, which, notably, does not require authentication. Because of this, unauthenticated attackers could potentially upload malicious PHP files and execute arbitrary code on the server.
Impact
Unauthenticated attackers can upload arbitrary PHP files through the rubrics_visualise_saveAjax endpoint to execute arbitrary code on the Gibbon LMS server, enabling complete application and server compromise.
Remediation
Fixed in v26.0.00; upgrade immediately, or restrict access to the vulnerable endpoint and implement WAF protection.
Gibbon v25.0.0 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-165631681"Description
Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) vulnerability where it's possible to include the content of several files present in the installation folder in the server's response.
Impact
The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.
Remediation
Upgrade to a patched version of Gibbon or apply the necessary security patches to mitigate the LFI vulnerability.
Gira HomeServer 4 Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gira HomeServer 4"})Description
Gira HomeServer 4 login panel was detected.
GitHub Enterprise - Encrypted SAML
Author: rootxharsh,iamnoooob,pdresearchAdded: Nov 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitHub Enterprise"})Description
This template checks if Encrypted SAML (Security Assertion Markup Language) is enabled on a GitHub Enterprise instance.
GitLab CE/EE - Hard-Coded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitLab"})Description
GitLab CE/EE contains a hard-coded credentials vulnerability. A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML), allowing attackers to potentially take over accounts. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Affected versions are 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized actions within the GitLab application.
Remediation
Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the reference section below.
GitLab CE/EE - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitLab"})Description
GitLab CE/EE is susceptible to information disclosure. An attacker can access runner registration tokens using quick actions commands, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are from 12.10 before 14.6.5, from 14.7 before 14.7.4, and from 14.8 before 14.8.2.
Impact
An attacker can gain access to sensitive information stored in GitLab.
Remediation
Apply the necessary patches or updates provided by GitLab to fix the vulnerability.
GitLab CE/EE - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)gitlab-ci\\.yml" || any(each(service["html.titles"]), {# matches "(?i)gitlab"}) || service["http.body"] matches "(?i)gitlab enterprise edition"Description
GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected GitLab instance.
Remediation
Upgrade to GitLab CE/EE version 13.10.3 or 13.11.1 to mitigate this vulnerability.
GitLab CI Lint API - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "GitLab"})Description
GitLab 10.5 and later contain a server-side request forgery caused by insecure handling of webhook requests, letting unauthenticated attackers exploit the server for arbitrary requests, exploit requires sending crafted webhook requests.
Impact
Unauthenticated attackers can perform arbitrary requests on internal network, potentially leading to information disclosure or internal network compromise.
Remediation
Update to the latest version of GitLab where the vulnerability is fixed.
GitLab Enterprise Edition - Server-Side Request Forgery
runzero-match
service["http.body"] matches "GitLab Enterprise Edition"Description
An issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The Jira integration feature is vulnerable to an unauthenticated blind SSRF issue.
Impact
Unauthenticated attackers can exploit blind SSRF to access internal services, potentially retrieving sensitive information or performing unauthorized actions on internal systems.
Remediation
Upgrade to GitLab Enterprise Edition 11.5.8, 11.6.6, 11.7.1 or later versions.
GitLab GraphQL API User Enumeration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitlab"}) || service["http.body"] matches "(?i)gitlab enterprise edition" || service["http.body"] matches "(?i)gitlab-ci\\.yml"Description
An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
Impact
An attacker can enumerate valid usernames, which can be used for further attacks such as brute-forcing passwords or launching targeted phishing campaigns.
Remediation
Implement rate limiting or CAPTCHA on the GraphQL API to prevent user enumeration.
GitLab Instance Explore - Detect
Author: Sujal TuladharAdded: Oct 7, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitLab"})Description
This template checks for GitLab instances by verifying if /explore and /api/v4/projects endpoints are accessible with a 200 response.
Gitblit - Default Login
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Gitblit"})Description
Gitblit Default login credentials were discovered.
Gitblit Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitblit"}) || service["http.body"] matches "(?i)gitblit"Description
Gitblit login panel was detected — a pure Java stack for managing, viewing, and serving Git repositories.
Gitea 1.4.0 - Remote Code Execution
Author: theamanrawatAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Installation - Gitea: Git with a cup of tea"})Description
Gitea 1.4.0 is vulnerable to remote code execution.
Gitea < 1.21.0 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "Gitea"})Description
Gitea before version 1.21.0 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs. The vulnerability exists in the redirect_to parameter used on the login page (/user/login). Due to improper validation of the redirect URL, an attacker can craft a malicious link that redirects authenticated users to an arbitrary external website after login.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Upgrade Gitea to version 1.21.0 or later to fix the open redirect vulnerability.
Gitea < 1.4.3 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "Gitea"})Description
Gitea before version 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs. The vulnerability exists in the redirect_to parameter used on the login page (/user/login). Due to improper validation of the redirect URL, an attacker can craft a malicious link that redirects authenticated users to an arbitrary external website after login.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Upgrade Gitea to version 1.4.3 or later to fix the open redirect vulnerability.
Gitea <1.16.5 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "Gitea"})Description
Gitea before 1.16.5 is susceptible to open redirect via GitHub repository go-gitea/gitea. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Upgrade Gitea to version 1.16.5 or later to fix the open redirect vulnerability.
Gitea Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)powered by gitea version" || any(each(service["html.titles"]), {# matches "(?i)gitea"})Description
Gitea login panel was detected.
Gitea Public Repository - Exposure
Author: theamanrawatAdded: Jan 20, 2026
runzero-match
service["product"] contains "Gitea:Gitea"Description
Detected publicly accessible Gitea instances exposing repository listings and user information without authentication.
Github Enterprise Authenticated Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "GitHub Enterprise"})Description
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
Impact
Authenticated attackers with organization owner privileges can exploit unsafe reflection to execute arbitrary code remotely, leading to complete compromise of the GitHub Enterprise Server instance and potential access to all repositories and data.
Remediation
Upgrade to GitHub Enterprise Server version 3.8.13, 3.9.8, 3.10.5, or 3.11.3 or later.
Github Enterprise Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Setup GitHub Enterprise"})Description
Github Enterprise login panel was detected.
Gitlab CE/EE 10.5 - Server-Side Request Forgery
runzero-match
service["product"] contains "GitLab:GitLab"Description
GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
- CVE-2021-39935
- CVE-2021-22214
- CVE-2021-22175
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further attacks on the system.
Remediation
Upgrade Gitlab CE/EE to a version that is not affected by the vulnerability (10.6 or higher).
Gitlab CE/EE 13.4 - 13.6.2 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitlab"})Description
GitLab CE and EE 13.4 through 13.6.2 is susceptible to Information disclosure via GraphQL. User email is visible. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
An attacker can gain unauthorized access to sensitive information.
Remediation
Upgrade Gitlab CE/EE to version 13.6.3 or later.
Gitlab Default Login
runzero-match
any(each(service["html.titles"]), {# matches "GitLab"})Description
Gitlab default login credentials were discovered.
Gitlab Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitlab"})Description
Gitlab login panel was detected.
Gitlab SAML - Detection
Author: rootxharsh,iamnoooob,pdresearchAdded: Oct 5, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitlab"}) || service["http.body"] matches "(?i)gitlab enterprise edition"Description
The presence of SAML-based authentication on GitLab instances. SAML is commonly used for Single Sign-On (SSO) integrations, which allows users to authenticate with GitLab using an external Identity Provider (IdP).
Gitness - Default Login
Author: 0x_AkokoAdded: Feb 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gitness"})Description
Detected Gitness instance was found using default admin credentials (admin/changeit).
GiveWP - PHP Object Injection
runzero-match
service["http.body"] contains "/wp-content/plugins/give/"Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.
Impact
This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
Remediation
Fixed in 3.14.2.
GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
runzero-match
service["http.body"] matches "/wp-content/plugins/give/"Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which may allow them to execute arbitrary PHP code, depending on the presence of a suitable POP chain on the target system. This vulnerability could lead to full site compromise.
Impact
Unauthenticated attackers can inject serialized PHP objects to execute arbitrary PHP code through POP chains, potentially achieving full site compromise, complete server control, and access to all WordPress data.
Remediation
Update GiveWP plugin to version 3.16.2 or later to address the PHP object injection vulnerability.
Gladinet CentreStack & TrioFox - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CentreStack"})Description
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
Impact
Unauthenticated attackers can disclose sensitive system files, potentially leading to information leakage.
Remediation
Update to a version later than 16.7.10368.56560 or the latest available version.
Gladinet CentreStack & Triofox - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CentreStack|Triofox"})Description
Gladinet CentreStack and Triofox < 16.12.10420.56791 contain a hardcoded credentials vulnerability caused by use of hardcoded AES cryptoscheme values, letting attackers perform arbitrary local file inclusion without authentication, potentially leading to full system compromise.
Impact
Attackers can exploit hardcoded AES keys to perform arbitrary local file inclusion, potentially leading to full system compromise.
Remediation
Update to version 16.12.10420.56791 or later.
Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
runzero-match
service["favicon.ico.image.mmh3"] == "1163764264"Description
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution.
Impact
Unauthenticated attackers can exploit hard-coded machineKey values to deserialize malicious payloads, achieving remote code execution and complete server compromise.
Remediation
Upgrade to Gladinet CentreStack version 16.4.10315.56368 or later that uses secure, randomly generated machineKeys.
Glances - Information Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "840398323" || any(each(service["html.titles"]), {# matches "(?i)Glances"})Description
Glances < 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials, exploit requires no special privileges.
Impact
Remote attackers can access sensitive system information including credentials, risking data exposure and system compromise.
Remediation
Update to version 4.5.2 or later.
Glimpse Diagnostics - Sensitive Data Exposure
runzero-match
service["http.body"] matches "(?i)Glimpse\\.axd"Description
Detected Glimpse diagnostics endpoint. Glimpse is a .NET diagnostics tool that reveals detailed request information, server configuration, SQL queries, connection strings, and session data.
Glowroot - Panel
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Glowroot"})GnuBoard5 5.5.16 - Open Redirect
runzero-match
service["http.body"] matches "(?i)GnuBoard5"Description
Gnuboard5 5.5.16 contains an open redirect vulnerability caused by insufficient URL parameter verification in bbs/logout.php, letting remote attackers redirect users to arbitrary URLs, exploit requires crafted URL parameter.
Impact
Remote attackers can redirect users to malicious sites, potentially leading to phishing or information theft.
Remediation
Update to the latest version of Gnuboard5.
Go.Control Event Administration Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Go\\.Control"})Description
Detects the presence of the Go.Control Event Administration login panel.
GoAnywhere - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GoAnywhere"})Description
Fortra GoAnywhere MFT contains an insecure deserialization vulnerability in the License Servlet caused by deserializing attacker-controlled objects with a valid forged license response signature, letting attackers perform command injection, exploit requires valid forged license signature.
Impact
Attackers can execute arbitrary commands remotely, potentially leading to full system compromise.
Remediation
Update to the latest version with the deserialization fix.
GoAnywhere Managed File Transfer - Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "GoAnywhere Managed File Transfer"Description
GoAnywhere Managed File Transfer is vulnerable to a remote command execution (RCE) issue via the included Apache Log4j.
GoAnywhere Managed File Transfer Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)GoAnywhere Managed File Transfer"Description
GoAnywhere Managed File Transfer login panel was detected.
GoCD Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)create a pipeline - go"}) || service["http.body"] matches "(?i)gocd version"Description
GoCD login panel was detected.
Gogs (Go Git Service) - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in - gogs"})Description
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the entire system.
Remediation
Apply the latest security patches and updates provided by the Gogs project to mitigate the SQL Injection vulnerability.
Gogs (Go Git Service) 0.11.66 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in - gogs"})Description
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
This issue will be fixed by updating to the latest version of Gogs.
Gogs <= 0.13.3 - Remote Code Execution
runzero-match
service["product"] contains "Gogs:Gogs"Description
Gogs self-hosted Git service versions 0.13.3 and earlier contain a critical symlink bypass vulnerability that circumvents the fix for CVE-2024-55947. Authenticated users can exploit improper symbolic link handling in the PutContents API to overwrite files outside the repository by committing a symlink pointing to sensitive targets, leading to remote code execution. As of December 2025, this remains an unpatched zero-day with active exploitation ongoing. Approximately 1,400 exposed Gogs instances exist, with over 700 showing signs of compromise. The vulnerability stems from the API writing to file paths without checking if targets are symlinks pointing outside the repository. Gogs maintainers are working on a fix.
Impact
Local attackers can execute arbitrary code, potentially leading to full system compromise.
Remediation
Update to the latest version of Gogs.
Gogs Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "917966895" || service["favicon.ico.image.mmh3"] == "1935513730" || any(each(service["html.titles"]), {# matches "(?i)sign in - gogs"}) || service["favicon.ico.image.mmh3"] == "-449283196"Description
Gogs login panel was detected.
Google ADK-Python - Unauthenticated Builder Endpoint
runzero-match
any(each(service["html.titles"]), {# matches "ADK\" http\\.component:\"uvicorn"})Description
Google Agent Development Kit (ADK) 1.7.0 through 1.28.1 and 2.0.0a1 through 2.0.0a2 on Python (OSS), Cloud Run, and GKE contains a code injection and missing authentication vulnerability, letting unauthenticated remote attackers execute arbitrary code on the server, exploit requires no authentication.
Impact
Unauthenticated remote attackers can execute arbitrary code on the server, leading to full system compromise.
Remediation
Upgrade to versions 1.28.1 and 2.0.0a2 or later and redeploy to production and local environments.
Google Earth Enterprise Default Login
runzero-match
any(each(service["html.titles"]), {# matches "GEE Server"})Description
Google Earth Enterprise default login credentials were discovered.
Remediation
To reset the username and password:
sudo /opt/google/gehttpd/bin/htpasswd -c
/opt/google/gehttpd/conf.d/.htpasswd geapacheuse"
Gophish Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gophish - Login"})Description
Gophish login panel was detected.
Gotify Login Panel - Detect
Author: righettodAdded: Feb 15, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gotify"})Description
Gotify login panel was detected.
Gradio - Absolute Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "Gradio"})Description
Gradio < 6.7 on Windows with Python 3.13+ contains an absolute path traversal caused by incorrect path validation in path joining logic, letting unauthenticated attackers read arbitrary files from the server.
Impact
Unauthenticated attackers can read arbitrary files on the server, potentially exposing sensitive information.
Remediation
Upgrade to version 6.7 or later.
Gradio - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)__gradio_mode__" || any(each(service["html.titles"]), {# matches "(?i)gradio"})Description
Gradio's Dropdown component is vulnerable to Local File Inclusion (LFI) when the value is a dictionary controlled by an attacker. In the postprocess of components, if the value type is a dict, it flows to the async_move_files_to_cache function. When the dictionary is crafted with a "path" key, it causes local file inclusion allowing attackers to read arbitrary files.
Gradio - Open Redirect
Author: DhiyaneshDKAdded: Oct 7, 2024
runzero-match
service["http.body"] matches "__gradio_mode__"Description
Gradio allows an open redirect bypass via URL encoding, enabling attackers to redirect users to malicious sites. This can lead to phishing attacks and loss of trust in the application.
Impact
Attackers can craft malicious URLs with encoded redirects that send users to phishing sites or malicious domains, leading to credential theft and undermining trust in the Gradio application.
Remediation
Update Gradio to a version that addresses the open redirect vulnerability via URL encoding bypass.
Gradio - Open Redirect
runzero-match
service["http.body"] matches "__gradio_mode__"Description
An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page.
Impact
Attackers can redirect users to malicious websites via open redirect, potentially enabling phishing attacks.
Remediation
Update Gradio to a version that patches the open redirect vulnerability.
Gradio - Server Side Request Forgery
runzero-match
service["http.body"] matches "__gradio_mode__"Description
An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.
Impact
Unauthenticated attackers can perform SSRF attacks to scan and identify open ports within internal networks, potentially facilitating further attacks.
Remediation
Upgrade Gradio to version 3.33 or later (for Gradio < 3.x) or version 4.11 or later (for Gradio 4.x).
Gradio - Server-Side Request Forgery
runzero-match
service["http.body"] matches "__gradio_mode__"Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
Impact
Unauthenticated attackers can force the server to make arbitrary requests via SSRF, potentially accessing internal services and cloud metadata endpoints.
Remediation
Update Gradio to a version later than 4.21.0 that patches the SSRF vulnerability.
Gradio 3.47 - 3.50.2 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "__gradio_mode__"Description
Gradio Full Read SSRF when auth is not enabled, this version should work for versions 3.47 - 3.50.2.
Gradio Image Component - Server-Side Request Forgery
runzero-match
service["http.body"] matches "__gradio_mode__"Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio image component allows an attacker to exploit SSRF using the path value in the `/queue/join` endpoint, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
Gradle Develocity Build Cache Node Login Panel - Detect
Author: righettodAdded: Jul 11, 2024
runzero-match
service["http.body"] matches "(?i)Develocity Build Cache Node"Description
Gradle Develocity Build Cache Node login panel was detected.
Gradle Enterprise Build Cache Node Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Gradle Enterprise Build Cache Node"Description
Gradle Enterprise Build Cache Node login panel was detected.
Grafana & Zabbix Integration - Credentials Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
Impact
An attacker can obtain sensitive credentials, leading to unauthorized access and potential data breaches.
Remediation
Update to the latest version of the Grafana & Zabbix Integration plugin to fix the vulnerability.
Grafana - Exposes DingDing API Keys
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight in versions below or equals to 12.0.1.
Impact
Viewers can access DingDing alerting integration URLs containing access tokens through the alertmanager API, potentially enabling unauthorized message delivery and notification manipulation.
Remediation
Upgrade to Grafana version 12.0.2 or later that properly restricts access to DingDing integration settings.
Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
runzero-match
service["product"] matches "(?i)Grafana"Description
An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover.
Impact
Attackers can exploit path traversal to achieve open redirect, XSS, or SSRF attacks, potentially leading to internal data exposure or account takeover.
Remediation
Upgrade Grafana to the latest version that properly validates and sanitizes file paths in the render endpoint.
Grafana 3.0.1-7.0.1 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Grafana"})Description
Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.
Remediation
Upgrade to 6.3.4 or higher.
Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Grafana"})Description
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the Grafana application.
Remediation
Upgrade to 8.2.3 or higher.
Grafana Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Grafana"})Description
Grafana default admin login credentials were detected.
Grafana Login Check
Author: parthmalhotra,pdresearchAdded: Jun 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Grafana"})Description
Checks for a valid login on self hosted Grafana instance.
Grafana Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
Grafana login panel was detected.
Grafana Snapshot - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accessing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can also delete snapshots by accessing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snapshot/:key, regardless of whether or not the snapshot is set to public mode (disabled by default).
Impact
An attacker can bypass authentication and gain unauthorized access to Grafana Snapshot feature.
Remediation
This issue has been resolved in versions 8.1.6 and 7.5.11. If you cannot upgrade you can block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
Grafana v8.x - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
Impact
An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
Remediation
Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.
Grandstream GRP - Default Login
Author: DhiyaneshDKAdded: May 21, 2026
runzero-match
service["http.body"] matches "(?i)tl\\.account\\.ucm\\.js"Description
Grandstream GRP series devices use default credentials (admin/admin). The web UI login sends a SHA-256 hash of the password to /cgi-bin/access. Successful authentication returns a JSON response with a session token, indicating full admin access to the device management interface.
Remediation
Change the default administrator password immediately. Update firmware to the latest version which generates random passwords on factory reset.
Grandstream GRP Panel - Detect
Author: DhiyaneshDkAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)tl\\.account\\.ucm\\.js"Description
Detected the presence of a Grandstream GRP web management login panel. The React-based SPA loads characteristic JavaScript modules including tl.account.ucm.js and webpack chunks for UCM modules.
Grandstream UCM6200 - SQL Injection
runzero-match
service["product"] matches "(?i)Grandstream"Description
Grandstream UCM6200 series contains an unauthenticated remote SQL injection caused by crafted HTTP requests, letting attackers execute shell commands as root on versions before 1.0.19.20 or inject HTML in emails before 1.0.20.17.
Impact
Attackers can execute root shell commands or inject malicious HTML, leading to full device compromise or phishing attacks.
Remediation
Update to version 1.0.19.20 or later for root command execution fix, and version 1.0.20.17 or later for email injection fix.
GraphiQL - Exposure
Author: Vincent OlagbemideAdded: Mar 17, 2026
runzero-match
service["http.body"] matches "(?i)GraphiQL"Description
Detected publicly exposed GraphiQL consoles.
Graphite <=1.1.5 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)graphite"Description
Graphite's send_email in graphite-web/webapp/graphite/composer/views.py in versions up to 1.1.5 is vulnerable to server-side request forgery (SSR)F. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an email address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
Impact
An attacker can exploit this vulnerability to access internal resources, potentially leading to unauthorized access, data leakage, or further attacks.
Remediation
Upgrade to a patched version of Graphite (>=1.1.6) or apply the necessary security patches.
Graphite Browser Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Graphite Browser"})Description
Graphite Browser login panel was detected.
Grav < 1.7 - Open Redirect
runzero-match
service["product"] matches "(?i)getgrav.grav"Description
Grav before 1.7 has an open redirect vulnerability via common/Grav.php. This is partially fixed in 1.6.23 and still present in 1.6.x.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Upgrade Grav CMS to version 1.7 or later to fix the open redirect vulnerability.
Gravity SMTP WordPress Plugin - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/gravity(?:smtp|forms)"Description
Gravity SMTP WordPress plugin <= 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication.
Impact
Unauthenticated attackers can access detailed system and configuration data, potentially aiding further attacks or information leakage.
Remediation
Update to the latest version beyond 2.1.4.
Graylog (Log4j) - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Graylog Web Interface"})Description
Graylog is susceptible to remote code execution via the Apache Log4j 2 library prior to 2.15.0 by recording its own log information, specifically with specially crafted values sent as user input. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Graylog - Default Login
runzero-match
service["product"] contains "Graylog:Graylog"Description
Graylog instance is accessible with default admin credentials (admin/admin). This provides full administrative access to the log management platform, including the ability to read all ingested logs, create inputs, configure pipelines, and manage users.
Impact
An attacker with admin access to Graylog can read all collected log data which may contain credentials, API keys, internal IPs, and sensitive business information. They can also create new inputs to intercept future log data or modify pipelines to redirect/suppress logs.
Remediation
Change the default root_password_sha2 in the Graylog server.conf configuration file. Use a strong, unique password for the admin account.
Graylog Login Panel - Detect
Author: righettodAdded: Mar 8, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Graylog Web Interface"})Description
Graylog login panel was detected.
Greenbone Security Assistant Panel - Detect
Author: pbuff07Added: Aug 24, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)greenbone security assistant"})Description
Greenbone Security Assistant Web Panel is detected
Grocy - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grocy"}) && service["http.body"] contains "grocy-version"Description
Detected Grocy was found using default credentials admin:admin.Successful authentication grants full access to the household management platform including all stock data, chores, recipes, and user settings.
Group-IB Managed XDR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Group-IB Managed XDR"})Description
Group-IB Managed XDR login panel was detected.
Growatt Shinelink - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Growatt Shinelink"})Description
Growatt Shinelink is a web-based data logger and monitoring interface for Growatt solar inverters, providing real-time solar energy production data and system configuration.
Gryphon Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gryphon"})Description
Gryphon router panel was detected.
Gurock TestRail Application files.md5 Exposure
runzero-match
service["http.body"] matches "(?i)testrail"Description
Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
Impact
An attacker could use the exposed files.md5 to gain insight into the application's file structure and potentially identify vulnerabilities or sensitive information.
Remediation
Securely restrict access to the files.md5 file and ensure that it is not accessible to unauthorized users.
Güralp Systems FMUS Series - Unauthenticated Access
runzero-match
service["service.port"] == "4244" and service["service.transport"] contains "tcp" and service["banner"] matches `(?i)\s*Welcome\s+to\s+(FMUS|MINP?)-[A-Fa-f0-9]{4}[^,]+,\s*type\s+"help"\s+for\s+a\s+list\s+of\s+available\s+commands`Description
Güralp Systems FMUS Series Seismic Monitoring Devices expose an unauthenticated Telnet-based command line interface that allows attackers to modify hardware configurations, manipulate data, or factory reset the device.
Impact
Successful exploitation of this vulnerability could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.
Remediation
Update to the latest firmware version or apply vendor recommended patches to secure Telnet access.
H2 Console Web Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)h2 console"})Description
H2 Console Web login panel was detected.
H2O ImportFiles - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)h2o flow"})Description
An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.
Impact
Unauthenticated attackers can read any file on the server via the ImportFiles endpoint, potentially exposing sensitive data including database contents and application code.
Remediation
Update H2O to a version that implements proper authentication and authorization controls for the ImportFiles endpoint.
H2O Wave ML Application Server - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)H2O Wave"})Description
H2O Wave was detected. H2O Wave was an open-source Python development framework for building real-time interactive AI and ML web applications. The Wave server hosted applications built on the platform.
H3C ER8300G2-X - Password Disclosure
runzero-match
service["http.body"] matches "(?i)icg_helpScript\\.js"Description
H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.
Impact
Unauthenticated attackers can access the router's administrative password via the management system interface.
Remediation
Update H3C ER8300G2-X router firmware to a version that addresses the password disclosure vulnerability.
H3c IMC - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/imc/javax\\.faces\\.resource/images/login_help\\.png\\.jsf\\?ln=primefaces-imc-new-webui"Description
H3c IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint.
HAL Management Console Panel
Author: DhiyaneshDKAdded: Jul 18, 2024
runzero-match
service["http.body"] matches "(?i)HAL Management Console"Description
HAL Management Console login panel was discovered.
HCL BigFix Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)BigFix"})Description
HCL BigFix login panel was detected.
HIKVISION applyCT Fastjson - Remote Command Execution
runzero-match
service["product"] matches "(?i)HIKVISION.iSecure.Center"Description
The HIKVISION comprehensive security management platform applyCT has a remote command execution vulnerability in a low version of Fastjson, through which an attacker can execute arbitrary commands to obtain server privileges
HOOBS Panel - Detect
Author: rxeriumAdded: Oct 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)HOOBS"})Description
HOOBS is a home automation platform that bridges HomeKit and non-HomeKit devices.
HP 1820-8G Switch J9979A Default Login
runzero-match
any(each(service["html.titles"]), {# matches "J9979A"})Description
HP 1820-8G Switch J9979A default admin login credentials were discovered.
HP Service Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hp service manager"})Description
HP Service Manager login panel was detected.
HP System Management Homepage (SMH) v2.x.x.x - Open Redirect
runzero-match
service["product"] matches "(?i)hp.system.management.homepage"Description
Open redirect vulnerability in red2301.html in HP System Management Homepage (SMH) 2.x.x.x allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the RedirectUrl parameter.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the download of malware.
Remediation
Apply the latest patches or updates provided by HP to fix the open redirect vulnerability.
HP Virtual Connect Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)HP Virtual Connect Manager"})Description
HP Virtual Connect Manager login panel was detected.
HPE OfficeConnect Switch - Panel Detect
Author: pussycat0xAdded: Sep 18, 2025
runzero-match
service["http.body"] matches "(?i)HPE OfficeConnect"Description
The HPE OfficeConnect Switch was a network switch series built for small and medium businesses.It provided reliable connectivity, simple management, and PoE options to support growing networks.
HPE OneView - Panel Detect
Author: rxeriumAdded: Dec 18, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-1569311459"Description
HPE OneView is an infrastructure management platform that provides automated management, monitoring, and updates for HPE servers, storage, and networking resources through a unified interface.
HPE OneView - Remote Code Execution
Author: DhiyaneshDk,garciaizcoaAdded: Dec 19, 2025
runzero-match
service["http.body"] matches "HPE\" html:\"OneView"Description
HPE OneView contains a remote code execution vulnerability, letting remote attackers execute arbitrary code.
Impact
Remote attackers can execute arbitrary code, potentially leading to full system compromise.
Remediation
Update to the latest version.
HTTP File Server <2.3c - Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "2124459909"Description
HTTP File Server before 2.3c is susceptible to remote command execution. The findMacroMarker function in parserLib.pas allows an attacker to execute arbitrary programs via a %00 sequence in a search action. Therefore, an attacker can obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Upgrade to the latest version of HTTP File Server (>=2.3c) to mitigate this vulnerability.
HTTPBin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)httpbin\\.org"})Description
HTTPBin login panel was detected.
HYPERPLANNING Login Panel - Detect
Author: righettodAdded: Nov 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)HYPERPLANNING"})Description
HYPERPLANNING products was detected.
Haivision Gateway Login Panel - Detect
Author: righettodAdded: Feb 14, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Haivision Gateway"})Description
Haivision Gateway login panel was detected.
Haivision Media Platform Login Panel - Detect
Author: righettodAdded: Feb 15, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Haivision Media Platform"})Description
Haivision Media Platform login panel was detected.
Halo ITSM - Pre-Authentication SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "489905671"Description
A Time-Based SQL Injection vulnerability in Halo ITSM allows unauthenticated attackers to execute malicious SQL queries by leveraging time delays, potentially leading to data exfiltration, privilege escalation, or full system compromise.
Hangfire Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)overview – hangfire dashboard"})Description
Hangfire Dashboard panel was detected.
Harbor Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "657337228"Description
Harbor login panel was detected.
Harbor Registry - Default Admin Credentials
Author: 0x_AkokoAdded: Mar 24, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Harbor"})Description
Detected: The Harbor container registry was found to be using default administrator credentials (admin:Harbor12345). An attacker could have gained full administrative access to manage registries, projects, users, and stored container images.
HashiCorp Consul Web UI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)consul by hashicorp"})Description
HashiCorp Consul Web UI login panel was detected,
Hashicorp Consul Agent - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)consul by hashicorp"})Description
Hashicorp Consul Agent was detected.
Headlamp Kubernetes UI Panel - Detect
runzero-match
service["http.body"] matches "(?i)headlampBaseUrl"Description
Detected Headlamp Kubernetes Web UI panel exposed, which could lead to unauthorized access to Kubernetes cluster management if not properly secured.
Heimdall - Host Header Injection & Open Redirect
Author: DhiyaneshDkAdded: Apr 8, 2026
runzero-match
service["http.body"] matches "Heimdall"Description
LinuxServer.io Heimdall 2.6.3-ls307 contains a host header injection caused by improper validation of user-supplied HTTP headers `X-Forwarded-Host` and `Referer`, letting unauthenticated remote attackers perform host header injection and open redirect attacks, exploit requires no special privileges.
Impact
Unauthenticated attackers can redirect users to malicious sites, enabling phishing, UI redress, and session theft.
Remediation
Update to the latest version of Heimdall.
Hestia Control Panel Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hestia control panel"}) || service["favicon.ico.image.mmh3"] == "-476299640"Description
Hestia Control Panel login was detected.
Hide My WP Ghost < 5.2.02 - Hidden Login Page Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/hide-my-wp"Description
The Hide My WP Ghost plugin does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
Impact
Unauthenticated attackers can discover and access the hidden WordPress login page through auth_redirect exploitation, bypassing the plugin's security obfuscation.
Remediation
Update Hide My WP Ghost plugin to version 5.2.02 or later to address the login page disclosure vulnerability.
HighMail Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)highmail"})Description
HighMail admin login panel was detected.
Hikvision IP ping.php - Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-1830859634"Description
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
Impact
Unauthenticated attackers can execute arbitrary operating system commands via the jsondata[ip] parameter, potentially gaining complete control over the Hikvision Intercom Broadcasting System.
Remediation
Upgrade to Hikvision Intercom Broadcasting System version 4.1.0 or later.
Hitachi Pentaho Business Analytics Server - Bypass Authorization
runzero-match
service["favicon.ico.image.mmh3"] == "1749354953"Description
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
Impact
Unauthenticated attackers can bypass authorization restrictions using non-canonical URL paths to access protected administrative endpoints in Hitachi Pentaho Business Analytics Server, potentially gaining unauthorized access to sensitive analytics data and configurations.
Remediation
Upgrade to Hitachi Vantara Pentaho Business Analytics Server version 9.4.0.1, 9.3.0.2 or later that properly validates canonical URL paths.
Hitachi Pentaho Business Analytics Server - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1749354953"Description
Hitachi Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is susceptible to remote code execution via server-side template injection. Certain web services can set property values which contain Spring templates that are interpreted downstream, thereby potentially enabling an attacker to execute malware, obtain sensitive information, modify data, and/or perform unauthorized operations without entering necessary credentials.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server.
Remediation
Upgrade to 9.4 with Service Pack 9.4.0.1. For version 9.3, recommend updating to Service Pack 9.3.0.2.
HiveManager Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1604363273"Description
HiveManager login panel was detected.
Home Assistant Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Home Assistant"})Home Assistant Supervisor - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)home assistant"})Description
Home Assistant Supervisor is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered.This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected.
Impact
An attacker can bypass authentication and gain unauthorized access to the Home Assistant Supervisor, potentially leading to further compromise of the system.
Remediation
The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. This rollout has been completed at the time of publication of this advisory. Home Assistant Core 2023.3.0 included mitigation for this vulnerability. Upgrading to at least that version is thus advised. In case one is not able to upgrade the Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised to not expose your Home Assistant instance to the internet.
HomeAutomation 3.3.2 - Open Redirect
runzero-match
service["product"] matches "(?i)homeautomation"Description
HomeAutomation 3.3.2 contains a redirect vulnerability caused by improper verification of the 'redirect' GET parameter in 'api.php', letting attackers redirect users to arbitrary websites, exploit requires user interaction with a crafted link.
Impact
Attackers can redirect users to malicious external websites through crafted links, potentially facilitating phishing attacks or malware distribution.
Remediation
Upgrade to HomeAutomation version 3.3.3 or later, or apply vendor-provided security patches.
Homebridge - Default Admin Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Homebridge"})Description
Detected Homebridge UI was found using default administrator credentials (admin:admin). An attacker could have gained full access to manage HomeKit accessories, plugins, and server configuration.
Homebridge - Unfinished Installation
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Homebridge"})Description
Homebridge instance with incomplete installation detected. The setup wizard is exposed, allowing anyone to create the first admin account and gain full control over the Homebridge instance. This can lead to unauthorized access to smart home devices and potential network compromise.
Homebridge Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Homebridge"})Description
Homebridge allows you to integrate with smart home devices that do not natively support HomeKit.
Homematic Panel - Detect
runzero-match
service["http.body"] matches "(?i)homematic"Description
Homematic panel was deetcted.
Homer Panel - Detect
Author: rxeriumAdded: Nov 4, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-417785140"Description
A simple static homepage was discovered
Honeywell Excel Web Control Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Honeywell XL Web Controller"})Description
Honeywell Excel Web Control login panel was detected.
Honeywell PM43 Printers - Command Injection
runzero-match
service["http.body"] matches "(?i)/main/login\\.lua\\?pageid="Description
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006)
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the username parameter in loadfile.lp, potentially gaining full control of Honeywell PM43 printers and intercepting print jobs containing sensitive documents.
Remediation
Update Honeywell PM43 printer firmware to version P10.19.050004 (MR19.5) or later that properly sanitizes input in loadfile.lp and prevents command injection attacks.
Hongjing e-HR 2020 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)人力资源信息管理系统"})Description
A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
Impact
Unauthenticated attackers can execute arbitrary SQL queries via the parentid parameter, potentially extracting sensitive database information including user credentials.
Remediation
Update Hongjing e-HR to a version newer than 2020 that addresses this SQL injection vulnerability.
Hookbot Rat Panel - Detect
Author: pussycat0xAdded: Jul 6, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hookbot"})Description
Hookbot panel were detected.
Hoppscotch <= 2026.2.1 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "Hoppscotch"})Description
Hoppscotch <= 2026.2.1 is vulnerable to a DOM-based open redirect on the /enter page. The redirect query parameter is passed directly to windowz location.href with no origin validation. Requires one additional query parameter to trigger. Exploited via a crafted URL such as /enter?redirect=evil.com&foo=bar.
Impact
Phishing, credential theft, and OAuth token interception. Victims who click a crafted link see the legitimate Hoppscotch domain in the address bar before being silently redirected to an attacker-controlled site.
Remediation
Upgrade to Hoppscotch 2026.3.0 or later. The fix validates that the redirect URL is same-origin before performing the navigation.
Horde Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-741491222"Description
Horde login panel was detected.
Horde Webmail Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "2104916232"Description
Horde Webmail login panel was detected.
Hospital Management System 1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)hospital management system"Description
Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/user-login.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Hospital Management System 1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)hospital management system"Description
Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/admin.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Hospital Management System 1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)hospital management system"Description
Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/doctor.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Hospital Management System Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)hospital management system"Description
Hospital Management System login panel was detected.
Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/motopress-hotel-booking"Description
The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server
Impact
Unauthenticated attackers can exploit missing validation and authorization checks to download and delete arbitrary files on WordPress servers running Hotel Booking Lite.
Remediation
Fixed in 4.8.5
Hoteldruid v3.0.5 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hoteldruid"}) || service["favicon.ico.image.mmh3"] == "-1521640213"Description
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.
Impact
Successful exploitation could lead to unauthorized access to sensitive data or complete takeover of the affected system.
Remediation
Upgrade Hoteldruid to a patched version that addresses the SQL Injection vulnerability.
Hoteldruid v3.0.5 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hoteldruid"})Description
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.
Impact
Allows attackers to execute arbitrary SQL queries and potentially gain unauthorized access to the database.
Remediation
Update Hoteldruid to a patched version or apply vendor-supplied fixes to mitigate the SQL Injection vulnerability.
HuangDou UTCMS V9 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)usualtool"Description
A vulnerability, which was classified as critical, has been found in HuangDou UTCMS V9. Affected by this issue is some unknown functionality of the file app/modules/ut-cac/admin/cli.php. The manipulation of the argument o leads to os command injection.The attack may be launched remotely. The exploit has been disclosed to the public and may be used.The vendor was contacted early about this disclosure but did not respond in any way.
Impact
Unauthenticated attackers can execute arbitrary OS commands on the server through command injection in the cli.php file, achieving complete system compromise and potential access to sensitive data.
Remediation
Apply security patches from HuangDou for UTCMS V9 to address the OS command injection vulnerability in app/modules/ut-cac/admin/cli.php.
Huawei HG532e Default Credential
runzero-match
service["http.body"] matches "HG532e"Description
Huawei HG532e default admin credentials were discovered.
Huawei HG532e Router Panel - Detect
runzero-match
service["http.body"] matches "(?i)HG532e"Description
Huawei HG532e router login panel was detected. After installation, both the default username and default password are user.
Huawei HoloSens SDC - Panel
Author: darsesAdded: Jul 14, 2025
runzero-match
service["http.head.server"] matches "SDC Server" || service["http.body.mmh3"] == "-968212412"Description
Huawei HoloSens SDC Panel was discovered.
Hue Magic 3.0.0 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NODE-RED"})Description
Hue Magic 3.0.0 is susceptible to local file inclusion via the res.sendFile API.
Impact
The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.
Remediation
Apply the latest security patch or update to a non-vulnerable version of Hue Magic.
Huginn Login Panel - Detect
Author: righettodAdded: Dec 10, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1951475503"Description
Huginn products was detected.
Huly Login Panel - Detect
Author: righettodAdded: Jan 14, 2025
runzero-match
service["http.body"] matches "(?i)Huly"Description
Huly products was detected.
Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/hunk-companion/"Description
The plugin does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
Impact
Unauthenticated attackers can install and activate arbitrary WordPress plugins including vulnerable or malicious ones, leading to potential site compromise.
Remediation
Update Hunk Companion plugin to version 1.9.0 or later.
Hurrakify <= 2.4 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "wp-content/plugins/hurrakify"Description
The Hurrakify plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Impact
Unauthenticated attackers can make arbitrary HTTP requests from the server to internal or external services, potentially accessing internal resources or performing port scanning.
Remediation
Update Hurrakify plugin to version 2.5 or later to address the SSRF vulnerability.
Hybris - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Hybris"})Description
Hybris contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Hybris Administration Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hybris"})Description
Hybris Administration Console login panel was detected.
Hybris Management Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hybris"})Description
Hybris Management Console login panel was detected.
Hydra Router Dashboard - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hydra router dashboard"})Description
Hydra router dashboard was detected.
HyperDX Panel - Detect
Author: righettodAdded: Aug 8, 2025
runzero-match
service["http.body"] matches "(?i)hyperdx"Description
HyperDX panel was discovered.
HyperTest Common Dashboard - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)HyperTest"})Description
HyperTest Common Dashboard was detected.
Hytec Inter HWL-2511-SS - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)index"}) && service["http.head.server"] contains "lighttpd/1.4.30"Description
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
Impact
Unauthenticated attackers can execute arbitrary commands on the Hytec Inter HWL-2511-SS cellular router through command injection in the popen.cgi endpoint, potentially gaining complete control over the device and connected network infrastructure.
Remediation
Update Hytec Inter HWL-2511-SS firmware to a version later than 1.05 that properly sanitizes command parameters in popen.cgi.
IBM Advanced System Management Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advanced System Management"})Description
IBM Advanced System Management panel was detected.
IBM BigFix Platform - Information Disclosure
runzero-match
service["http.head.server"] matches "^BigFixHTTPServer"Description
IBM BigFix Platform 9.2 and 9.5 contains an information disclosure vulnerability caused by not enabling authenticated access in relay, letting remote attackers query and gather update and fixlet information, exploit requires no authentication.
Impact
Attackers can remotely gather sensitive update and fixlet deployment information, potentially aiding targeted attacks.
Remediation
Enable authenticated access for relay to prevent unauthorized information queries.
IBM Data Risk Manager - Authentication Bypass via SAML
runzero-match
any(each(service["html.titles"]), {# matches "(?i)IBM Data Risk Manager"})Description
IBM Data Risk Manager versions 2.0.1 through 2.0.6 are vulnerable to authentication bypass when configured with SAML authentication. A remote attacker can bypass security restrictions by sending a specially crafted HTTP request to the SAML idpSelection endpoint, allowing them to bypass the authentication process and gain full administrative access to the system.
Impact
Unauthenticated attackers can bypass authentication via SAML endpoint and gain full administrative access to IBM Data Risk Manager, compromising all managed data risk information.
Remediation
Apply the latest security updates and patches provided by Cisco for HyperFlex HX.
IBM Decision Center Business Console - Default Login
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Decision Center \\| Business Console"})IBM Decision Center Enterprise Console - Default Login
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
service["http.body"] matches "Decision Center Enterprise console"IBM Decision Center Enterprise Console - Panel Detection
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
service["http.body"] matches "(?i)Decision Center Enterprise console"Description
IBM Decision Center Enterprise Console panel was detected.
IBM Decision Server Console - Default Login
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Rule Execution Server"})IBM Decision Server Console Panel - Detect
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Rule Execution Server"})Description
IBM Decision Server Console panel was detected.
IBM Maximo Asset Management Information Disclosure - XML External Entity Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-399298961"Description
IBM Maximo Asset Management is vulnerable to an
XML external entity injection (XXE) attack when processing XML data.
A remote attacker could exploit this vulnerability to expose
sensitive information or consume memory resources.
Impact
The vulnerability can lead to unauthorized access to sensitive information or a denial of service.
Remediation
Apply the latest security patches or updates provided by IBM to mitigate the vulnerability.
IBM Maximo Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-399298961"Description
IBM Maximo login panel was detected.
IBM MobileFirst Foundation - Default Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MobileFirst Operations Console"})Description
Detected IBM MobileFirst Foundation Operations Console was found using default credentials. The administration REST API exposes full control over mobile application backends including adapter management, push notification infrastructure, OAuth security configuration, and application authenticity enforcement.
IBM OpenAdmin Tool - Panel
Author: DhiyaneshDKAdded: Aug 20, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "965982073"IBM Operational Decision Manager - JNDI Injection
runzero-match
service["http.body"] matches "IBM ODM"Description
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.
Impact
Unauthenticated attackers can execute arbitrary code via JNDI injection, potentially compromising the entire IBM ODM system.
Remediation
Update IBM Operational Decision Manager to a version that addresses CVE-2024-22319.
IBM Operational Decision Manager - Java Deserialization
runzero-match
service["http.body"] matches "IBM ODM"Description
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.
Impact
Authenticated attackers can execute arbitrary code on the system through unsafe deserialization, potentially achieving complete system compromise.
Remediation
Update IBM Operational Decision Manager to a version that addresses CVE-2024-22320.
IBM Operational Decision Manager Panel - Detect
Author: DhiyaneshDK,righettodAdded: Feb 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Decision Center \\| Business Console"})Description
IBM Operational Decision Manager panel was detected.
IBM Planning Analytics - Authentication Bypass & Remote Code Execution Version Detection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Arc for TM1"})Description
IBM Planning Analytics versions 2.0.0 through 2.0.8 are vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting.
Impact
Attackers can gain admin access and execute arbitrary code with SYSTEM privileges, leading to full system compromise.
Remediation
Update to the latest version or 2.0.9 or apply the security patches provided by IBM.
IBM Power HMC - Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "262502857"Description
IBM HMC default admin login credentials were discovered.
IBM Security Access Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)IBM Security Access Manager"})Description
IBM Security Access Manager login panel was detected.
IBM Security Verify Access Login - Panel
Author: johnk3rAdded: Jun 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)IBM Security Verify Access"})Description
IBM Security Verify Access login panel was detected.
IBM Service Assistant Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Welcome to Service Assistant"})Description
IBM Service Assistant login panel was detected.
IBM WebSphere Application Server Community Edition Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1337147129"Description
IBM WebSphere Application Server Community Edition admin login panel was detected.
IBM WebSphere HCL Digital Experience - Server-Side Request Forgery
runzero-match
service["http.body"] matches "IBM WebSphere Portal"Description
IBM WebSphere HCL Digital Experience is vulnerable to server-side request forgery that impacts on-premise deployments and containers.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass security controls, access internal resources, and potentially perform further attacks.
Remediation
Apply the latest security patches or updates provided by IBM to mitigate this vulnerability.
IBM WebSphere Java Object Deserialization - Remote Code Execution
runzero-match
service["http.body"] matches "IBM WebSphere Portal"Description
IBM Websphere Application Server 7, 8, and 8.5 have a deserialization vulnerability in the SOAP Connector (port 8880 by default).
Impact
Successful exploitation of this vulnerability can lead to remote code execution, allowing an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches provided by IBM to mitigate this vulnerability.
IBM WebSphere Portal Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ibm websphere portal"Description
IBM WebSphere Portal login panel was detected.
IBM iNotes Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)IBM iNotes Login"})Description
IBM iNotes login panel was detected.
ICC PRO Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login to ICC PRO system"})Description
ICC PRO login panel was detected.
ICE HRM Login - Detect
Author: Th3l0newolfAdded: Apr 18, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ice Hrm Login"})Description
The ICE HRM login panel was discovered.
ICT Protege WX Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ict protege wx®"})ICTBroadcast - Command Injection
runzero-match
service["http.body"] matches "ICTBroadcast"Description
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable.
Impact
Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full server compromise.
Remediation
Update to a version later than 7.4 or the latest available version.
ICTBroadcast Login Panel - Detect
Author: rxeriumAdded: Oct 21, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-60395993"Description
ICTBroadcast login panel was detected.
IDEMIA BIOMetrics - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "IDEMIA"})Description
IDEMIA BIOMetrics application default login credentials were discovered.
ILIAS LMS - Default Admin Credentials
Author: 0x_AkokoAdded: Mar 25, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login to ILIAS"})Description
The ILIAS learning management system was found to be using default administrator credentials (root:homer). An attacker was able to gain full administrative access to manage courses, users, and system configuration.
ILIAS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ilias"Description
ILIAS login panel was detected.
ILIAS eLearning <7.16 - Open Redirect
runzero-match
service["http.body"] matches "ILIAS"Description
ILIAS eLearning before 7.16 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Upgrade to ILIAS eLearning version 7.16 or later to fix the open redirect vulnerability.
INTELBRAS TELEFONE IP TIP200 60.61.75.22 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/cgi-bin/cgiServer\\.exx"Description
INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 is vulnerable to information disclosure, allowing unauthenticated attackers to access sensitive device information and configuration data via a direct request to the /cgi-bin/export_settings.sh endpoint.
Impact
Authenticated attackers can read arbitrary files from the device including configuration files and credentials, potentially leading to complete device compromise.
Remediation
Update the device firmware to the latest version provided by INTELBRAS.
IPS Community Suite - Unauthenticated SQL Injection
runzero-match
service["http.body"] matches "(?i)invision community"Description
IPS Community Suite is vulnerable to unauthenticated SQL injection via the filter[] parameter in the /index.php?/store/ endpoint, allowing attackers to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute arbitrary SQL queries, potentially extracting or modifying sensitive database information.
Remediation
Update IPS Community Suite to a version that patches CVE-2024-30163.
IPdiva Mediation Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)IPdiva"Description
IPdiva Mediation login panel was detected.
IPeakCMS 3.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ipeak"Description
ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands, exploit requires no authentication.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, data tampering, or full database compromise.
Remediation
Apply the latest security patches or update to a version that fixes this vulnerability.
IRISNext Login Panel - Detect
Author: righettodAdded: Feb 26, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)irisnext"})Description
IRISNext products was detected.
ISPConfig Admin - Default Password
Author: pussycat0xAdded: Aug 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ispconfig"})Description
ISPConfig Admin Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
ISPConfig Hosting Control Panel - Default Login
Author: ritikchaddhaAdded: Aug 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "ISPConfig"})Description
ISPConfig Hosting Control Panel Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
ITFlow Unfinished Installation
Author: 0x_AkokoAdded: Jan 20, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ITFlow"})Description
Detected ITFlow setup wizard was exposed with an unfinished installation, allowing attackers to configure the database and create an admin account.
IceWarp - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "icewarp"})Description
IceWarp open redirect vulnerabilities were detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Remediation
Fixed in 13.0.2.4.
IceWarp Email Client - Cross Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
IceWarp Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
IceWarp login panel was detected.
IceWarp Mail Server - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "icewarp"})Description
IceWarp Mail Server contains an open redirect via the referer parameter. This can lead to phishing attacks or other unintended redirects.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by IceWarp to fix the open redirect vulnerability.
IceWarp Mail Server <=10.4.4 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
Impact
An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
Remediation
Upgrade IceWarp Mail Server to a version higher than 10.4.4 or apply the vendor-provided patch to fix the LFI vulnerability.
IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "IceWarp"})Description
An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.
Impact
Attackers can craft malicious redirect URLs to phish IceWarp Mail Server users, potentially stealing email credentials by redirecting victims to attacker-controlled domains that mimic the legitimate login page.
Remediation
Update IceWarp Mail Server Deep Castle 2 to a version newer than 13.0.1.2 that validates redirect URLs and prevents open redirect attacks.
IceWarp Mail Server ≤11.4.0 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "IceWarp"})Description
IceWarp Mail Server version 11.4.0 and below contains an open redirect vulnerability that allows attackers to redirect users to arbitrary external domains through malicious URLs.
Impact
An attacker can craft malicious URLs to redirect users to external malicious websites, potentially leading to phishing attacks or credential theft.
Remediation
Update IceWarp Mail Server to a version newer than 11.4.0. Implement proper URL validation and restrict redirects to trusted domains only.
IceWarp WebClient - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
IceWarp WebClient is susceptible to remote code execution.
IceWarp WebMail 11.4.5.0 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
IceWarp WebMail 11.4.5.0 is vulnerable to cross-site scripting via the language parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of IceWarp WebMail.
IceWarp Webmail Server v10.2.1 - Cross Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "2144485375" || any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.
Impact
Unauthenticated attackers can inject malicious JavaScript through the color parameter to steal webmail user session cookies and access email communications.
Remediation
Update IceWarp to a version newer than 10.2.1 that properly sanitizes the color parameter and encodes output in the webmail interface.
Icinga Exposed Dashboard
Author: DhiyaneshDkAdded: Jan 9, 2026
runzero-match
service["http.body"] matches "(?i)icinga\" html:\"Statistics"Description
Icinga Dashboard was exposed.
Icinga Web 2 - Arbitrary File Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Icinga"})Description
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials.
Impact
The vulnerability can lead to unauthorized access to sensitive information, potentially exposing credentials, configuration files, and other sensitive data.
Remediation
This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
Icinga Web 2 Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icinga web 2 login"}) || any(each(service["html.titles"]), {# matches "(?i)icinga"})Description
Icinga Web 2 login panel was detected.
IdeaCMS <= 1.7 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1033616879"Description
IdeaCMS up to 1.7 is vulnerable to SQL injection via the field parameter in article and product query interfaces. This template uses a time-based payload to safely detect the vulnerability.
Impact
Unauthenticated attackers can extract sensitive data from the database through SQL injection in the field parameter, potentially compromising user information and system credentials.
Remediation
Upgrade IdeaCMS to a version later than 1.7 that properly sanitizes SQL parameters in article and product query interfaces.
Ignite Realtime Openfire <4.42 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openfire admin console"})Description
Ignite Realtime Openfire through 4.4.2 is vulnerable to local file inclusion via PluginServlet.java. It does not ensure that retrieved files are located under the Openfire home directory.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, remote code execution, and potential compromise of the affected system.
Remediation
Upgrade Ignite Realtime Openfire to version 4.42 or later to mitigate this vulnerability.
Ignite Realtime Openfire <=4.4.2 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "openfire admin console"})Description
Ignite Realtime Openfire through version 4.4.2 allows attackers to send arbitrary HTTP GET requests in FaviconServlet.java, resulting in server-side request forgery.
Impact
An attacker can exploit this vulnerability to send crafted requests to internal resources, leading to unauthorized access or information disclosure.
Remediation
Upgrade to the latest version of Ignite Realtime Openfire (>=4.4.3) to fix this vulnerability.
Ilch CMS Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ilch"})Description
Ilch CMS admin login panel was detected.
ImageResizer Debug - Information Exposure
Author: ritikchaddhaAdded: Dec 23, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ImageResizer"})Description
The ImageResizer debug endpoint exposes sensitive server configuration and path information.
Imgproxy < 3.27.2 - Server-Side Request Forgery (SSRF)
runzero-match
service["http.body"] matches "imgproxy"Description
imgproxy contains an issue caused by not blocking the 0.0.0.0 address even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false, letting local services be exposed, exploit requires network access.
Impact
Local services may be exposed to unauthorized access, risking information disclosure or local system compromise.
Remediation
The vulnerability has been fixed in imgproxy version 3.27.2. The fix involves updating the source address verification to also check for unspecified IP addresses (0.0.0.0) using the ip.IsUnspecified() function in addition to the existing ip.IsLoopback() check.
Imgproxy <= 3.14.0 - Server-side request forgery (SSRF)
runzero-match
service["http.head.server"] matches "imgproxy"Description
imgproxy <=3.14.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
Remediation
Upgrade to a version of Imgproxy that is not affected by this vulnerability.
Immich Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-43504595"Description
Immich is a self-hosted photo and video backup solution
Import XML & RSS Feeds WordPress Plugin <= 2.0.1 Server-Side Request Forgery
runzero-match
service["http.body"] matches "import-xml-feed"Description
WordPress plugin Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 contains a server-side request forgery (SSRF) vulnerability via the data parameter in a moove_read_xml action.
Impact
Unauthenticated attackers can perform server-side request forgery to access internal resources, scan internal networks, or retrieve sensitive data from internal systems.
Remediation
Update to the latest version of the Import XML & RSS Feeds WordPress Plugin (2.0.2 or higher) to mitigate the vulnerability.
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
runzero-match
service["http.body"] matches "import-xml-feed"Description
The Import XML and RSS Feeds WordPress plugin before 2.1.5 allows unauthenticated attackers to execute arbitrary commands via a web shell.
Impact
Allows unauthenticated attackers to execute arbitrary code on the target system.
Remediation
Update the Import XML and RSS Feeds WordPress Plugin to the latest version to mitigate the vulnerability.
ImpressCMS < 1.4.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ImpressCMS"Description
ImpressCMS before 1.4.3 is vulnerable to SQL injection via the groups parameter in include/findusers.php, allowing unauthenticated attackers to execute arbitrary SQL queries.
Impact
Unauthenticated attackers can execute arbitrary SQL queries via SQL injection, potentially extracting sensitive database contents or modifying data.
Remediation
Update ImpressCMS to version 1.4.3 or later.
ImpressCMS <1.4.3 - Incorrect Authorization
runzero-match
service["http.body"] matches "(?i)impresscms"Description
ImpressCMS before 1.4.3 is susceptible to incorrect authorization via include/findusers.php. An attacker can provide a security token and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can bypass authorization and gain unauthorized access to sensitive information or perform unauthorized actions.
Remediation
Upgrade to ImpressCMS version 1.4.3 or later to fix the vulnerability.
InduSoft Web Studio NTWebServer Directory Traversal Vulnerability
runzero-match
service["product"] contains "InduSoft:Web Studio"Description
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files.
Remediation
Apply updates per vendor instructions.
Inductive Automation Ignition - Gateway Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Ignition Gateway"})Description
Inductive Automation Ignition is a widely-deployed industrial SCADA/HMI
platform used in manufacturing, utilities, and process industries. The
Ignition Gateway web interface provides access to project management,
OPC-UA tag browsing, and system configuration. Exposed gateways may
allow unauthenticated access to project lists and system information.
Infinispan - Default Admin Login
Author: DhiyanesDkAdded: May 14, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "647951307"Description
The Infinispan REST API was found exposed with the default administrator credentials `admin:password`. An unauthenticated network attacker can authenticate via HTTP Digest and gain full read/write access to all cache managers, caches, and server administration endpoints.
InfluxDB <1.7.6 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)influxdb - admin interface"})Description
InfluxDB before 1.7.6 contains an authentication bypass vulnerability via the authenticate function in services/httpd/handler.go. A JWT token may have an empty SharedSecret (aka shared secret). An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
An attacker can bypass authentication and gain unauthorized access to the InfluxDB database.
Remediation
Update Influxdb to version 1.7.6~rc0-1 or higher.
InfluxDB Admin Interface Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)influxdb - admin interface"})Description
InfluxDB admin interface panel was detected.
Infoblox NIOS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Infoblox"})Description
Infoblox NIOS login panel was detected.
Infoblox NetMRI < 7.6.1 - Remote Code Execution via Hardcoded Ruby Cookie Secret Key
runzero-match
any(each(service["html.titles"]), {# matches "netmri"})Description
Infoblox NetMRI virtual appliances before version 7.6.1 are vulnerable to remote code execution (RCE) due to the use of a hardcoded Ruby on Rails session cookie secret key. The Rails web component deserializes session cookies if the signing key is valid. Attackers with knowledge of this key can craft malicious session cookies that are deserialized by the application, leading to arbitrary code execution. This vulnerability is related to the known Ruby on Rails deserialization flaw (CVE-2013-0156). Infoblox did not assign a new CVE for this issue, as it is a result of the underlying Rails vulnerability.
Impact
An attacker can exploit this vulnerability to execute arbitrary commands on the NetMRI server, potentially leading to complete system compromise.
Remediation
Upgrade Infoblox NetMRI to version 7.6.1 or later to mitigate this vulnerability.
Inspur Clusterengine 4 - Default Admin Login
Author: ritikchaddhaAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TSCEV4\\.0"})Description
Inspur Clusterengine version 4 default admin login credentials were successful.
Inspur Clusterengine V4 SYSshell - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TSCEV4\\.0"})Description
Inspur Clusterengine V4 SYSshell was found and allows remote command execution by design.
InstaWP Connect < 0.1.0.86 - Local PHP File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/instawp-connect"Description
The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
Impact
Unauthenticated attackers can include and execute arbitrary PHP files through the instawp-database-manager parameter, allowing arbitrary code execution and potential complete server compromise.
Remediation
Update InstaWP Connect plugin to version 0.1.0.86 or later.
Integrate Google Drive <= 1.5.3 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/integrate-google-drive"Description
File Manager for Google Drive - Integrate Google Drive with WordPress plugin for WordPress <= 1.5.3 contains sensitive information exposure caused by improper protection of the get_localize_data function, letting unauthenticated attackers extract Google OAuth credentials and account email addresses, exploit requires no authentication.
Impact
Unauthenticated attackers can extract sensitive Google OAuth credentials and email addresses, risking account compromise and data theft.
Remediation
Update to a version later than 1.5.3 or the latest available version.
Integrated Management Module - Default Login
runzero-match
service["http.body"] matches "(?i)ibmdojo"Description
Integrated Management Module default login credentials were discovered.
Intel Active Management - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)active management technology"})Description
Intel Active Management platforms are susceptible to authentication bypass. A non-privileged network attacker can gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability. A non-privileged local attacker can provision manageability features, gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology, Intel Standard Manageability, and Intel Small Business Technology. The issue has been observed in versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for all three platforms. Versions before 6 and after 11.6 are not impacted.
Impact
An attacker can bypass authentication and gain unauthorized access to the Intel Active Management firmware, potentially leading to unauthorized control of the affected system.
Remediation
Update the Intel Active Management firmware to version 11.6.55, 11.7.55, 11.11.55, 11.0.25, 8.1.71, or 7.1.91 to mitigate the vulnerability.
Intelbras NPLUG 1.0.0.14 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)NPLUG"Description
Intelbras NPLUG 1.0.0.14 is vulnerable to authentication bypass through cookie manipulation. An attacker can bypass authentication by simply setting a cookie named "admin:".
Impact
Unauthenticated attackers can bypass authentication and download the router configuration file containing credentials, network settings, and sensitive information.
Remediation
Update the device firmware to the latest version.
Intelbras Router Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Intelbras"})Description
Intelbras router logjn panel was detected.
Intelbras Router Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)intelbras"})Description
Intelbras router panel was detected.
Intelbras Switch - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)intelbras"})Description
An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration.
Impact
Unauthenticated attackers can exploit authentication bypass to download backup configuration files containing critical device information including credentials and network configuration from Intelbras Switch devices.
Remediation
Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
Intelbras WRN 150 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)WRN150"Description
Intelbras WRN 150 router is vulnerable to authentication bypass through cookie manipulation. An attacker can bypass authentication and download the router configuration file by manipulating the admin:language cookie.
Impact
Attackers can bypass authentication and download the router configuration file containing credentials, network settings, and sensitive information, potentially leading to complete network compromise.
Remediation
Update the router firmware to the latest version.
Intellian Aptus Web Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)intellian aptus web"})Description
Intelllian Aptus Web login panel was detected.
Internet Multi Server Control Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)i-MSCP - Multi Server Control Panel"})Description
Internet Multi Server Control Panel was detected.
Invision Community <=5.0.6 Unauthenticated RCE via Template Injection
runzero-match
service["http.body"] matches "(?i)Invision"Description
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (/applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method, which is evaluated by the template engine. Accordingly, unauthenticated attackers can inject and execute arbitrary PHP code by providing crafted template strings.
Impact
Unauthenticated attackers can inject and execute arbitrary PHP code through the content parameter in themeeditor.php, achieving complete server compromise.
Remediation
Upgrade Invision Community to version 5.0.7 or later that properly sanitizes template strings before evaluation.
Issabel Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Issabel"})Description
Issabel login panel was detected.
Issabel PBX 4.0.0-6 - Directory Listing
runzero-match
any(each(service["html.titles"]), {# matches "(?i)issabel"})Description
An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory
Impact
Exploiting this vulnerability could lead to unauthorized access to sensitive directories and files, compromising the confidentiality of the system.
Remediation
It is recommended to update to a patched version of issabel-pbx or apply necessary configuration changes to prevent directory listing.
Ivanti Cloud Services Appliance - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cloud services appliance"}) || any(each(service["html.titles"]), {# matches "(?i)landesk\\(r\\) cloud services appliance"})Description
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Impact
Unauthenticated attackers can exploit path traversal to access restricted administrative functionality, potentially gaining unauthorized control of the Ivanti Cloud Services Appliance and accessing sensitive user management features.
Remediation
Update Ivanti Cloud Services Appliance to version 4.6 Patch 519 or later to address the path traversal vulnerability.
Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection
runzero-match
service["http.body"] matches "welcome\\.cgi\\?p=logo"Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Impact
Authenticated administrators can execute arbitrary OS commands on the Ivanti appliance, leading to complete system compromise.
Remediation
Update Ivanti Connect Secure and Policy Secure to versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 or later.
Ivanti Connect Secure - Stack-based Buffer Overflow
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ivanti connect secure"})Description
Ivanti Connect Secure < 22.7R2.5, Ivanti Policy Secure < 22.7R1.2, and Ivanti Neurons for ZTA gateways < 22.7R2.3 contain a stack-based buffer overflow in the clientCapabilities parameter handling. This vulnerability allows remote unauthenticated attackers to execute arbitrary code through IF-T TLS requests.
Impact
Unauthenticated attackers can exploit a stack-based buffer overflow to execute arbitrary code remotely on Ivanti Connect Secure devices, potentially compromising VPN infrastructure and accessing all connected networks.
Remediation
Upgrade to Ivanti Connect Secure version 22.7R2.5, Ivanti Policy Secure version 22.7R1.2, or Ivanti Neurons for ZTA version 22.7R2.3 or later.
Ivanti Connect Secure - XXE
Author: watchTowrAdded: Feb 9, 2024
runzero-match
service["http.body"] matches "welcome\\.cgi\\?p=logo"Description
Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
Remediation
Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
Ivanti Connect Secure Panel - Detect
Author: rxeriumAdded: Feb 3, 2024
runzero-match
service["http.body"] matches "(?i)welcome\\.cgi\\?p=logo" || any(each(service["html.titles"]), {# matches "(?i)ivanti connect secure"})Description
Ivanti Connect Secure provides a seamless, cost-effective SSL VPN solution for remote and mobile users from any web-enabled device to corporate resources— anytime, anywhere.
Ivanti EPM - Credential Coercion Vulnerability in GetHashForSingleFile
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForSingleFile endpoint. The vulnerability exists due to improper input validation in the wildcard parameter, allowing an attacker to specify a remote UNC path that triggers NTLM authentication.
Impact
Unauthenticated attackers can coerce NTLM authentication from the EPM server via UNC paths, allowing credential theft through man-in-the-middle attacks.
Remediation
Update Ivanti Endpoint Manager (EPM) to a patched version that addresses CVE-2024-13161.
Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcard
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForWildcard endpoint. The vulnerability exists due to improper input validation in the wildcard parameter, allowing an attacker to specify a remote UNC path that triggers NTLM authentication.
Impact
Unauthenticated attackers can coerce NTLM authentication from the EPM server via UNC paths, allowing credential theft through man-in-the-middle attacks.
Remediation
Update Ivanti Endpoint Manager (EPM) to a patched version that addresses CVE-2024-13160.
Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcardRecursive
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForWildcardRecursive endpoint. The vulnerability exists due to improper input validation in the wildcard parameter, allowing an attacker to specify a remote UNC path that triggers NTLM authentication.
Impact
Unauthenticated attackers can coerce NTLM authentication from the EPM server via UNC paths, allowing credential theft through man-in-the-middle attacks.
Remediation
Update Ivanti Endpoint Manager (EPM) to a patched version that addresses CVE-2024-13159.
Ivanti EPM Cloud Services Appliance Code Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)landesk\\(r\\) cloud services appliance"})Description
Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512 is susceptible to a code injection vulnerability because it allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
Impact
Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
Remediation
Apply the latest security patches provided by Ivanti to mitigate this vulnerability.
Ivanti Endpoint Manager - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
Ivanti Endpoint Manager < 2024 SU5 contains an authentication bypass caused by improper access control, letting remote unauthenticated attackers leak stored credential data, exploit requires no special privileges.
Impact
Remote attackers can leak stored credential data, potentially compromising sensitive information.
Remediation
Update to version 2024 SU5 or later.
Ivanti Endpoint Manager Mobile (EPMM) - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023. A patch is available.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system.
Remediation
Apply the latest security patches or updates provided by Ivanti to fix the authentication bypass vulnerability in Endpoint Manager Mobile (EPMM).
Ivanti Endpoint Manager Mobile - Unauthenticated Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. This leads to unauthenticated Remote Code Execution via unsafe userinput in one of the bean validators which is sink for Server-Side Template Injection.
Impact
Unauthenticated attackers can execute arbitrary code with elevated privileges through server-side template injection in bean validators, achieving complete system compromise.
Remediation
Apply the security patches as described in the Ivanti security advisory for Endpoint Manager Mobile.
Ivanti ICS - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)welcome\\.cgi\\?p=logo" || any(each(service["html.titles"]), {# matches "(?i)ivanti connect secure"})Description
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Impact
Unauthenticated attackers can bypass authentication controls and access restricted administrative resources, potentially exposing sensitive configuration data.
Remediation
Upgrade Ivanti Connect Secure and Policy Secure to the latest patched versions as provided in the vendor advisory.
Ivanti Incapptic Connect Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)incapptic"}) || service["favicon.ico.image.mmh3"] == "-1067582922"Description
Ivanti Incapptic Connect panel was detected.
Ivanti MobileIron (Log4j) - Remote Code Execution
runzero-match
service["http.body"] matches "MobileIron"Description
Ivanti MobileIron is susceptible to remote code execution via the Apache Log4j2 library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Remediation
From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Ivanti SAML - Server Side Request Forgery (SSRF)
runzero-match
service["http.body"] matches "welcome\\.cgi\\?p=logo"Description
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Impact
Unauthenticated attackers can perform SSRF attacks to access restricted internal resources and bypass authentication mechanisms.
Remediation
Update Ivanti Connect Secure, Policy Secure, and Neurons for ZTA to the latest patched versions.
Ivanti Sentry - Authentication Bypass
runzero-match
service["http.body"] matches "Note: Requires a local Sentry administrative user"Description
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the system.
Remediation
Apply the latest security patches or updates provided by Ivanti to fix the authentication bypass vulnerability.
Ivanti Traffic Manager Panel - Detect
Author: rxeriumAdded: Aug 25, 2024
runzero-match
service["http.body"] matches "(?i)Login \\(Virtual Traffic Manager"Description
An Ivanti Traffic Manager Login Panel was detected.
Ivanti(R) Cloud Services Appliance - Panel
Author: rxeriumAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cloud Services Appliance"})Description
An Ivanti Cloud Services Appliance panel was detected.
JBoss SOA Platform Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)welcome to the jboss soa platform"})Description
JBoss SOA Platform login panel was detected.
JBoss WS JUDDI Console Panel - Detect
runzero-match
service["http.body"] matches "(?i)jboss ws"Description
The jUDDI (Java Universal Description, Discovery and Integration) Registry is a core component of the JBoss Enterprise SOA Platform. It is the product's default service registry and comes included as part of the product. In it are stored the addresses (end-point references) of all the services connected to the Enterprise Service Bus. It was implemented in JAXR and conforms to the UDDI specifications.
Remediation
Restrict access to the service if not needed.
JBoss jBPM Administration Console Default Login - Detect
runzero-match
service["http.body"] matches "JBossWS"Description
JBoss jBPM Administration Console default login information was detected.
JBoss jBPM Administration Console Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)jbossws"Description
JBoss jBPM Administration Console login panel was detected.
JEHC-BPM - Remote Code Execute
runzero-match
service["http.body"] matches "(?i)JEHC"Description
A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the /server/executeExec endpoint due to missing authorization checks, achieving complete server compromise.
Remediation
Upgrade JEHC-BPM to a version later than 2.0.1 that implements proper authorization checks on the executeExec endpoint.
JFinalCMS v5.0.0 - Directory Traversal
runzero-match
service["http.body"] matches `(?i)content="JreCms`Description
An issue in the component /common/DownController.java of JFinalCMS v5.0.0 allows attackers to execute a directory traversal.
Impact
Unauthenticated attackers can read arbitrary files from the server through path traversal in the filekey parameter, potentially exposing database credentials, application configuration, and sensitive CMS content.
Remediation
Update JFinalCMS to a version newer than 5.0.0 that validates and sanitizes file paths in DownController.java to prevent directory traversal attacks.
JFrog Artifactory Artifacts Exposure
Author: DhiyaneshDkAdded: Dec 10, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Jfrog"})Description
JFrog Artifactory Artifact repository was exposed.
JFrog Artifactory Build - Exposure
Author: theamanrawatAdded: Dec 29, 2025
runzero-match
service["product"] contains "JFrog:Artifactory"Description
Detected exposure of build information in JFrog Artifactory via unauthenticated API endpoints. Access to these endpoints may disclose sensitive data such as build names, numbers, CI/CD pipeline details, artifact paths, and internal infrastructure information.
JFrog Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)JFrog"})Description
JFrog login panel was detected.
JHipster Platform - Default Login
Author: ritikchaddhaAdded: Jan 15, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)JHipster"})Description
Detects the presence of JHipster application dashboard or API endpoints that allow authentication using default credentials. JHipster applications by default are often configured with the username "admin" and password "admin", potentially exposing application management interfaces or sensitive APIs if not changed after deployment.
JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
runzero-match
any(each(service["html.titles"]), {# matches "system dashboard - jira"})Description
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
Impact
Unauthenticated attackers can execute arbitrary code on the server, read arbitrary files, or cause denial of service, potentially leading to complete server compromise.
Remediation
Upgrade to JIRA Server version 6.3.0 or later.
JS Help Desk <= 2.8.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/js-support-ticket/"Description
The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘email' and 'trackingid' parameters in all versions up to 2.8.2 (exclusive) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of JS Help Desk, version 2.8.2 or later.
JS Help Desk <= 2.8.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/js-support-ticket/"Description
JS Help Desk WordPress plugin 2.8.2 contains a SQL injection caused by insufficient escaping and preparation of user-supplied values in 'js-support-ticket-token-tkstatus' cookie, letting unauthenticated attackers extract sensitive database information, exploit requires no authentication.
Impact
Unauthenticated attackers can extract sensitive database information, leading to data disclosure.
Remediation
Update to the latest version of JS Help Desk plugin.
Jaeger End-of-Life - Detect
Author: Shivam KambojAdded: Mar 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Jaeger UI"})Description
Detected Jaeger versions that have reached End-of-Life (EOL) and no longer receive security updates.
Jalios JCMS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)jalios jcms"Description
Jalios JCMS login panel was detected.
JamF (Log4j) - Remote Code Execution
runzero-match
service["http.body"] matches "JamF"Description
JamF is susceptible to remote code execution via the Apache log4j library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
JamF Pro - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Jamf Pro"})Description
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
Jamf MDM Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1262005940"Description
Jamf Mobile Device Management login panel was detected.
Jamf Pro Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Jamf Pro"})Description
Jamf Pro login panel was detected.
Jamf Pro Setup Assistant Panel - Detect
runzero-match
service["http.body"] matches "(?i)Jamf Pro Setup"Description
Jamf Pro Setup Assistant panel was detected.
Jan v0.4.12 'readFileSync' - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-165268926"Description
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
Impact
Unauthenticated attackers can read arbitrary files from the system via path traversal in the readFileSync interface.
Remediation
Update Jan to a version later than v0.4.12 that patches the path traversal vulnerability.
Janitza GridVis Energy Management - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^GridVis"})Description
Janitza GridVis is an energy monitoring and management software platform by Janitza Electronics GmbH.
It provides real-time power quality analysis, energy data logging, and grid visualisation for industrial facilities.
Janitza UMG Power Meter - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)Janitza UMG"Description
Janitza UMG series power meters and energy analyzers expose a web interface for energy monitoring and power quality analysis.
Javafaces LFI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)weblogic"})Description
An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
Impact
Unauthenticated attackers can exploit local file inclusion through Java Server Faces resource handlers to read sensitive configuration files including WEB-INF/web.xml, exposing Oracle GlassFish, WebLogic, and JDeveloper application configurations.
Remediation
Apply the latest patches and updates for the affected software to fix the LFI vulnerability.
Jedox Web Login Panel - Detect
Author: Team Syslifters / Christoph MAHRL,Aron MOLNAR,Patrick PIRKER,Michael WEDLAdded: May 11, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jedox web - login"}) || any(each(service["html.titles"]), {# matches "(?i)jedox web login"})Description
Jedox is an Enterprise Performance Management software which is used for planning, analytics and reporting in finance and other areas such as sales, human resources and procurement.
JeePlus CMS - SQL Injection
runzero-match
service["http.body"] matches "(?i)jeeplus\\.js"Description
A SQL injection vulnerability exists in the JeePlus low-code development platform, allowing attackers to manipulate database queries.This can lead to unauthorized data access, modification, or potential compromise of the application.
Jeecg Boot <= 2.4.5 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jeecg-boot"})Description
An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface.
Impact
An attacker can exploit this vulnerability to gain sensitive information from the application.
Remediation
Upgrade Jeecg Boot to a version higher than 2.4.5 to mitigate the vulnerability.
Jeecg Boot <= 2.4.5 - Sensitive Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jeecg-boot"})Description
Jeecg Boot <= 2.4.5 API interface has unauthorized access and leaks sensitive information such as email,phone and Enumerate usernames that exist in the system.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to unauthorized access or data leakage.
Remediation
Upgrade Jeecg Boot to version 2.4.6 or later to fix the vulnerability.
Jeecg P3 Biz Chat - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726"Description
Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files through specific parameters.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.
Remediation
Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in Jeecg P3 Biz Chat.
Jeecg-Boot v3.5.1 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726"Description
SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData in jeecg-boot v3.5.1.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Implement input validation and use parameterized queries to prevent SQL Injection attacks.
Jeecg-boot 3.5.0 qurestSql - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726"Description
A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade Jeecg-boot to a patched version or apply the necessary security patches provided by the vendor.
JeecgBoot 3.5.0 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726"Description
jeecg-boot 3.5.0 and 3.5.1 have a SQL injection vulnerability the id parameter of the /jeecg-boot/jmreport/show interface.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade JeecgBoot to a patched version or apply the necessary security patches provided by the vendor.
JeecgBoot JimuReport - Template injection
Author: Sumanth VankineniAdded: Jul 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Jeecg-Boot"})Description
A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Impact
Unauthorized api called /jmreport/queryFieldBySql led to remote arbitrary code execution due to parsing SQL statements using Freemarker.
Remediation
Upgrading to version 1.6.1 is able to address this issue. It is recommended to upgrade the affected component.
JeecgBoot v3.7.1 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726" || service["favicon.ico.image.mmh3"] == "-250963920"Description
The JeecgBoot application is vulnerable to SQL Injection via the `getTotalData` endpoint. An attacker can exploit this vulnerability to extract sensitive information from the database by injecting SQL commands.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to extract sensitive information from the JeecgBoot database.
Remediation
Update JeecgBoot to a version that patches CVE-2024-48307.
Jeedom - Default Login
Author: ritikchaddhaAdded: Jun 28, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Jeedom"})Description
Jeedom default login has been detected.
Jeedom Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jeedom"})Description
Jeedom login panel was detected.
Jellyfin 10.7.2 - Server Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Jellyfin"})Description
Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
Impact
This vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further exploitation of the target system.
Remediation
Upgrade to version 10.7.3 or newer. As a workaround, disable external access to the API endpoints "/Items/*/RemoteImages/Download", "/Items/RemoteSearch/Image" and "/Images/Remote".
Jellyfin <10.7.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Jellyfin"Description
Jellyfin before 10.7.0 is vulnerable to local file inclusion. This issue is more prevalent when Windows is used as the host OS. Servers exposed to public Internet are potentially at risk.
Impact
Successful exploitation could allow an attacker to read sensitive files on the server.
Remediation
This is fixed in version 10.7.1.
Jellyfin Console - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Jellyfin"})Description
Weak Jellyfin credentials were discovered.
Jellyseerr Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-2017604252"Jenkins - Remote Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "81586312"Description
Jenkins 2.153 and earlier and LTS 2.138.3 and earlier are susceptible to a remote command injection via stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire Jenkins server.
Remediation
Apply the latest security patches and updates provided by Jenkins to mitigate this vulnerability.
Jenkins API Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "81586312"Description
Jenkins API panel was detected.
Jenkins Command Line Interface (CLI) Path Traversal Vulnerability
runzero-match
service["product"] contains "Jenkins"Description
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces
an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers
to read arbitrary files on the Jenkins controller file system.
Remediation
Upgrade affected versions of Jenkins to the latest patched version. If unable to upgrade the affected system,
disabling CLI access can be implemented as a workaround.
Jenkins Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Jenkins"})Description
Jenkins credentials of admin:admin were discovered.
Jenkins GitHub Plugin <=1.29.1 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)jenkins.github"Description
Jenkins GitHub Plugin 1.29.1 and earlier is susceptible to server-side request forgery via GitHubTokenCredentialsCreator.java, which allows attackers to leverage attacker-specified credentials IDs obtained through another method and capture the credentials stored in Jenkins.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further attacks on the network.
Remediation
Upgrade Jenkins GitHub Plugin to version 1.29.2 or later to mitigate the vulnerability.
Jenkins Gitlab Hook <=1.4.2 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitLab"})Description
Jenkins Gitlab Hook 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected cross-site scripting vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
Remediation
Upgrade to the latest version of Jenkins Gitlab Hook plugin (>=1.4.3) to mitigate this vulnerability.
Jenkins Login Detected
runzero-match
service["favicon.ico.image.mmh3"] == "81586312"Description
Jenkins is an open source automation server.
Remediation
Ensure proper access.
Jenkins Users - Exposure
Author: theamanrawatAdded: Dec 4, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "81586312"Description
Detected an exposed Jenkins asynchPeople endpoint that discloses user information (e.g., users, full names, and profile URLs) allowing user enumeration.
JetBrains TeamCity > 2023.11.3 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)teamcity"})Description
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
Impact
Unauthenticated attackers can bypass authentication to gain administrative access and potentially execute code on the TeamCity server.
Remediation
Update JetBrains TeamCity to version 2023.11.3 or later.
Jinhe OA - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)金和协同管理平台"})Description
SQL injection vulnerability in the ljc6/servlet/clobfield interface of Jinhe OA jc6. An attacker can obtain sensitive information.
Jinher OA - SQL Injection
runzero-match
service["http.body"] matches "(?i)/jc6/platform/sys/login"Description
jinher jinher_oa is an office automation software that facilitates workflow management and collaboration within organizations. It sits in the enterprise layer of the tech stack, is typically deployed as self_hosted, and—within the information_technology industry—serves the business_apps domain.
Impact
Remote attackers can execute arbitrary SQL commands, potentially leading to data theft or database compromise.
Remediation
Update to the latest version.
Jira <8.4.0 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)Atlassian.Jira"Description
Jira before 8.4.0 is susceptible to server-side request forgery. The /plugins/servlet/gadgets/makeRequest resource contains a logic bug in the JiraWhitelist class, which can allow an attacker to access the content of internal network resources and thus modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
Remediation
Upgrade Jira to version 8.4.0 or later to mitigate the SSRF vulnerability.
Jitsi Meet - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Jitsi Meet"})Description
Jitsi Meet is susceptible to Log4j JNDI remote code execution. Jitsi is a collection of free and open-source multiplatform voice, video conferencing and instant messaging applications for the Web platforms.
Joget Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1343712810"Description
Joget panel was detected.
JoomSport <= 5.7.7 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1546880397"Description
The JoomSport WordPress plugin through 5.7.7 is vulnerable to unauthenticated time-based blind SQL injection via the 'sortf' GET parameter in the player list view. The parameter value is backtick-wrapped and directly concatenated into an ORDER BY clause.
Impact
Unauthenticated attackers can extract any data from the WordPress database including admin credentials, user emails, and plugin-stored secrets via time-based blind SQL injection.
Remediation
Update to JoomSport version 5.7.8 or later, which implements column whitelist validation.
Joomla HTTP Header Unauthenticated - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Description
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015
Impact
Attackers can execute arbitrary PHP code on the server through PHP object injection, leading to complete server compromise and potential data breach.
Remediation
Update to Joomla 3.4.6 or later immediately.
Joomla! <3.7.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Description
Joomla! before 3.7.1 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and potential compromise of the entire Joomla! website.
Remediation
Upgrade Joomla! to version 3.7.1 or later to mitigate the SQL Injection vulnerability.
Joomla! Core SQL Injection
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Description
A SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the Joomla! CMS.
Remediation
Apply the latest security patches and updates provided by Joomla! to mitigate the SQL Injection vulnerability.
Joomla! Panel
Author: its0x08Added: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Joomla! Webservice - Password Disclosure
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Description
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Impact
The vulnerability can lead to unauthorized access to user passwords, compromising the confidentiality of user accounts.
Remediation
Upgrade to Joomla! version 4.2.8 or later.
JoomlaUX JUX Real Estate 3.4.0 - Reflected XSS
runzero-match
service["http.body"] matches "(?i)joomlaux"Description
A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla. It has been classified as problematic. Affected is an unknown function of the file /extensions/realestate/index.php/properties/list/list-with-sidebar/realties. The manipulation of the argument Itemid/jp_yearbuilt leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Impact
Attackers can inject malicious JavaScript through the Itemid and jp_yearbuilt parameters, potentially stealing user session cookies, redirecting users to malicious sites, or performing unauthorized actions in the context of authenticated users.
Remediation
Upgrade to the latest patched version of JUX Real Estate that properly sanitizes user input.
Joplin Server Login - Panel
Author: pussycat0xAdded: Jun 15, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Joplin Server"})Description
Joplin Server login panel detected.
Jorani 1.0.0 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-2032163853"Description
Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade Jorani to a patched version or apply the necessary security patches.
Jorani Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Login - Jorani"Description
Jorani login panel was detected.
Journyx - XML External Entities Injection (XXE)
runzero-match
service["favicon.ico.image.mmh3"] == "-109972155"Description
The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.
Impact
Unauthenticated attackers can exploit XXE to read local files, perform SSRF attacks, and cause denial of service by overwhelming server resources.
Remediation
Update Journyx to version 11.5.5 or later to address the XXE vulnerability.
Journyx 11.5.4 - Reflected Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)Journyx"Description
Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application.
Impact
Attackers can craft malicious URLs with XSS payloads in the error_description parameter to execute arbitrary JavaScript when victims click the link.
Remediation
Update Journyx to version 11.5.5 or later to address the reflected XSS vulnerability.
JshERP Boot Panel - Detect
Author: DhiyaneshDkAdded: Jun 26, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1298131932"JumpServer - Open Redirect via Referer Header
runzero-match
service["http.body"] matches "JumpServer 开源堡垒机"Description
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability.
Impact
An attacker can craft a malicious link that, when clicked by a victim, redirects them toan attacker-controlled website. This can be used to steal credentials through phishing or to distribute malware.
Remediation
Upgrade JumpServer to version 3.10.19 or later (for v3.x) or version 4.10.5 or later (for v4.x).
JumpServer > 3.6.4 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jumpserver"})Description
JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).
Impact
The vulnerability allows an attacker to gain sensitive information from the JumpServer application.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
JumpServer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)'JumpServer'"})Description
JumpServer Open Source Bastion Host login panel was detected.
Juniper J-Web - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)juniper web device manager"})Description
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain environments variables to execute remote commands
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Juniper J-Web Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Juniper Web Device Manager"})Description
Juniper J-Web panel was detected.
Juniper Web Device Manager - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Juniper Web Device Manager"})Description
Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Juniper Networks to mitigate this vulnerability.
Jupyter Notebook - Remote Command Execution
Author: HuTa0Added: Jul 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jupyter notebook"})Description
Jupyter Notebook is an interactive Notebook, computer application is a web based visualization, Jupyter Notebook API/terminals path there are loopholes in the remote command execution.
Jupyter Notebook Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)JupyterHub"Description
Jupyter Notebook login panel was detected.
JupyterHub Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "JupyterHub"})Description
JupyterHub is a multi-user server for Jupyter notebooks
Jupyterhub - Default Admin Discovery
runzero-match
any(each(service["html.titles"]), {# matches "JupyterHub"})Description
Jupyterhub default admin credentials were discovered.
JustBoil.me Images Plugin - Exposed Image Upload
Author: 0xr2rAdded: Sep 23, 2025
runzero-match
service["http.body"] matches "(?i)/plugins/generic/tinymce/plugins/justboil\\.me/"Description
JustBoil.me Images Plugin for TinyMCE contains an exposed dialog interface that could lead to potential security vulnerabilities. The plugin's dialog-v4.htm file is accessible without proper access controls, which may allow unauthorized access to image upload functionality.
KACO New Energy Solar Inverter - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "-890342445" || any(each(service["html.titles"]), {# matches "KACO new energy"})Description
KACO new energy is a solar inverter manufacturer. Their inverters include a built-in web server
that serves compressed HTML over HTTP for monitoring inverter status and energy production data.
Devices are commonly deployed on residential and commercial solar installations.
KLog Server - Default Login
Author: s4e-ioAdded: Feb 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "KLog Server"})Description
KLog Server contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
KR-Web <=1.1b2 - Remote File Inclusion
runzero-match
service["product"] matches "(?i)gianni.tommasi.kr.php"Description
KR-Web 1.1b2 and prior contain a remote file inclusion vulnerability via adm/krgourl.php, which allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter.
Impact
An attacker can exploit this vulnerability to include arbitrary files from remote servers, leading to remote code execution or information disclosure.
Remediation
Upgrade to a patched version of KR-Web or apply the necessary security patches to fix the remote file inclusion vulnerability.
Kaeser Sigma Air Manager - Panel
Author: Th3l0newolfAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "SIGMA AIR MANAGER"})Description
Detected exposed Kaeser Sigma Air Manager login panel
Kafka UI 0.7.1 Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1477045616"Description
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
Impact
Authenticated attackers can inject and execute arbitrary commands via Groovy script injection in the filterQueryType parameter.
Remediation
Upgrade Kafka UI to version 0.7.2 or later.
Kanboard - Default Login
runzero-match
service["http.body.mmh3"] == "1605834045"Description
Kanboard contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Kanboard Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "2056442365"Description
Kanboard login panel was detected.
Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent
runzero-match
service["favicon.ico.image.mmh3"] == "-1445519482"Description
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
Impact
Unauthenticated attackers can obtain Agent_Guid and AgentPassword credentials via the download page, gaining authenticated access to execute further attacks against Kaseya VSA.
Remediation
Update to version 9.5.7 or later to remediate this vulnerability.
Kaseya Virtual System Administrator - Open Redirect
runzero-match
service["product"] matches "(?i)kaseya.virtual.system.administrator"Description
Kaseya Virtual System Administrator 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 are susceptible to an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
Impact
Attackers can redirect users to malicious sites, facilitating phishing attacks and potential credential theft.
Remediation
Update to version 7.0.0.29, 8.0.0.18, 9.0.0.14, or 9.1.0.4 or later.
Kasm Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-2144699833"Description
Kasm workspaces login panel was detected.
Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization
runzero-match
service["http.body"] matches "kaswara"Description
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.
Impact
Unauthenticated attackers can perform unauthorized actions including file uploads, deletions, and data import, potentially leading to site compromise.
Remediation
Deactivate and delete the plugin from the server
Kavita Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kavita"})Description
Kavita login panel was detected.
Kemp LoadMaster Load Balancer - Unauthenticated Command Injection
runzero-match
service["http.body"] matches "Kemp Login Screen"Description
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: LoadMaster: 7.2.40.0 and above. ECS: All versions.Multi-Tenancy: 7.1.35.4 and above.
Impact
Unauthenticated attackers can execute arbitrary OS commands on the LoadMaster load balancer through command injection, achieving complete system compromise with potential to pivot to backend infrastructure.
Remediation
Apply security updates from Kemp Technologies as specified in their security advisory for LoadMaster versions 7.2.40.0 and above, ECS all versions, and Multi-Tenancy 7.1.35.4 and above.
Kentico - Installer Privilege Escalation
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kentico database setup"})Description
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 are susceptible to a privilege escalation attack. An attacker can obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
Impact
An attacker can gain administrative privileges on the Kentico CMS system.
Remediation
Upgrade to the latest version of Kentico CMS to fix the privilege escalation vulnerability.
Kentico CMS 8.2 - Open Redirect
runzero-match
service["product"] matches "(?i)kentico.cms"Description
Kentico CMS 8.2 contains an open redirect vulnerability via GetDocLink.ashx with link variable. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Apply the latest security patches or upgrade to a newer version of Kentico CMS.
Kerio Connect Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kerio Connect Client"})Description
Kerio Connect login panel was detected.
Kerio Controle Panel - Detect
Author: johnk3rAdded: Feb 13, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-631002664"Description
Protect your network from viruses, malware and malicious activity with GFI KerioControl, the easy-to-administer yet powerful all-in-one security solution.
Kettle - Default Login
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="Kettle'})Description
Kettle contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Kettle Panel - Detect
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="Kettle'})Description
Kettle panel was detected.
KeyCloak - Information Exposure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)keycloak"}) || service["http.body"] matches "(?i)keycloak" || service["favicon.ico.image.mmh3"] == "-1105083093"Description
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
Impact
The vulnerability allows an attacker to gain sensitive information from the KeyCloak server.
Remediation
Apply the latest security patches or updates provided by the KeyCloak vendor.
KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution
runzero-match
service["product"] matches "(?i)keysight.sensor.management.server"Description
The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file (i.e., \\<attacker-host>\sms\<attacker-db.zip>), effectively controlling the content of the database to be restored.
Impact
Unauthenticated attackers can control database content, potentially leading to data tampering or execution of malicious code.
Remediation
Implement validation and sanitization of the database file path parameter to restrict to trusted locations.
Keycloak - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "keycloak"})Description
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Impact
Attackers can redirect users to malicious URLs and capture sensitive information such as authorization codes and session tokens, potentially leading to session hijacking and account compromise.
Remediation
Update Keycloak configuration to avoid using localhost or 127.0.0.1 as Valid Redirect URIs, and apply security patches addressing the open redirect vulnerability.
Keycloak <= 12.0.1 - request_uri Blind Server-Side Request Forgery (SSRF)
runzero-match
service["http.body"] matches "keycloak"Description
Keycloak 12.0.1 and below allows an attacker to force the server to request an unverified URL using the OIDC parameter request_uri. This allows an attacker to execute a server-side request forgery (SSRF) attack.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to internal resources, data leakage, or further attacks.
Remediation
Upgrade Keycloak to a version higher than 12.0.1 to mitigate this vulnerability.
Keycloak Admin Console Configuration Disclosure
Author: 0x_AkokoAdded: Jan 5, 2026
runzero-match
service["product"] contains "RedHat:Keycloak"Description
Detected Keycloak admin console configuration was exposing realm name, client ID, SSL requirements, and authentication server URL enabling reconnaissance and targeted authentication attacks.
Keycloak Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1105083093" || any(each(service["html.titles"]), {# matches "(?i)keycloak"}) || service["http.body"] matches "(?i)keycloak"Description
Keycloak admin login panel was detected.
Keystone 6 Login Page - Open Redirect and Cross-Site Scripting
runzero-match
service["product"] matches "(?i)keystonejs.keystone"Description
On the login page, there is a "from=" parameter in URL which is vulnerable to open redirect and can be escalated to reflected XSS.
Impact
Attackers can redirect users to malicious websites or inject malicious JavaScript via the from parameter, potentially facilitating phishing attacks or stealing user credentials.
Remediation
Please upgrade to @keystone-6/auth >= 1.0.2, where this vulnerability has been closed. If you are using @keystone-next/auth, we strongly recommend you upgrade to @keystone-6
Kiali - Detect
Author: righettodAdded: Aug 19, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kiali"})Description
kiali panel was detected.
Kibana - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kibana"})Description
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Impact
Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, leading to potential information disclosure and further attacks.
Remediation
Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.
Kibana Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kibana"})Description
Kibana login panel was detected.
Kibana Timelion - Arbitrary Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kibana"})Description
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Impact
Arbitrary code execution can result in unauthorized access, data leakage, and system compromise.
Remediation
Apply the latest security patches or upgrade to a patched version of Kibana to mitigate the vulnerability.
Kiteworks PCN Panel - Detect
Author: righettodAdded: Oct 29, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1215318992"Description
Kiteworks PCN Login Panel was detected.
KiviCare Clinic & Patient Management System (EHR) <= 3.6.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/kivicare-clinic-management-system"Description
The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute time-based SQL injection through the visit_type parameter in the tax_calculated_data action to extract the complete clinic database including patient records, medical history, and appointment data.
Remediation
To remediate this vulnerability, validate and sanitize all user inputs on the server side before using them in SQL queries. Use prepared statements or stored procedures, and ensure that data is properly escaped.
Kiwi TCMS Information Disclosure
Author: act1on3Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kiwi TCMS - Login"})Description
Internal info exposed in Kiwi TCMS.
Kiwi TCMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kiwi tcms - login"})Description
Kiwi TCMS login panel was detected.
KoboldAI Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)KoboldAI Lite"})Description
KoboldAI was detected. KoboldAI was an AI text adventure and story generation interface that supports multiple local and remote language models including koboldcpp and AI Horde.
Koel Panel - Detect
Author: rxeriumAdded: Feb 27, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Koel"})Description
Personal audio streaming service that works.
Kong Manager OSS/Admin - Exposure
Author: Krishna JaishwalAdded: Oct 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kong Manager"})Description
Exposed Kong Manager (OSS/Admin) interface accessible without authentication.
Kopano WebApp Login Panel - Detect
Author: righettodAdded: Feb 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kopano WebApp"})Description
Kopano WebApp login panel was detected.
Kraken Cluster Monitoring Dashboard - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kraken dashboard"})Description
Kraken Cluster Monitoring Dashboard was detected.
KubeOperator Foreground `kubeconfig` - File Download
runzero-match
service["http.body"] matches "(?i)kubeoperator"Description
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.
Impact
An attacker can download sensitive files from the KubeOperator Foreground kubeconfig file, potentially leading to unauthorized access or exposure of sensitive information.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
KubePi <= v1.6.4 LoginLogsSearch - Unauthorized Access
runzero-match
service["http.body"] matches "(?i)kubepi"Description
KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.
Impact
An attacker can gain unauthorized access to sensitive information.
Remediation
Upgrade KubePi to a version higher than v1.6.4 to mitigate the vulnerability.
KubePi JwtSigKey - Admin Authentication Bypass
runzero-match
service["http.body"] matches "(?i)kubepi"Description
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access and control of the Kubernetes cluster.
Remediation
The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.
KubeView <=0.1.31 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kubeview"}) || service["favicon.ico.image.mmh3"] == "-379154636"Description
KubeView through 0.1.31 is susceptible to information disclosure. An attacker can obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication and retrieves certificate files that can be used for authentication as kube-admin. An attacker can thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Unauthenticated attackers can access Kubernetes certificate files through the unauthenticated api/scrape/kube-system endpoint, potentially obtaining kube-admin credentials and gaining complete control over the Kubernetes cluster.
Remediation
Upgrade KubeView to a version higher than 0.1.31 to mitigate the information disclosure vulnerability (CVE-2022-45933).
KubeView Dashboard - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-379154636" || any(each(service["html.titles"]), {# matches "(?i)kubeview"})Description
KubeView dashboard was detected.
Kubeflow Pipelines Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Kubeflow Pipelines"})Description
Kubeflow Pipelines is an open-source platform for building and deploying portable, scalable ML workflows.
It provides a web UI for managing ML pipelines, experiments, and runs on Kubernetes.
Kubernetes API Server - YAML Parsing DoS (Billion Laughs)
runzero-match
service["product"] contains "Kubernetes:Kubernetes"Description
The Kubernetes API server is vulnerable to a denial of service attack via YAML/JSON parsing. An attacker can send a specially crafted YAML/JSON payload that causes exponential memory consumption (Billion Laughs attack), leading to API server crash.
Impact
Attackers can cause the API server to crash or become unavailable by consuming excessive CPU or memory resources.
Remediation
Upgrade to Kubernetes v1.13.12, v1.14.8, v1.15.5, v1.16.2 or later versions with fixed input validation.
Kubernetes Enterprise Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kubernetes web view"})Description
Kubernetes Enterprise Manager panel was detected.
Kubernetes Local Cluster Web View Panel- Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kubernetes web view"})Description
Kubernetes local cluster web view panel discovered.
Kubio AI Page Builder <= 2.5.1 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/kubio/"Description
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Impact
Unauthenticated attackers can include and execute arbitrary files through the kubio_hybrid_theme_load_template function, allowing arbitrary PHP code execution and potential complete server compromise.
Remediation
Fixed in 2.5.2
Kyocera Printer d-COPIA253MF - Directory Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-50306417"Description
Kyocera Printer d-COPIA253MF plus is susceptible to a directory traversal vulnerability which could allow an attacker to retrieve or view arbitrary files from the affected server.
Impact
An attacker can exploit this vulnerability to read arbitrary files from the server, potentially leading to unauthorized access or sensitive information disclosure.
Remediation
Apply the latest firmware update provided by Kyocera to fix the directory traversal vulnerability.
Kyocera TASKalfa printer - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-50306417"Description
CCRX has a Path Traversal vulnerability. Path Traversal is an attack on web applications. By manipulating the value of the file path, an attacker can gain access to the file system, including source code and critical system settings.
Impact
Unauthenticated attackers can manipulate file path values to access sensitive file system resources including source code and critical system configuration files.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
LDAP Account Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LDAP Account Manager"})Description
LDAP Account Manager login panel was detected.
LG Supersign EZ CMS - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "LG SuperSign"})Description
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
Impact
Unauthenticated attackers can execute arbitrary system commands on LG SuperSign CMS servers via the sourceUri parameter, leading to complete server compromise and potential access to connected digital signage systems.
Remediation
Upgrade to a patched version of LG SuperSign CMS that addresses CVE-2018-17173.
LM Studio Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "LM Studio Chat"})Description
LM Studio is a desktop application for discovering, downloading, and running local
LLMs
LMDeploy - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)internlm.lmdeploy"Description
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in the vision-language module. The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal or private IP addresses, allowing unauthenticated attackers to access cloud metadata services, internal networks, and sensitive resources via the image_url parameter in /v1/chat/completions requests.
Impact
An unauthenticated attacker can force the LMDeploy server to make HTTP requests to arbitrary internal or external addresses, leading to cloud credential theft via metadata APIs, internal service enumeration, and information disclosure.
Remediation
Upgrade LMDeploy to version 0.12.3 or later where URL validation via _is_safe_url() blocks requests to non-globally-routable IP addresses.
LOYTEC LGATE-902 6.3.2 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)LGATE-902"Description
LOYTEC LGATE-902 6.3.2 is susceptible to local file inclusion which could allow an attacker to manipulate path references and access files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. This can be used to read and configuration files containing, e.g., usernames and passwords.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the device, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest firmware update provided by LOYTEC to fix the LFI vulnerability.
LaRecipe < 2.8.1 Remote Code Execution via SSTI
runzero-match
service["http.body"] matches "(?i)/binarytorch/larecipe/"Description
LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations.
Impact
Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration.
Remediation
Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch.
LabKey Server Community Edition <18.3.0 - Open Redirect
runzero-match
service["http.head.server"] matches "Labkey"Description
LabKey Server Community Edition before 18.3.0-61806.763 contains an open redirect vulnerability via the /__r1/ returnURL parameter, which allows an attacker to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Upgrade LabKey Server Community Edition to version 18.3.0 or later to mitigate the vulnerability.
LabKey Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in: /home"})Description
LabKey Server login panel was detected.
Label Studio - Login Panel
Author: DhiyaneshDKAdded: Jul 8, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1649949475"Description
Detects the presence of the Label Studio Login Page.
Labstack Echo 4.8.0 - Open Redirect
runzero-match
service["product"] matches "(?i)labstack.echo"Description
Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability could lead to phishing attacks, credential theft,.
Remediation
Download and install 4.9.0, which contains a patch for this issue.
Laminas Project laminas-http - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)laminas"Description
Laminas Project laminas-http < 2.14.2 and Zend Framework 3.0.0 contain a deserialization vulnerability caused by __destruct method in Zend\\Http\\Response\\Stream, letting attackers control content lead to remote code execution, exploit requires attacker-controlled serialized data.
Impact
Attackers can execute arbitrary code remotely by controlling serialized content during deserialization.
Remediation
Update to laminas-http 2.14.2 or later; note that Zend Framework is no longer supported.
Lancom Router Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)LANCOM Systems GmbH"Description
Lancom router login panel was detected.
Landray OA Datajson S Bean - Remote Code Execution
Author: SleepingBag945Added: Aug 29, 2023
runzero-match
service["product"] matches "(?i)Landray.OA系统"Description
Landray Office Automation (OA) software, specifically in the "s_bean" component's "sysFormulaSimulateByJS" functionality. This vulnerability allows remote code execution (RCE), enabling attackers to execute arbitrary code on a target system.
Landray OA Treexml.tmpl - Remote Code Execution
runzero-match
service["product"] matches "(?i)Landray.OA系统"Description
There is a remote command execution vulnerability in Lanling OA treexml.tmpl. An attacker can obtain server permissions by sending a specific request package.
Landray-OA - Remote Code Execution
Author: SleepingBag945Added: Aug 21, 2023
runzero-match
service["product"] matches "(?i)Landray.OA系统"Description
Landray-OA `erp_data.jsp` is vulnerable to remote code execution vulnerability.
LangSmith Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^LangSmith"})Description
LangSmith panel was detected. LangSmith is LangChain's platform for debugging, testing, evaluating, and monitoring LLM applications.
Langflow - Broken Access Control
runzero-match
service["http.body"] matches "(?i)Langflow"Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.
Impact
Unauthenticated attackers can access sensitive user data and perform destructive actions, risking data loss and privacy breaches.
Remediation
Update to version 1.7.0.dev45 or later.
Langflow < 1.9.0 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1727196746" || service["http.body"] matches "(?i)Langflow"Description
Langflow versions prior to 1.9.0 are vulnerable to unauthenticated remote code execution (RCE) via the build_public_tmp endpoint. Attackers can submit a manipulated flow JSON containing Python code that is executed during the build process without proper sandboxing.
Impact
Remote attackers can execute arbitrary Python code without authentication, leading to full system compromise.
Remediation
Update to version 1.9.0 or later.
Langflow AI - Unauthenticated Remote Code Execution
runzero-match
service["http.body"] matches "(?i)Langflow"Description
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
Impact
Unauthenticated attackers can execute arbitrary code through crafted POST requests to the /api/v1/validate/code endpoint, achieving complete server compromise.
Remediation
Upgrade to Langflow version 1.3.0 or later that properly validates user input before passing it to code execution functions.
Langflow AI <= 1.6.9 - CORS Misconfiguration
runzero-match
service["product"] contains "Langflow:Langflow"Description
Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint.
Impact
An attacker can steal authentication tokens via CORS and execute arbitrary code on the server.
Remediation
Upgrade to Langflow version 1.7.0 or later which restricts CORS origins properly.
Langfuse Panel - Detect
Author: ChrisJr404Added: May 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Langfuse"})Description
Langfuse panel was detected. Langfuse is an open-source LLM engineering platform for observability, evaluations, prompt management and analytics. Exposed instances may reveal LLM prompts, traces, evaluations, and connected API keys.
Lansweeper Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)lansweeper - login"})Description
Lansweeper login panel was detected.
Lansweeper Unauthenticated SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)lansweeper - login"})Description
Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.
Impact
This vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire Lansweeper system.
Remediation
Apply the latest security patch or update provided by Lansweeper to fix the SQL Injection vulnerability.
Lantronix PremierWave 2050 8.9.0.0R4 - Remote Command Injection
runzero-match
service["product"] matches "(?i)lantronix.premierwave.firmware"Description
Lantronix PremierWave 2050 8.9.0.0R4 contains an OS command injection vulnerability. A specially-crafted HTTP request can lead to command in the Web Manager Wireless Network Scanner. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or complete compromise of the affected device.
Remediation
Apply the latest firmware update provided by Lantronix to mitigate the vulnerability.
Laravel Backpack Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Backpack Admin"})Description
Laravel Backpack admin login panel was detected.
Laravel Filemanager v2.5.1 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Laravel Filemanager"Description
Laravel Filemanager (aka UniSharp) through version 2.5.1 is vulnerable to local file inclusion via download?working_dir=%2F.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, sensitive data exposure, and remote code execution.
Remediation
Upgrade to a patched version of Laravel Filemanager v2.5.1 or apply the recommended security patches provided by the vendor.
Laravel Login - Panel Detection
Author: ProjectDiscoveryAIAdded: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches `(?i)Login\s*[\p{Pd}|]?\s*Laravel`})Description
A Laravel login panel was detected.
Leantime - Detect
Author: icarotAdded: Mar 9, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Leantime"})Description
Detects a Leantime server, a project management system for non-project managers.
LearnDash LMS < 4.10.2 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sfwd-lms"Description
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.
Impact
Unauthenticated attackers can access the LearnDash API to obtain sensitive quiz materials, questions, and course content that should be restricted to enrolled learners.
Remediation
Fixed in 4.10.2
LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sfwd-lms"Description
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.
Impact
Unauthenticated attackers can access the LearnDash API to obtain uploaded student assignments and coursework that should be restricted to instructors and enrolled learners.
Remediation
Fixed in 4.10.2
LearnDash LMS < 4.10.3 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sfwd-lms"Description
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.
Impact
Unauthenticated attackers can access the LearnDash API to obtain quiz questions, answer options, and point values, compromising the integrity of course assessments.
Remediation
Fixed in 4.10.3
LearnPress < 4.2.6.8.1 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress/"Description
LearnPress – WordPress LMS Plugin contains a sensitive information exposure caused by incorrect implementation of get_items_permissions_check function in all versions up to 4.2.6.8, letting unauthenticated attackers extract user emails and basic information.
Impact
Unauthenticated attackers can access sensitive user information, including emails, leading to privacy breaches.
Remediation
Update to version 4.2.6.9 or later.
LearnPress < 4.2.7.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/learnpress"Description
The LearnPress WordPress LMS Plugin before 4.2.7.1 is vulnerable to unauthenticated SQL injection via the 'c_fields' parameter in the /wp-json/lp/v1/courses/archive-course REST API endpoint, allowing attackers to extract sensitive information from the database.
Impact
Unauthenticated attackers can exploit SQL injection through the c_fields parameter to extract sensitive database information including user credentials, course data, and personal information from the LearnPress LMS.
Remediation
Update the LearnPress plugin to version 4.2.7.1 or later.
LearnPress < 4.2.7.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress"Description
The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
LearnPress < 4.2.7.4 - Course Material - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress/"Description
LearnPress – WordPress LMS Plugin contains a sensitive information exposure caused by insecure handling in class-lp-rest-material-controller.php, letting unauthenticated attackers extract paid course material, exploit requires no authentication.
Impact
Unauthenticated attackers can access and extract sensitive paid course content, leading to intellectual property theft and privacy breaches.
Remediation
Update to the latest version beyond 4.2.7.3 or apply security patches provided by the vendor.
LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress/"Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
Impact
Unauthenticated attackers can access sensitive admin curriculum, quiz answers, and course materials, compromising educational content confidentiality.
Remediation
Update to the latest version beyond 4.2.9.4.
LearnPress < 4.3.2 - Broken Access Control
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress/"Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts.
Impact
Unauthenticated attackers can view sensitive order statistics including revenue and order status, leading to information disclosure.
Remediation
Update to a version later than 4.3.1 or the latest available version.
LearnPress <= 4.2.5.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress" || service["http.body"] matches "(?i)wp-content/plugins/learnpress"Description
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute time-based SQL injection through the order_by parameter to extract the complete WordPress database including user credentials and course data.
Remediation
Fixed in version 4.2.5.8
LearnPress Plugin < 4.2.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress"Description
Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive files, remote code execution, or information disclosure.
Remediation
Upgrade to the latest version of LearnPress Plugin (4.2.0 or higher) to mitigate this vulnerability.
LearnPress Plugin < 4.2.0 - Unauthenticated Time-Based Blind SQLi
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress" || service["http.body"] matches "(?i)wp-content/plugins/learnpress"Description
SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
Impact
Unauthenticated attackers can execute time-based blind SQL injection through the order_by parameter in the LearnPress courses archive endpoint, potentially extracting sensitive database information including user credentials, course data, and student information.
Remediation
Update LearnPress plugin to version 4.2.0 or later that properly sanitizes and parameterizes the order_by parameter.
Lenovo Fan Power Controller Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)fan and power controller"Description
Lenovo Fan Power Controller login panel was detected.
Leostream Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Leostream"})Description
Leostream default admin credentials were discovered.
Leostream Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Leostream"})Description
Leostream login panel was detected.
Letta Letta 0.7.12 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Letta"})Description
Letta 0.7.12 is vulnerable to remote code execution via POST /v1/tools/run in letta.server.rest_api.routers.v1.tools.run_tool_from_source, allowing attackers to execute arbitrary Python and OS commands via crafted tool source code.
Impact
Unauthenticated attackers can execute arbitrary Python code through crafted tool source code in the /v1/tools/run endpoint, achieving remote code execution.
Remediation
Upgrade Letta to a version later than 0.7.12 that properly validates and sandboxes tool source code execution.
Letta Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Letta$"})Description
Letta (formerly MemGPT) is an open-source framework for building stateful LLM agents with long-term memory.
Lexmark Printers - Command Injection
runzero-match
service["http.head.server"] matches "Lexmark_Web_Server"Description
Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 1 of 4).
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the affected device.
Remediation
Apply the latest firmware update provided by Lexmark to mitigate the command injection vulnerability.
LibreChat <= 0.7.9 - HTML Injection via Accept-Language Header
runzero-match
service["product"] contains "LibreChat:LibreChat"Description
danny-avila/librechat 0.7.9 contains a stored XSS caused by improper sanitization of the Accept-Language header, letting logged-in users inject arbitrary HTML into the html lang= tag, exploit requires user to be logged in.
Impact
Logged-in attackers can inject arbitrary HTML leading to cross-site scripting attacks, potentially compromising user sessions or data.
Remediation
Update to the latest version where this issue is fixed.
LibreChat Login Panel - Detection
Author: KazgangapAdded: Dec 31, 2025
runzero-match
service["product"] contains "LibreChat:LibreChat"Description
Detected LibreChat login panel. LibreChat is an open-source, self-hosted AI chat interface.
LibreNMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)librenms"})Description
LibreNMS login panel was detected.
LibrePhotos Panel - Detect
Author: ritikchaddhaAdded: Nov 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LibrePhotos"})LibreSpeed Panel - Detect
Author: ritikchaddhaAdded: Nov 8, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LibreSpeed"})Description
LibreSpeed is a very lightweight speed test implemented in Javascript, using XMLHttpRequest and Web Workers.
Liferay Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "129457226"Description
Liferay login panel was detected,
Liferay Portal - Open Redirect
runzero-match
service["favicon.ico.image.mmh3"] == "129457226"Description
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect.
Impact
Attackers can redirect users to arbitrary external URLs, potentially leading to phishing or malware distribution.
Remediation
Update to the latest supported versions of Liferay Portal and DXP, applying all security patches.
Liferay Portal Unauthenticated < 7.2.1 CE GA2 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "129457226"Description
Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Impact
Unauthenticated attackers can execute arbitrary code via JSON web services, leading to complete server compromise and access to all portal data.
Remediation
Upgrade Liferay Portal to version 7.2.1 CE GA2 or later to mitigate the vulnerability.
Ligeo Archives Ligeo Basics - Server Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Ligeo"})Description
Ligeo Archives Ligeo Basics as of 02_01-2022 is vulnerable to Server Side Request Forgery (SSRF) which allows an attacker to read any documents via the download features.
Impact
The impact of this vulnerability is significant as it can result in unauthorized access to sensitive data or systems.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the Server Side Request Forgery vulnerability.
Lightdash version <= 0.510.3 Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)lightdash"})Description
packages/backend/src/routers in Lightdash before 0.510.3
has insecure file endpoints, e.g., they allow .. directory
traversal and do not ensure that an intended file extension
(.csv or .png) is used.
Impact
The vulnerability can lead to unauthorized access to sensitive information, potentially exposing user credentials, database credentials, and other confidential data.
Remediation
Upgrade Lightdash to a version higher than 0.510.3 to mitigate the vulnerability.
LimeSurvey - Default Admin Credentials
Author: 0x_AkokoAdded: Mar 25, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LimeSurvey"})Description
Detected the LimeSurvey survey management platform was found to be using default administrator credentials (admin:password). An attacker was able to gain full administrative access to manage surveys, responses, and user accounts.
Lin CMS Spring Boot - Default JWT Token
runzero-match
service["http.body"] matches "(?i)心上无垢,林间有风"Description
An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.
Impact
Unauthenticated attackers can access backend administrative information and functions using a hardcoded default JWT token, potentially gaining complete control over the Lin CMS Spring Boot application including user management and content administration.
Remediation
Update Lin CMS Spring Boot to a version later than 0.2.1 that uses unique JWT secret keys, removes hardcoded tokens, and implements proper token rotation.
LinShare Login Panel - Detect
Author: righettodAdded: Feb 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LinShare"})Description
LinShare login panel was detected.
Linear eMerge E3-Series - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)Linear eMerge"Description
Linear eMerge E3-Series devices contain a cross-site scripting vulnerability via the type parameter, e.g., to the badging/badge_template_v0.php component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and thus steal cookie-based authentication credentials and launch other attacks. This affects versions 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patch or update provided by the vendor to fix the XSS vulnerability in the Linear eMerge E3-Series.
Linear eMerge E3-Series - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)linear emerge"}) || any(each(service["html.titles"]), {# matches "(?i)emerge"})Description
Linear eMerge E3-Series devices are susceptible to information disclosure. Admin credentials are stored in clear text at the endpoint /test.txt in situations where the default admin credentials have been changed. An attacker can obtain admin credentials, access the admin dashboard, control building access and cameras, and access employee information.
Impact
An attacker can exploit this vulnerability to gain sensitive information from the device.
Remediation
Apply the latest firmware update provided by the vendor to fix the vulnerability.
Linkerd Panel - Detect
runzero-match
service["http.body"] matches "(?i)data-controller-namespace"Description
Linkerd panel was detected.
Linksys Smart Wi-Fi Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Linksys Smart WI-FI"})Description
Linksys Smart Wi-Fi login panel was detected.
Linkwarden Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "1726765983" || any(each(service["html.titles"]), {# matches "(?i)Linkwarden"})Description
Linkwarden (linkwarden.app / github.com/linkwarden/linkwarden) is a popular open-source self-hosted bookmark and link archiving manager. Default Docker port 3000. Exposed instances may reveal users' archived link collections, screenshots, and PDFs.
ListSERV Maestro <= 9.0-8 RCE
runzero-match
service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"})Description
A struts-based OGNL remote code execution vulnerability exists in ListSERV Maestro before and including version 9.0-8.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to a patched version of ListSERV Maestro that is not affected by this vulnerability.
ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/listingpro"Description
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lp_cc_addons_actions function. This makes it possible for unauthenticated attackers to arbitrarily install, activate and deactivate any plugin.
Impact
Unauthenticated attackers can arbitrarily install, activate or deactivate plugins, potentially installing malicious plugins to gain complete site control.
Remediation
Upgrade to ListingPro version 2.6.1 or later.
ListingPro < 2.6.1 - Sensitive Data Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/listingpro"Description
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email addresses, phone numbers, physical addresses and user post counts.
Impact
Unauthenticated attackers can extract sensitive user data including usernames, email addresses, phone numbers, and physical addresses from all registered users.
Remediation
Upgrade to ListingPro version 2.6.1 or later.
LiteLLM - Server-Side Request Forgery
Author: pdresearch,iamnoooob,rootxharsh,lambdasawaAdded: Jul 22, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "439373620"Description
LiteLLM vulnerable to Server-Side Request Forgery (SSRF) vulnerability Exposes OpenAI API Keys.
Impact
Attackers can exploit SSRF to send requests to arbitrary URLs with OpenAI API keys in the Authorization header, potentially exposing API credentials.
Remediation
Update LiteLLM to the latest version that addresses the SSRF vulnerability in the chat/completions endpoint.
LiteLLM API - Swagger UI Detection
Author: rxeriumAdded: Feb 20, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LiteLLM API - Swagger UI"})Description
Detects exposed LiteLLM API Swagger UI interface. LiteLLM is a unified API for 100+ LLM providers (OpenAI, Azure, Anthropic, etc.).
Live Helper Chat Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)live helper chat"})Description
Live Helper Chat admin login panel was detected.
LiveZilla Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)livezilla"Description
LiveZilla login panel was detected.
Lobe Chat <= v0.150.5 - Server-Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "1975020705"Description
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.
Impact
Unauthenticated attackers can force the server to make arbitrary requests, potentially accessing internal services and sensitive data.
Remediation
Update Lobe Chat to version 0.150.6 or later.
LocalAI - Partial Local File Read
runzero-match
service["favicon.ico.image.mmh3"] == "-976853304"Description
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s)-// and file-// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.
Impact
Attackers can exploit SSRF to access internal HTTP services and partially read local files through error messages, potentially exposing sensitive information.
Remediation
Update LocalAI to version 2.17 or later to address the SSRF and LFI vulnerabilities.
LocalGPT Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "LocalGPT"})Description
LocalGPT is an open-source project that allows users to chat with their documents
locally using LLMs with no data leaving their device
LockSelf Login Panel - Detect
Author: righettodAdded: Mar 9, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LockSelf"})Description
LockSelf login panel was detected.
Locklizard Web Viewer Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Locklizard Web Viewer"Description
Locklizard Web Viewer login panel was detected.
Login as User or Customer < 3.3 - Privilege Escalation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/login-as-customer-or-user"Description
The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.
Impact
Unauthenticated attackers can obtain valid admin sessions by exploiting missing authorization checks in the Login as User or Customer plugin, potentially gaining complete control over the WordPress site and all user accounts.
Remediation
Fixed in version 3.3
Logitech Harmony Pro Installer Portal Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Logitech Harmony Pro Installer"})Description
Logitech Harmony Pro Installer Portal login panel was detected.
Logstash - Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "logstash"Description
Logstash is susceptible to Log4j JNDI remote code execution. Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite "stash."
LolLMS < 2.2.0 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "lollms"})Description
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0. The /api/files/export-content endpoint processes Markdown image URLs by downloading them via _download_image_to_temp() in backend/routers/files.py without any validation, allowing an unauthenticated attacker to supply arbitrary URLs (e.g. cloud metadata endpoints or internal services) that the server will fetch, enabling internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.
Impact
Attackers can access internal network services, cloud metadata, and potentially execute remote code.
Remediation
Update to version 2.2.0 or later.
Lomnido Panel - Detect
Author: righettodAdded: Jan 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Lomnido Login"})Description
Lomnido was detected.
Looker Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)lookerVersion"Description
Looker login panel was detected.
LottieFiles WordPress Plugin <= 3.0.0 - Missing Authorization
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/lottiefiles"Description
LottieFiles LottieFiles <= 3.0.0 contains a broken access control vulnerability caused by incorrectly configured access control security levels, letting attackers exploit missing authorization, exploit requires no special privileges.
Impact
Attackers can bypass authorization to access or modify restricted resources, potentially leading to data exposure or unauthorized actions.
Remediation
Update to the latest version beyond 3.0.0.
Loxone Intercom Video Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Loxone Intercom Video"})Description
Loxone Intercom Video panel was detected.
Loxone WebInterface Panel - Detect
Author: DhiyaneshDkAdded: Oct 8, 2024
runzero-match
service["http.body"] matches "(?i)<title>Webinterface</title>"Loytec PLC - Default Login
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1081604898"Description
Identified Loytec PLC web interfaces that were accessible using default credentials (admin:loytec4u). These devices were commonly deployed in building automation and industrial control environments. When left unchanged, default credentials could have allowed unauthorized users to gain administrative access to the system.
Lucee - Default Login
runzero-match
service["http.body"] matches "Lucee"Description
Lucee admin panel using the default login password was discovered.
Lucee - Unset Credentials
runzero-match
service["http.body"] matches "(?i)Lucee"Description
The Lucee admin panel has a first-time setup page which allows any user to set the administrator password.
Lucee < 6.0.1.59 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Lucee"})Lucee Web and Lucee Server Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Lucee"})Description
Lucee admin login panels were detected in both Web and Server tabs.
LumisXP <10.0.0 - Blind XML External Entity Attack
runzero-match
service["product"] matches "(?i)lumis.experience.platform"Description
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, server compromise, or further attacks on internal systems.
Remediation
Upgrade LumisXP to version 10.0.0 or above to mitigate the vulnerability.
LyLme spage v1.9.5 - Server-Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "-282504889"Description
LyLme spage v1.9.5 is vulnerable to server-side request forgery (SSRF) via the url parameter in apply/index.php. An attacker can force the server to make arbitrary requests, potentially accessing internal resources.
Impact
Unauthenticated attackers can force the server to make arbitrary requests via the url parameter, potentially accessing internal resources.
Remediation
Update LyLme spage to a version later than v1.9.5 that patches the SSRF vulnerability.
M-Bus Converter Web Interface - Detect
Author: DhiyaneshDkAdded: Oct 8, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)JC-e converter webinterface"})M-Files Web Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)m-files web"Description
M-Files Web login panel was detected.
MAG Dashboard Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MAG Dashboard Login"})Description
MAG Dashboard login panel was detected.
MCMS 5.2.4 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
MCMS 5.2.4 contains a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in MCMS 5.2.4.
MCMS 5.2.5 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
MCMS 5.2.5 contains a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in MCMS 5.2.5.
MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MCP Inspector"})Description
The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio.
Impact
Unauthenticated attackers can launch arbitrary MCP commands over stdio due to lack of authentication between Inspector client and proxy, enabling remote code execution.
Remediation
Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.
MCPJam Inspector - Remote Code Execution
runzero-match
service["product"] matches "(?i)mcpjam"Description
MCPJam inspector is the local-first development platform for MCP servers. The Latest version 1.4.2 and earlier are vulnerable to a remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE.
Impact
An unauthenticated attacker can remotely execute arbitrary system commands via the exposed /api/mcp/connect endpoint. Successful exploitation leads to full compromise of the affected host.
Remediation
Upgrade MCPJam Inspector to version 1.4.3 or later. Restrict the service to listen on 127.0.0.1.
MISP Threat Intelligence Sharing Platform Panel - Detect
Author: johnk3r,darsesAdded: May 31, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-137577333" || any(each(service["html.titles"]), {# matches "(?i)users - misp"}) || any(each(service["html.titles"]), {# matches "(?i)errors - misp"})MLFlow < 2.8.1 - Sensitive Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mlflow"})Description
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
Impact
An attacker can access sensitive information stored in MLFlow.
Remediation
Upgrade MLFlow to a version that has patched CVE-2023-43472.
MLflow Absolute Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mlflow"})Description
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
Impact
This vulnerability can lead to unauthorized access to sensitive information stored on the server.
Remediation
Upgrade to a patched version of MLflow to mitigate the Absolute Path Traversal vulnerability.
MLflow Job API - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MLflow"})Description
MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/* when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions.
Impact
Unauthenticated attackers can execute jobs remotely, potentially leading to remote code execution, denial of service, or data exposure.
Remediation
Update to the latest version with fixed authentication enforcement on job endpoints.
MLflow Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "MLflow"})Description
MLflow is an open-source platform for managing the end-to-end machine learning
lifecycle including experimentation, reproducibility, and deployment. This template
detects exposed MLflow tracking server UI instances.
MOFI4500-4GXeLTE-V2 Default Login
runzero-match
any(each(service["html.titles"]), {# matches "^MOFI4500"})Description
Mofi Network MOFI4500-4GXELTE wireless router default admin credentials were discovered.
MOVEit Transfer - SQL Injection
runzero-match
service["product"] contains "Progress Software:MOVEit MFT"Description
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Impact
Attackers can modify and disclose sensitive database content, leading to data breach and potential system compromise.
Remediation
Update to fixed versions: 2020.1.10, 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, or latest available version.
MPDV Mikrolab GmbH HYDRA X, MIP 2 & FEDRA 2 - Path Traversal
runzero-match
service["http.body"] matches "(?i)MPDV"Description
MPDV Mikrolab GmbH HYDRA X, MIP 2, and FEDRA 2 <= Maintenance Pack 36 with Servicepack 8 (week 36/2025) contain an unauthenticated local file disclosure vulnerability caused by improper validation of the "Filename" parameter in the public $SCHEMAS$ resource, letting attackers read arbitrary Windows OS files, exploit requires local access.
Impact
Attackers can read arbitrary files on the Windows operating system, potentially exposing sensitive information.
Remediation
Update to Maintenance Pack 36 with Servicepack 8 (week 36/2025) or later.
MPFTVC Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AdminLogin - MPFTVC"})Description
MPFTVC admin login panel was detected.
MSNSwitch Firmware MNT.2408 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-2073748627"Description
MSNSwitch Firmware MNT.2408 is susceptible to authentication bypass in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh. An attacker can arbitrarily configure settings, leading to possible remote code execution and subsequent unauthorized operations.
Impact
Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the affected device.
Remediation
Apply the latest firmware update provided by the vendor to fix the authentication bypass vulnerability.
MSPControl Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MSPControl - Sign In"})Description
MSPControl login panel was detected.
MStore API < 3.9.8 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mstore-api/"Description
The MStore API WordPress plugin before 3.9.8 is vulnerable to Blind SQL injection via the product_id parameter.
Impact
Allows an attacker to extract sensitive data from the database
Remediation
Update MStore API WordPress Plugin to the latest version to mitigate the vulnerability
MStore API <= 3.9.1 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mstore-api/"Description
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Impact
Attackers can log in as any user, including administrators, potentially gaining full control over the site.
Remediation
Update to version 3.9.2 or later.
MStore API <= 3.9.2 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mstore-api/"Description
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Impact
An attacker can bypass authentication and gain unauthorized access to the MStore API, potentially leading to data breaches or unauthorized actions.
Remediation
Upgrade to a patched version of MStore API (version 3.9.3 or above) to mitigate the authentication bypass vulnerability.
MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mstore-api/"Description
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.
Impact
Attackers can log in as any user and escalate privileges, potentially leading to full account compromise.
Remediation
No patch available yet; monitor for updates from the developer and apply patches as soon as they are released.
MachForm Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MachForm Admin Panel"})Description
MachForm Admin panel was detected.
Maestro LISTSERV - Detect
Author: righettodAdded: Sep 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LISTSERV Maestro"})Description
Maestro LISTSERV panel was detected.
Maestro LuCI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Maestro - LuCI"})Description
Maestro LuCI login panel was detected.
Mage AI - Insecure Default Authentication Setup
runzero-match
service["http.body"] matches "(?i)<title>Mage</title>"Description
A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecure default initialization of resource. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. After 7 months of repeated follow-ups by the researcher, Mage AI has decided to not accept this issue as a valid security vulnerability and has confirmed that they will not be addressing it.
Impact
Attackers can exploit insecure default authentication configuration to gain unauthorized access to Mage AI installations, potentially leading to remote code execution and complete system compromise.
Remediation
Implement proper authentication configuration by following the vendor's security hardening guidelines.
Mage AI Panel - Detect
Author: ChrisJr404Added: May 19, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mage"})Description
Mage AI (mage.ai / github.com/mage-ai/mage-ai) is an open-source data pipeline + orchestration platform with a notebook-style UI. Self-hosted instances default to TCP 6789 and historically have shipped without authentication. Exposed instances may reveal pipeline source, secrets, and provide an authenticated path to arbitrary code execution via custom blocks.
MagicMirror <= 2.35.0 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "MagicMirror"})Description
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (VAR_NAME), enabling exfiltration of server-side secrets.
Impact
A remote unauthenticated attacker can force the MagicMirror server to request localhost, internal network, and cloud metadata endpoints. In affected configurations, the endpoint can return server-side responses to the attacker.
Remediation
Upgrade MagicMirror to version 2.36.0 or later.
Magnolia CMS Default Login - Detect
runzero-match
service["http.body"] matches "Magnolia is a registered trademark"Description
Magnolia CMS default login credentials were detected.
Magnolia CMS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Magnolia is a registered trademark"Description
Magnolia CMS login panel was detected.
MagnusBilling - Default Login
Author: DhiyaneshDkAdded: May 20, 2025
runzero-match
service["http.body"] matches "MagnusBilling"Description
MagnusBilling installs with a default administrative account using the credentials root / magnus. If unchanged, these credentials grant full access to the system, allowing attackers to manage billing data, modify configurations, and potentially execute arbitrary code or commands via exposed interfaces.
Impact
An unauthenticated attacker can gain full administrative control over the MagnusBilling platform, leading to compromise of billing systems, data leakage, and potential pivoting into internal infrastructure.
MagnusBilling - Login Panel
Author: DhiyaneshDKAdded: May 20, 2025
runzero-match
service["http.body"] matches "(?i)MagnusBilling"Description
Identified an exposed MagnusBilling login panel.
Mail Mint < 1.19.5 - Unauthenticated Email Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mail-mint/"Description
Mail Mint WordPress plugin < 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication.
Impact
Unauthenticated attackers can retrieve email addresses of users, leading to privacy breaches and potential phishing attacks.
Remediation
Update to version 1.19.5 or later.
MailEnable Mail Service < v10 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MailEnable"})Description
Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component.
Impact
Attackers can execute arbitrary JavaScript in victim browsers through the state parameter in failure.aspx, potentially leading to session hijacking and credential theft.
Remediation
Upgrade to MailEnable version 10 or later that properly sanitizes user input in the failure.aspx component.
MailHog Panel - Detect
runzero-match
service["http.body"] matches "(?i)mailhog"Description
MailHog panel was detected.
MailWatch Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MailWatch Login Page"})Description
MailWatch login panel was detected.
Mailpit < 1.28.3 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mailpit"})Description
Mailpit <= 1.28.0 contains a server-side request forgery caused by insufficient validation of internal IP addresses in the /proxy endpoint, letting attackers make requests to internal network resources, exploit requires crafted HTTP GET requests.
Impact
Attackers can access internal network services and APIs, potentially exposing sensitive internal resources.
Remediation
Update to version 1.28.1 or later.
MainWP Dashboard <= 3.1.2 - Stored Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mainwp"Description
MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress versions up to 3.1.2 contains a stored cross-site scripting caused by insufficient input sanitization and output escaping in 'mwp_setup_purchase_username' parameter, letting unauthenticated attackers inject and execute arbitrary scripts when users access affected pages.
Impact
Unauthenticated attackers can inject scripts that execute in users' browsers, potentially leading to session hijacking, defacement, or redirection.
Remediation
Update to the latest version of the plugin that addresses this vulnerability.
MajorDoMo - Unauthenticated RCE
runzero-match
service["http.body"] matches "(?i)templates/application\\.html"Description
MajorDoMo contains a remote code execution caused by an include order bug and lack of exit after redirect in admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests.
Impact
Unauthenticated attackers can execute arbitrary PHP code remotely, potentially leading to full system compromise.
Remediation
Update to the latest version with the fix for the include order bug and proper exit after redirect.
MajorDoMo thumb.php - OS Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1903390397"Description
MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager.
Impact
Unauthenticated attackers can execute arbitrary OS commands via shell metacharacters in the thumb.php transport parameter, potentially compromising the entire system.
Remediation
Update MajorDoMo to a version newer than commit 0662e5e which addresses the command injection vulnerability.
Maltrail <= v0.54 - Unauthenticated OS Command Injection
Author: pussycat0xAdded: Aug 21, 2023
runzero-match
service["http.head.server"] matches "(?i)Maltrail"Description
The subprocess.check_output function in mailtrail/core/http.py contains a command injection vulnerability in the params.get("username")parameter.
An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication.
Remediation
Fixed in 0.55 Version
Maltrail <=0.54 Username Parameter - Remote Command Execution
Author: SeungAh-HongAdded: Aug 4, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Maltrail"})Description
Maltrail versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint.
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the username parameter in the login endpoint, achieving complete server compromise.
Remediation
Upgrade Maltrail to version 0.55 or later that properly sanitizes user input in authentication handling.
Maltrail Panel - Detect
Author: ritikchaddhaAdded: Aug 19, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Maltrail"})Description
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name, URL (e.g. hXXp://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value.
Malwared (Build Your Own Botnet) - Detect
Author: pdteamAdded: Aug 17, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "487145192"Description
Detects the presence of the Malwared - Build Your Own Botnet tool on the target system.
Malwared BYOB - Unauthenticated Remote Code Execution
Author: pdteamAdded: Aug 17, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "487145192"Description
Malwared BYOB - Unauthenticated RCE allows remote code execution.
Impact
Potential unauthorized access and control of the target system by threat actors.
Remediation
Remove any instances of the Malwared - Build Your Own Botnet tool from the target system and conduct a thorough security audit.
Manage Engine Desktop Central - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "ManageEngine Desktop Central"})Description
Manage Engine Endpoint Central (formerly Desktop Central) is susceptible to Log4j JNDI remote code execution. Endpoint Central is a Unified Endpoint Management (UEM) & Endpoint protection suite that helps manage and secure various network devices
ManageEngine - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "ManageEngine"})Description
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
Remediation
Apply the latest security patches or updates provided by the vendor to fix this vulnerability.
ManageEngine Applications Manager - Default Credentials
Author: 0midC13Added: Mar 2, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Applications Manager Login Screen"})Description
Default credentials grants administrative access to ManageEngine Applications Manager, which can be later escalated into a RCE via DB queries.
ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine"})Description
ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
Impact
An attacker can access sensitive files on the server, potentially leading to unauthorized access or data leakage.
Remediation
Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328 or apply the necessary security patches.
MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
runzero-match
service["favicon.ico.image.mmh3"] == "662709064"Description
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized password resets and unauthorized administrative access.
Remediation
Upgrade MantisBT to a version higher than 2.30 to mitigate this vulnerability.
MantisBT Default Admin Login
runzero-match
any(each(service["html.titles"]), {# matches "MantisBT"})Description
A MantisBT default admin login was discovered.
MantisBT Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "662709064"Description
MantisBT login panel was detected.
MapSVG < 6.2.20 - Unauthenticated SQLi
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mapsvg/"Description
The MapSVG WordPress plugin before 6.2.20 does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users.
Impact
Unauthenticated attackers can execute SQL injection via REST API endpoint to extract database contents or execute arbitrary commands, potentially compromising the entire WordPress database.
Remediation
Upgrade to MapSVG version 6.2.20 or later.
MapTiler Tileserver-php v2.0 - Unauthenticated File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TileServer-php"})Description
MapTiler Tileserver-php v2.0 contains a directory traversal caused by improper sanitization of GET parameters in renderTile function, letting attackers read arbitrary files on the server, exploit requires crafted web requests
Impact
Attackers can read arbitrary files on the server, potentially exposing sensitive information.
Remediation
Update to the latest version of MapTiler Tileserver-php.
MapTiler Tileserver-php v2.0 - Unauthenticated XSS
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TileServer-php"})Description
MapTiler Tileserver-php v2.0 contains a reflected XSS caused by unencoded reflection of the GET parameter \"layer\" in an error message, letting unauthenticated attackers execute arbitrary script on victim browsers.
Impact
Unauthenticated attackers can execute arbitrary JavaScript in victim browsers, leading to session hijacking or phishing.
Remediation
Update to the latest version of MapTiler Tileserver-php.
Marimo Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "marimo"})Description
Marimo is an open-source reactive Python notebook and app framework that replaces Jupyter
with git-friendly, reproducible notebooks.
MasterSAM Star Gate v11 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)MasterSAM"Description
MasterSAM Star Gate v11 is vulnerable to a directory traversal attack via the endpoint /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially leading to the exposure of sensitive information.
Impact
Unauthenticated attackers can exploit directory traversal to read arbitrary files from the server, potentially exposing sensitive configuration data, credentials, and system files.
Remediation
Contact MasterSAM for a patched version of Star Gate v11 that addresses the directory traversal vulnerability.
MasterStudy LMS WordPress Plugin <= 3.2.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/masterstudy-lms-learning-management-system/"Description
The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can extract sensitive information from the database including usernames, passwords, and other confidential data via time-based SQL injection.
Remediation
Update MasterStudy LMS plugin to version 3.2.6 or later.
Masteriyo LMS <= 1.7.3 - Insecure Direct Object Reference
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learning-management-system/"Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress.This issue affects Masteriyo - LMS: from n/a through 1.7.3.
Impact
An unauthenticated attacker can access course progress and user learning data without logging in.
Remediation
Update the Masteriyo LMS plugin to the latest version and enforce proper authentication and authorization checks on REST API endpoints.
Mastodon - Open Redirect
runzero-match
service["http.body"] matches "mastodon-"Description
Mastodon version < 4.5.8, < 4.4.15, < 4.3.21 is vulnerable to unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments.
Impact
Redirect users to external domain.
Remediation
Update Mastodon to versions 4.5.8, 4.4.15, 4.3.21.
Matomo Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-2023266783"Description
google analytics alternative that protects your data and your customers privacy.
Mattermost Login - Panel
Author: darsesAdded: Jun 10, 2025
runzero-match
service["http.body"] matches "(?i)'content=\"Mattermost\"'"Description
Mattermost Login Panel was discovered.
MeTube Instance Detected
Author: rxeriumAdded: Aug 10, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MeTube"})Description
A MeTube instance was detected.
Mealie Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mealie"})Description
Detected Mealie was a self-hosted recipe manager and meal planner with a Vue/Nuxt frontend and FastAPI backend.
Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/media-library-assistant"Description
Media Library Assistant plugin for WordPress before 2.82 contains a local file inclusion caused by unsanitized mla_gallery link parameter, letting attackers include arbitrary local files, exploit requires access to the vulnerable link.
Impact
Attackers can include arbitrary local files, potentially leading to information disclosure or code execution.
Remediation
Update to version 2.82 or later.
Media Library Assistant < 3.09 - Remote Code Execution/Local File Inclusion
runzero-match
service["http.body"] matches "wp-content/plugins/media-library-assistant"Description
A vulnerability in the Wordpress Media-Library-Assistant plugins in version < 3.09 is vulnerable to a local file inclusion which leading to RCE on default Imagegick installation/configuration.
Impact
Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to local files.
Remediation
Fixed in version 3.09
Meduza Stealer Panel - Detect
Author: dwisiswant0Added: Feb 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Meduza Stealer"})Description
Meduza Stealer panel were detected.
Memos 0.13.2 - Cross-Site Scripting & SSRF
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Memos"})Description
An SSRF vulnerability exists at the `/o/get/image` that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability.
Impact
Attackers can inject malicious scripts and perform SSRF attacks, compromising user data and accessing internal resources.
Remediation
Update Memos to version 0.13.3 or later.
Memos 0.13.2 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Memos"})Description
An SSRF vulnerability exists at the `/api/resource` that allows authenticated users to enumerate the internal network.
Impact
Attackers can force the server to make requests to arbitrary destinations, potentially accessing internal services or sensitive data.
Remediation
Update Memos to version 0.13.3 or later.
Memos 0.13.2 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Memos"})Description
SSRF vulnerabilities exist in the memos API service `/o/get/httpmeta` that allow unauthenticated and authenticated users to enumerate and read from the internal network. In addition, one SSRF vulnerability leads to a reflected XSS vulnerability, which may allow an attacker complete control over the administrator account.
Impact
Attackers can make the server perform requests to arbitrary internal or external resources, potentially accessing sensitive data or internal services.
Remediation
Update Memos to version 0.13.3 or later.
Memos Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)memos"})Description
Memos is a privacy-first, lightweight note-taking service
MeshCentral Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)meshcentral - login"})Description
MeshCentral login panel was detected.
Mesop AI Sandbox <= 1.2.2 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)Mesop"Description
Mesop <= 1.2.2 contains an unrestricted remote code execution caused by unauthenticated ingestion and execution of base64-encoded Python code in the /exec-py endpoint of ai/testing module, letting attackers execute arbitrary commands on the host, exploit requires HTTP access to the server.
Impact
Attackers can execute arbitrary commands on the host, leading to full system compromise.
Remediation
Upgrade to version 1.2.3 or later.
MetInfo CMS <= 8.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MetInfo"})Description
MetInfo CMS 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization in the execution path, letting remote attackers execute arbitrary code remotely, exploit requires crafted requests.
Impact
Remote attackers can execute arbitrary code, gaining full control over the affected server.
Remediation
Update to the latest version beyond 8.1.
Metabase - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metabase"})Description
Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded.
Impact
The vulnerability can result in unauthorized access to sensitive files or execution of arbitrary code on the affected system.
Remediation
This issue is fixed in 0.40.5 and .40.5 and higher. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Metabase - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Metabase"})Description
Metabase is susceptible to remote code execution due to an incomplete patch in Apache Log4j 2.15.0 in certain non-default configurations. A remote attacker can pass malicious data and perform a denial of service attack, exfiltrate data, or execute arbitrary code.
Metabase < 0.46.6.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metabase"})Description
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade Metabase to version 0.46.6.1 or later to mitigate this vulnerability.
Metabase Installer - Exposure
Author: 0x_AkokoAdded: Dec 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Metabase"}) && service["http.body"] contains "setup"Description
Detected Metabase installer page, allowing unauthorized database setup and configuration.
Metabase Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metabase"})Description
Metabase login panel was detected.
Metaflow UI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Metaflow UI"})Description
Metaflow is an open-source ML platform created by Netflix for building and managing real-life data science projects.
The Metaflow UI provides a web interface for monitoring and managing Metaflow runs and flows.
Metasploit Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metasploit"}) || any(each(service["html.titles"]), {# matches "(?i)metasploit - setup and configuration"})Description
Metasploit Web Panel is detected
Metasploit Setup and Configuration Page - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metasploit - setup and configuration"}) || any(each(service["html.titles"]), {# matches "(?i)metasploit"})Description
Metasploit setup and configuration page was detected.
MeterSphere < 2.5.0 SSRF
runzero-match
service["http.body"] matches "metersphere"Description
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side request forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as executing JavaScript code in the context of Metersphere's origin by a victim of a reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.
Impact
An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or information disclosure.
Remediation
Upgrade MeterSphere to version 2.5.0 or later to mitigate the SSRF vulnerability.
MeterSphere Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)metersphere"Description
MeterSphere login panel was detected.
Metersphere - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)metersphere"Description
Metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files available to the running process. This issue has been addressed in version 1.20.20 lts and 2.7.1
Impact
This vulnerability can lead to unauthorized access to sensitive information, such as configuration files, credentials, and other sensitive data.
Remediation
Users are advised to upgrade. There are no known workarounds for this vulnerability.
Micro Focus Application Lifecycle Management - Panel
Author: righettodAdded: May 21, 2024
runzero-match
service["http.body"] matches "(?i)Micro\u00a0Focus\u00a0Application\u00a0Lifecycle\u00a0Management"Description
Micro Focus Application Lifecycle Management login panel was detected.
Micro Focus Filr Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)micro focus filr"Description
Micro Focus Filr login panel was detected.
Micro Focus Operations Bridge Reporter - Remote Code Execution
runzero-match
service["product"] matches "(?i)microfocus.operation.bridge.reporter"Description
Micro Focus Operations Bridge Reporter 10.40 is susceptible to remote code execution. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.
Impact
Unauthenticated attackers can execute arbitrary commands on the Operations Bridge Reporter server, leading to complete system compromise and access to all monitoring data.
Remediation
Apply the latest security patches or updates provided by Micro Focus to mitigate this vulnerability.
Micro Focus Vibe Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)micro focus vibe"Description
Micro Focus Vibe login panel was detected.
Microsoft Exchange - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)outlook"}) || service["favicon.ico.image.mmh3"] == "1768726119"Description
Microsoft Exchange Server Information Disclosure Vulnerability. This vulnerability enables an attacker to bypass authentication and gain access to the Exchange Server's internal.
Impact
Unauthenticated attackers can bypass authentication using a SecurityToken cookie, gaining access to Exchange Server's internal API endpoints and sensitive information.
Remediation
Apply security updates provided by Microsoft to fix the authentication bypass vulnerability.
Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)
runzero-match
service["product"] contains "Microsoft:Exchange Server"Description
Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server.
Impact
Attackers can execute arbitrary code remotely, potentially leading to full system compromise or data breach
Remediation
Apply the latest security patches and updates provided by Microsoft for Exchange Server
Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)
runzero-match
service["product"] contains "Microsoft:Exchange Server"Description
Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server.
Impact
Attackers can execute arbitrary code remotely, potentially leading to full system compromise or data breach
Remediation
Apply the latest security patches and updates provided by Microsoft for Exchange Server
Microsoft Exchange Admin Center Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1768726119" || any(each(service["html.titles"]), {# matches "(?i)outlook"})Description
Microsoft Exchange Admin Center login panel was detected.
Microsoft Exchange Server End-of-Life - Detect
Author: Shivam KambojAdded: Mar 3, 2026
runzero-match
service["product"] contains "Microsoft:Outlook Web Access"Description
Detected Microsoft Exchange Server versions that have reached End-of-Life (EOL) and no longer receive security updates.
Microsoft Exchange Server Pre-Auth POST Based Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1768726119"Description
Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, data theft, or other malicious activities.
Remediation
Apply the latest security updates provided by Microsoft to mitigate this vulnerability.
Microsoft Exchange Server SSRF Vulnerability
runzero-match
service["favicon.ico.image.mmh3"] == "1768726119"Description
This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, remote code execution, or further compromise of the affected system.
Remediation
Apply the appropriate security update.
Microsoft Exchange Web Service - Detect
Author: bhutch,userdehghaniAdded: Feb 2, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)outlook"}) || service["favicon.ico.image.mmh3"] == "1768726119"Description
Microsoft Exchange Web Services was detected.
Microsoft OWA Exchange Server 2003 - 'redir.asp' Open Redirection
runzero-match
any(each(service["html.titles"]), {# matches "Outlook"})Description
Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter.
Impact
An attacker can exploit this vulnerability to trick users into visiting malicious websites, leading to potential phishing attacks.
Remediation
Apply the necessary security patches or upgrade to a newer version of Microsoft Exchange Server.
Microsoft Windows 'HTTP.sys' - Remote Code Execution
runzero-match
service["http.head.server"] matches `(?i)microsoft-iis`Description
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
Impact
Attackers can execute arbitrary code remotely on Windows servers running vulnerable HTTP.sys, potentially leading to complete system compromise and data breach.
Remediation
Apply Microsoft security update MS15-034 immediately to patch the vulnerability.
Microsys Promotic SCADA - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "PROMOTIC"})Description
Microsys Promotic is a SCADA/HMI software platform widely deployed in central European
industrial and building automation applications. The embedded web server exposes a
runtime panel accessible over HTTP on non-standard ports.
Microweber < 1.2.11 - Open Redirection
runzero-match
service["favicon.ico.image.mmh3"] == "780351152"Description
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
Impact
Attackers can redirect users to malicious websites through the redirect_to parameter, potentially facilitating phishing attacks or malware distribution.
Remediation
Upgrade to Microweber version 1.2.11 or later.
Microweber <1.1.20 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)microweber" || service["favicon.ico.image.mmh3"] == "780351152"Description
Microweber before 1.1.20 is susceptible to information disclosure via userfiles/modules/users/controller/controller.php. An attacker can disclose the users database via a /modules/ POST request and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information.
Remediation
Upgrade Microweber to version 1.1.20 or later to mitigate the vulnerability.
Microweber <1.2.15 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "780351152"Description
Microweber prior to 1.2.15 contains a reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
Remediation
Upgrade to Microweber CMS version 1.2.15 or later, which includes proper input sanitization to mitigate the XSS vulnerability.
MikroTik Router OS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mikrotik routeros > administration"})Description
MikroTik Router OS login panel was detected.
MikroTik RouterOS Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mikrotik routeros > administration"})Description
MikroTik RouterOS admin login panel was detected.
Milesight Routers - Information Disclosure
runzero-match
service["http.body"] matches "(?i)rt_title"Description
A critical security vulnerability has been identified in Milesight Industrial Cellular Routers, compromising the security of sensitive credentials and permitting unauthorized access. This vulnerability stems from a misconfiguration that results in directory listing being enabled on the router systems, rendering log files publicly accessible. These log files, while containing sensitive information such as admin and other user passwords (encrypted as a security measure), can be exploited by attackers via the router's web interface. The presence of a hardcoded AES secret key and initialization vector (IV) in the JavaScript code further exacerbates the situation, facilitating the decryption of these passwords. This chain of vulnerabilities allows malicious actors to gain unauthorized access to the router.
Impact
Unauthenticated attackers can access publicly exposed log files containing encrypted admin and user passwords, then decrypt them using the hardcoded AES key found in JavaScript code, gaining full administrative access to industrial cellular routers.
Remediation
Update Milesight Industrial Cellular Router firmware to disable directory listing, restrict access to log files, and remove hardcoded cryptographic keys from the web interface.
MinIO Browser API - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "minio browser"})Description
MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to make arbitrary requests on behalf of the server, potentially leading to unauthorized access or data leakage.
Remediation
Apply the latest security patches or updates provided by MinIO to fix this vulnerability.
MinIO Browser Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)minio browser"}) || any(each(service["html.titles"]), {# matches "(?i)minio console"})Description
MinIO Browser login panel was detected.
MinIO Cluster Deployment - Information Disclosure
runzero-match
service["http.body"] matches "(?i)symfony profiler" || any(each(service["html.titles"]), {# matches "(?i)minio console"}) || any(each(service["html.titles"]), {# matches "(?i)minio browser"})Description
MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted.
Impact
An attacker can gain unauthorized access to sensitive information stored in the MinIO cluster.
Remediation
All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
MinIO Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MinIO Console"})Description
MinIO Console login panel was detected.
MindsDB -DNS Rebinding SSRF Protection Bypass
runzero-match
any(each(service["html.titles"]), {# matches "mindsdb"})Description
Detects DNS rebinding vulnerability that allows bypass of SSRF protection. The vulnerability exists in the URL validation mechanism where DNS resolution is performed without considering DNS rebinding attacks.
Impact
SSRF Protection Bypass via DNS Rebinding
Remediation
Upgrade to mindsdb version 23.12.4.2 or later
Mingsoft MCMS - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
SQL injection vulnerability in Mingsoft MCMS up to 5.2.9 via the sqlWhere parameter in /cms/category/list.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Apply the vendor-supplied patch or update to the latest version.
Mingsoft MCMS 5.2.9 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
Mingsoft MCMS v5.2.9 contains a SQL injection caused by unsanitized categoryType parameter at /content/list.do, letting attackers execute arbitrary SQL commands, exploit requires crafted input.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
Remediation
Update to the latest version of Mingsoft MCMS or apply security patches that sanitize input parameters.
Mingsoft MCMS v5.2.7 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
Mingsoft MCMS v5.2.7 contains an SQL injection vulnerability via /cms/content/list that allows unauthenticated attackers to execute arbitrary SQL commands on the affected database server.
Impact
Unauthenticated attackers can execute arbitrary SQL commands through the categoryId parameter in /cms/content/list, potentially extracting sensitive database information, modifying data, or compromising the entire Mingsoft MCMS database.
Remediation
Upgrade Mingsoft MCMS to version 5.2.8 or later, which contains patches for this vulnerability.
Minio Default Login
runzero-match
service["http.body"] matches "symfony Profiler"Description
Minio default admin credentials were discovered.
Mirantis Kubernetes Engine Panel - Detect
runzero-match
service["http.body"] matches "(?i)Mirantis Kubernetes Engine"Description
Mirantis Kubernetes Engine panel was detected.
Mirth Connect - Default Admin Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mirth Connect"})Description
Detected Mirth Connect was using default credentials admin:admin. Mirth Connect is a widely used healthcare integration engine for HL7, FHIR, and other medical data standards.
MistServer Installation Wizard - Exposure
Author: DhiyaneshDkAdded: Mar 24, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MistServer"})Description
MistServer installation/setup wizard is publicly accessible, allowing unauthorized users to create admin accounts and take full control of the streaming server. This is a first-user-wins vulnerability.
Impact
An attacker can create an admin account on unconfigured MistServer instances,
gaining full control over the streaming server configuration and content.
Mitel 6000 - Default Login
Author: matejsmyckaAdded: Sep 29, 2025
runzero-match
service["http.head.server"] matches "Aragorn Mitel"Description
This template detects the use of default credentials (admin:22222) on Mitel 6000 devices, which may allow unauthorized access to system information.
Mitel 6000 - OS Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1940372141"Description
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. This template should be run on port 49249/tcp.
Impact
Unauthenticated attackers can execute arbitrary commands, potentially disclosing or modifying sensitive data and disrupting device operation.
Remediation
Update to the latest Mitel firmware version beyond 6.4 SP4.
Mitel Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)mitel networks"Description
Mitel login panel was detected.
Mitel MiCollab - Arbitary File Read
runzero-match
service["http.body"] matches "(?i)Mitel Networks"Description
The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attacker to retrieve sensitive files.
Impact
Unauthenticated attackers can bypass authentication and exploit path traversal to read arbitrary files from the MiCollab server, exposing sensitive configuration, credentials, and system data.
Remediation
Update Mitel MiCollab according to MISA-2024-0029 advisory to address the authentication bypass and path traversal vulnerabilities.
Mitel MiCollab - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Mitel Networks"Description
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
Impact
Unauthenticated attackers can exploit path traversal to access sensitive user data, system configurations, and corrupt or delete information.
Remediation
Update Mitel MiCollab to a version later than 9.8 SP1 FP2 that patches CVE-2024-41713.
Mitel MiCollab - Information Disclosure & Denial of Service
runzero-match
service["http.body"] matches "(?i)MiCollab End User Portal"Description
Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 contain a vulnerability in the TP-240 component caused by improper handling, letting remote attackers obtain sensitive information and cause denial of service, exploit requires remote access.
Impact
Attackers can retrieve sensitive information and cause performance degradation or denial of service, including DDoS attacks.
Remediation
Update to version 9.4 SP1 FP1 or later for MiCollab, and latest version for MiVoice Business Express.
Mitel MiCollab <= 9.8.0.33 - SQL Injection
runzero-match
service["http.body"] matches "(?i)Mitel\" html:\"MiCollab"Description
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.
Impact
Unauthenticated attackers can execute arbitrary SQL queries to access sensitive information and execute arbitrary database and management operations.
Remediation
Update Mitel MiCollab to a version later than 9.8.0.33.
Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal
runzero-match
service["http.body"] matches "(?i)Mitel\" html:\"MiCollab"Description
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
Impact
An attacker can exploit this vulnerability to view, modify, or delete arbitrary files on the system, potentially leading to unauthorized access or data leakage.
Remediation
Apply the latest security patches or updates provided by Mitel to mitigate the vulnerability and prevent unauthorized access.
Mitel MiCollab Login Panel - Detect
Author: righettod,darsesAdded: Apr 7, 2024
runzero-match
service["http.body"] matches "(?i)MiCollab End User Portal" || service["favicon.ico.image.mmh3"] == "-1922044295"Description
Mitel MiCollab login panel was detected.
Mitel NuPoint Unified Messaging Panel - Detect
Author: s4e-ioAdded: Sep 10, 2025
runzero-match
service["http.body"] matches "(?i)mitel networks" || service["favicon.ico.image.mmh3"] == "-1922044295" || service["http.body"] matches "(?i)micollab end user portal"Description
Mitel NuPoint Unified Messaging login panel was detected.
Mobile Management Platform Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)移动管理平台-企业管理"})Description
Mobile Management Platform panel was detected.
MobileIron Core & Connector <= v10.6 & Sentry <= v9.8 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "967636089"Description
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier contain a vulnerability that allows remote attackers to execute arbitrary code via unspecified vectors.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete compromise of the MobileIron infrastructure.
Remediation
Upgrade MobileIron Core & Connector and Sentry to versions above v10.6 & v9.8 respectively
MobileIron Core - Remote Unauthenticated API Access
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain.
Impact
Remote attackers can exploit this vulnerability to gain unauthorized access to sensitive data and perform malicious actions.
Remediation
Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM)
MobileIron Sentry Panel - Detect
Author: pdteamAdded: Jul 26, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "967636089"Description
MobileIron Sentry panel was detected.
Mobotix - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Mobotix"})Description
Mobotix contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Modoboa < 2.1.0 - Improper Authorization
runzero-match
service["favicon.ico.image.mmh3"] == "1949005079" || service["http.body"] matches "(?i)modoboa"Description
Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.
Impact
Unauthenticated attackers can access sensitive configuration parameters including default passwords and authentication settings through the API endpoint, potentially compromising the entire email management system.
Remediation
Update Modoboa to version 2.1.0 or later that implements proper authorization checks for the parameters API endpoint.
Modoboa Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)modoboa" || service["favicon.ico.image.mmh3"] == "1949005079"Description
Modoboa login panel was detected.
Modular DS - Broken Access Control
runzero-match
service["http.body"] matches "(?i)/plugins/modular-connector/"Description
Modular DS = 2.5.1 contains a broken access control vulnerability caused by incorrect privilege assignment, letting attackers escalate their privileges, exploit requires no special conditions.
Impact
Attackers can escalate their privileges, potentially gaining unauthorized access to sensitive functions or data.
Remediation
Update to the latest version beyond 2.5.1.
Molgenis - Default Login
Author: ritikchaddhaAdded: Jul 8, 2025
runzero-match
service["http.body"] contains "MOLGENIS" || service["last.http.body"] contains "MOLGENIS"Description
Attempts to login to Molgenis using the default credentials (admin/admin). Successful login may indicate a security risk due to unchanged default credentials.
MongoDB Ops Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MongoDB Ops Manager"})Description
MongoDB Ops Manager login panel was detected.
Mongoose - NoSQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mongoose"})Description
NoSQL injection vulnerability in Mongoose < 8.9.5 affecting the populate() function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operators like $and, allowing execution of arbitrary JavaScript code on MongoDB server, bypassing authentication, and accessing sensitive administrative data.
Impact
Attackers can bypass authentication and execute arbitrary JavaScript code on MongoDB servers through nested $where operators in the populate() function, potentially accessing sensitive administrative data and compromising database integrity.
Remediation
Upgrade to Mongoose version 8.9.5 or later that properly blocks nested $where operators.
Mongoose < 8.8.3 - Remote Code Execution
runzero-match
service["http.head.server"] matches "Mongoose"Description
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Impact
Unauthenticated attackers can execute arbitrary code by exploiting NoSQL injection in the $where clause, allowing remote code execution via crafted query parameters.
Remediation
Update Mongoose to version 8.8.3 or later to address the NoSQL injection vulnerability.
Monitorr Panel - Detect
Author: ritikchaddhaAdded: Apr 25, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-211006074"Monsta FTP - Detect
Author: rxeriumAdded: Nov 11, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Monsta FTP"})Description
Detects Monsta FTP web-based file manager interface.
Monstra Admin Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "419828698"Description
Monstra admin panel was detected.
Moodle LTI module Reflected - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Moodle"})Description
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.
Impact
Attackers can inject malicious JavaScript through the LTI module that executes in educators' or students' browsers, potentially stealing Moodle session credentials and accessing sensitive course information.
Remediation
Update Moodle to a patched version that properly sanitizes user input in the LTI module and prevents execution of injected scripts.
Moodle Workplace Login Panel - Detect
Author: righettodAdded: Mar 9, 2024
runzero-match
service["http.body"] matches "(?i)moodle"Description
Moodle workplace login panel was detected.
Morningstar ProStar MPPT Solar Charge Controller - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Prostar MPPT - Live Data"})Description
Morningstar ProStar MPPT is a solar charge controller with a built-in web server providing
live data monitoring for off-grid and industrial solar installations.
The exposed interface displays real-time array, battery, and load data without authentication.
Mosparo < 1.0.2 - Open Redirect
runzero-match
service["product"] matches "(?i)mosparo"Description
Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2.
Impact
Unauthenticated attackers can exploit open redirect through the targetPath parameter to redirect users to malicious websites for phishing attacks.
Remediation
Update to the latest version of mosparo.
Motorola Baby Monitors - Remote Command Execution
runzero-match
service["product"] matches "(?i)binatoneglobal.halo\\+.camera.firmware"Description
Motorola Baby Monitors contains multiple interface vulnerabilities could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected device, potentially leading to unauthorized access, data theft, or further compromise of the network.
Remediation
Apply the latest firmware update provided by Motorola to mitigate the vulnerability and ensure the device is not accessible from untrusted networks.
Movable Type Pro Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)サインイン \\| movable type pro"})Description
Movable Type Pro login panel was detected.
MovableType - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "サインイン \\| movable type pro"})Description
MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability in MovableType.
Moxa MXview One - Network Management Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "MXview One Central Manager"})Description
Moxa MXview One is a network management platform for industrial Ethernet
infrastructure, OT network monitoring, and topology visualisation. It is
widely used in manufacturing, energy, and transportation to manage industrial
switches and routers.
Multiple Shipping Address Woocommerce < 2.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/multiple-shipping-address-woocommerce"Description
The Multiple Shipping Address Woocommerce plugin before 2.0 does not properly sanitize and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections.
Impact
Unauthenticated attackers can execute time-based blind SQL injection to extract database contents, potentially exposing sensitive WooCommerce customer and order data.
Remediation
Update the Multiple Shipping Address Woocommerce plugin to version 2.0 or later.
Munin Monitoring Dashboard - Exposure
Author: 0x_AkokoAdded: Dec 4, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Munin"})Description
Detected Munin monitoring dashboard, exposing system metrics and server statistics.
MyBB - Full Path Disclosure
Author: 0x_AkokoAdded: Jan 12, 2026
runzero-match
service["http.body"] matches "(?i)MyBB"Description
Detected MyBB forum software exposed the server's full filesystem path through PHP fatal errors when files that implemented interfaces were accessed without dependencies.
MyBB Installation Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mybb"})Description
MyBB installation panel was detected.
MyBB Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mybb"})Description
MyBB login panel was detected.
MyQ Print Server Panel - Detect
Author: darsesAdded: Jun 21, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-924708843" || any(each(service["html.titles"]), {# matches "(?i)MyQ"}) || service["favicon.ico.image.mmh3"] == "864100810" || service["favicon.ico.image.mmh3"] == "784616151" || service["favicon.ico.image.mmh3"] == "-2012429205"MyStrom Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)myStrom"})Description
Mystrom panel was detected.
Mystic Stealer Panel - Detect
Author: pussycat0xAdded: Jul 7, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mystic Stealer"})Description
Mystic Stealer panel were detected.
N-able N-central < 2024.2 - Authentication Bypass Detection
runzero-match
service["product"] contains "N-able:N-central"Description
N-central server versions prior to 2024.2 contain an authentication bypass in the user interface, letting attackers access restricted areas without proper credentials, exploit requires no specific conditions.
Impact
Attackers can access sensitive user interface features, potentially leading to unauthorized data access or control.
Remediation
Update to version 2024.2 or later.
N-central - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)N-central Login"})Description
N-central < 2025.4 can generate sessionIDs for unauthenticated users This issue affects N-central: before 2025.4.
Impact
Attackers can hijack sessions without authentication, potentially leading to unauthorized access.
Remediation
Update to version 2025.4 or later.
N-central - XML External Entities Injection
Author: DhiyaneshDK,horizon3aiAdded: Nov 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "N-central Login"})Description
N-central versions < 2025.4 are vulnerable to an XML External Entities injection leading to information disclosure.
Impact
Attackers can disclose sensitive information by exploiting XML External Entities injection.
Remediation
Update to version 2025.4 or later.
N-central Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)N-central Login"})Description
N-central login panel was detected.
N8n - Config
Author: icarotAdded: Sep 2, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)n8n.io*workflow automation"})Description
The `/rest/settings` endpoint in N8n was publicly exposed, which could have disclosed internal configuration details and sensitive application information.
NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NAKIVO"})Description
NAKIVO Backup & Replication is a data protection solution used for backing up and restoring virtualized and physical environments. A vulnerability has been identified in certain versions of NAKIVO Backup & Replication that allows an unauthenticated attacker to read arbitrary files on the underlying system.
Impact
Unauthenticated attackers can read arbitrary files from the NAKIVO Backup & Replication server.
Remediation
Update NAKIVO Backup & Replication to a version that patches CVE-2024-48248.
NConf Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nconf"})Description
NConf login panel was detected.
NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution
runzero-match
service["product"] matches "(?i)netgear.jgs516pe.firmware"Description
NETGEAR ProSAFE Plus before 2.6.0.43 is susceptible to unauthenticated remote code execution. Any HTML page is allowed as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
Remediation
Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.
NETGEAR Routers - Authentication Bypass
runzero-match
service["http.head.wwwAuthenticate"] matches `(?i)^Basic realm="NETGEAR`Description
NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices are susceptible to authentication bypass via simple crafted requests to the web management server.
Impact
Successful exploitation of this vulnerability can lead to unauthorized configuration changes, network compromise, and potential exposure of sensitive information.
Remediation
Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.
NETGEAR Routers - Remote Code Execution
runzero-match
service["http.head.wwwAuthenticate"] matches `(?i)^Basic realm="NETGEAR`Description
NETGEAR routers R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly others allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected router, potentially leading to unauthorized access, data theft, or network compromise.
Remediation
Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.
NETGEAR WNAP320 Access Point Firmware - Remote Command Injection
runzero-match
service["product"] matches "(?i)netgear.wnap320.firmware"Description
NETGEAR WNAP320 Access Point Firmware version 2.0.3 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.
Remediation
Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.
NI Web-based Configuration & Monitoring - Detect
Author: DhiyaneshDK,matejsmyckaAdded: Sep 24, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NI Web-based Configuration & Monitoring"}) || service["favicon.ico.image.mmh3"] == "1192389544"NP Data Cache Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NP Data Cache"})Description
NP Data Cache panel was detected.
NPS - Authentication Bypass
Author: SleepingBag945Added: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)window\\.nps"Description
This will reveal all parameters configured on the NPS, including the account username and password of the proxy.
NPort Web Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NPort Web Console"})Description
NPort Web Console login panel was detected.
NS-ASG Application Security Gateway 6.3 - Sql Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)“NS-ASG”"})Description
A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Impact
Authenticated attackers can extract sensitive database information via SQL injection in the NS-ASG Application Security Gateway.
Remediation
Update NS-ASG Application Security Gateway to a version newer than 6.3.
NSQ Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nsqadmin"})Description
NSQ admin panel was detected.
NUUO NVRmini - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NUUO"})Description
NUUO NVRmini is vulnerable to unauthenticated remote command execution through the upgrade_handle.php file. The vulnerability allows an attacker to execute arbitrary commands by manipulating the uploaddir parameter.
Impact
Unauthenticated attackers can execute arbitrary commands on the NUUO NVRmini device by manipulating the uploaddir parameter in upgrade_handle.php, leading to complete device compromise and potential unauthorized access to video surveillance systems and recordings.
Remediation
Update NUUO NVRmini to a patched version later than the 2016 firmware that properly validates the uploaddir parameter and restricts command execution.
NZBGet Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)nzbget"Description
NZBGet login panel was detected.
Nacos - Information Disclosure
Author: s4e-ioAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nacos"})Description
Nacos unauthorized download of configuration information.
NagVis Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)nagvis"Description
NagVis login panel was detected.
Nagios Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nagios Core"})Description
Nagios default admin credentials were discovered.
Nagios Log Server - Detect
Author: ritikchaddhaAdded: Oct 24, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1460499495"Description
Detects the presence of Nagios Log Server by identifying specific response patterns, HTTP headers, or unique page elements.
Nagios Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios"})Description
Nagios login panel was detected.
Nagios XI <5.8.5 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "nagios xi"})Description
Nagios XI through 5.8.5 contains an open redirect vulnerability in the login function. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Upgrade Nagios XI to version 5.8.5 or later to mitigate the vulnerability.
Nagios XI Default Admin Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "Nagios XI"})Description
Nagios XI default admin login credentials were detected.
Nagios XI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
Nagios XI login panel was detected.
NagiosXI <= 5.4.12 - SQL injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
Impact
Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
Remediation
Upgrade to Nagios XI version 5.4.13 or later.
NagiosXI <= 5.4.12 `commandline.php` SQL injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.
Impact
Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
Remediation
Upgrade to Nagios XI version 5.4.13 or later.
NagiosXI <= 5.4.12 logbook.php SQL injection
runzero-match
service["favicon.ico.image.mmh3"] == "1460499495" || any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.
Impact
Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
Remediation
Upgrade to Nagios XI version 5.4.13 or later.
NagiosXI <= 5.4.12 menuaccess.php - SQL injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.
Impact
Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
Remediation
Upgrade to Nagios XI version 5.4.13 or later.
Navicat On-Prem Server Panel - Detect
Author: ritikchaddhaAdded: Aug 21, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "598296063"Description
Navicat On-Prem Server is an on-premise solution that provides you with the option to host a cloud environment for storing Navicat objects internally at your location. In our On-Prem environment, you can enjoy complete control over your system and maintain 100% privacy. It is secure and reliable that allow you to maintain a level of control that the cloud often cannot.
Navidrome <=0.54.5 - Authentication Bypass in Subsonic API
runzero-match
service["http.body"] matches "(?i)content=\"Navidrome"Description
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.
Impact
Attackers can bypass authentication using non-existent usernames and empty password hashes to gain read-only access to user playlists and other data through Subsonic API endpoints.
Remediation
Upgrade to Navidrome version 0.54.5 or later that properly validates authentication credentials.
Ncast busiFacade - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)高清智能录播系统"})Description
The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.
Impact
Allows remote attackers to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Neo4j Browser - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)neo4j browser"})Description
The Neo4j Browser has been detected.
Neobox Web Server Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)NeoboxUI"Description
Neobox Web Server login panel was detected.
NestJS DevTools Integration - Remote Code Execution
runzero-match
service["product"] matches "(?i)devtools.nestjs.com"Description
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.
Impact
Malicious websites visited by developers can execute arbitrary code on their local machine through the unprotected /inspector/graph/interact endpoint due to improper sandboxing.
Remediation
This is fixed in version 0.2.1.
NetAlert X - Arbitary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netalert x"})Description
A directory traversal vulnerability has been identified in NetAlertX versions v24.7.18 - v24.9.12.
Impact
This vulnerability allows remote attackers to list directories on the affected system. Successful exploitation could enable unauthorized users to explore the system’s internal structure.
Remediation
Fixed in v24.10.12
NetBox - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetBox"}) && service["http.body"] contains "netbox-community"Description
Detected that NetBox was using the default credentials admin:admin. The official netbox-docker deployment set SUPERUSER_NAME=admin and SUPERUSER_PASSWORD=admin by default.
NetMRI < 7.6.1 - Authentication Bypass via Hardcoded Credentials
runzero-match
service["favicon.ico.image.mmh3"] == "-319724102"Description
An issue was discovered in Infoblox NETMRI before 7.6.1. Authentication Bypass via a Hardcoded credential can occur.
Impact
Attackers can bypass authentication using hardcoded credentials to access administrative functions and read sensitive system files including /etc/shadow.
Remediation
Upgrade to Infoblox NetMRI version 7.6.1 or later and change all default credentials immediately.
NetMRI Unauthenticated SQL Injection via skipjackUsername
runzero-match
service["favicon.ico.image.mmh3"] == "-319724102"Description
An issue was discovered in Infoblox NETMRI before 7.6.1. Unauthenticated SQL Injection can occur.
Impact
Unauthenticated attackers can extract sensitive data including encrypted passwords through SQL injection in the skipjackUsername parameter, potentially leading to complete system compromise.
Remediation
Upgrade to Infoblox NetMRI version 7.6.1 or later that properly sanitizes SQL input parameters.
NetMizer LogManagement System Data - Directory Exposure
Author: DhiyaneshDkAdded: Aug 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetMizer"})Description
Directory Exposure vulnerability in the NetMizer log management system of Beijing Lingzhou Network Technology Co., Ltd. Due to the loose control of /data, attackers can use this vulnerability to obtain sensitive information.
NetMizer LogManagement System cmd.php - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetMizer"})Description
Remote Command Execution vulnerability in the NetMizer log management system cmd.php, and the attacker can execute the command by passing in the cmd parameter.
NetSUS Server Default Login
runzero-match
any(each(service["html.titles"]), {# matches "NetSUS Server Login"})Description
NetSUS Server default admin credentials were discovered.
NetSUS Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetSUS Server Login"})Description
NetSUS Server login panel was detected.
NetScaler Console - Panel
Author: DhiyaneshDkAdded: Apr 23, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetScaler Console"})Description
NetScaler Console login panel was discovered.
NetScaler Console - Sensitive Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetScaler Gateway"})Description
Sensitive information disclosure in NetScaler Console
Impact
Attackers can access sensitive information including session secrets and administrative credentials from the NetScaler Console without proper authentication.
Remediation
Apply the patches specified in Citrix advisory CTX677998 to address the information disclosure vulnerability in NetScaler Console.
Netdata Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netdata dashboard"})Description
Netdata Dashboard panel was detected.
Netdata Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netdata dashboard"}) || any(each(service["html.titles"]), {# matches "(?i)Netdata Console"}) || service["http.head.server"] matches "netdata embedded http server"Description
Netdata panel was discovered.
Netdisco Admin - Default Login
Author: ritikchaddhaAdded: Oct 7, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Netdisco"})Description
Detects use of hard-coded credentials in Netdisco.
Impact
Attackers can potentially exploit this vulnerability to gain unauthorized access to sensitive information.
Remediation
Update the application to remove hard-coded credentials and implement secure credential management practices.
Netentsec NS-ICG - Default Login
runzero-match
service["http.head.server"] matches "(?i)netentsec"Description
Netentsec NS-ICG contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Netflix Conductor UI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)conductor ui"})Description
Netflix Conductor UI panel was detected.
Netflow Analyzer - Default Login
Author: DhiyaneshDKAdded: Jul 18, 2024
runzero-match
service["http.body"] matches "Login - Netflow Analyzer"Description
Netflow Analyzer default login was discovered.
Netflow Analyzer Login - Panel
Author: DhiyaneshDkAdded: Jul 18, 2024
runzero-match
service["http.body"] matches "(?i)Login - Netflow Analyzer"Netgear DGN2200 - Improper Authentication
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DGN2200"})Description
A vulnerability in the Netgear DGN2200 router with firmware version v1.0.0.46 and earlier permits unauthorized individuals to bypass the authentication. When adding "?x=1.gif" to the requested url, it will be recognized as passing the authentication.
Impact
Attackers on the local network can bypass authentication by appending '?x=1.gif' to URLs, gaining unauthorized access to administrative functions and router configuration.
Remediation
Update Netgear DGN2200 router to firmware version later than v1.0.0.46 that addresses the authentication bypass vulnerability.
Netgear R6850 V1.1.0.88 - Command Injection
runzero-match
service["product"] matches "(?i)NETGEAR"Description
Netgear R6850 router firmware version V1.1.0.88 suffers from a command injection vulnerability in the ping_test functionality. An unauthenticated attacker can inject arbitrary system commands through the c4_IPAddr parameter, resulting in remote code execution as root.
Impact
Attackers can execute arbitrary commands on the router, leading to complete device compromise.
Remediation
Update Netgear R6850 firmware to a version that patches the command injection vulnerability.
Netgear RAX43 1.0.3.96 - Command Injection/Authentication Bypass Buffer Overrun
runzero-match
service["product"] matches "(?i)netgear.rax43.firmware"Description
Netgear RAX43 version 1.0.3.96 contains a command injection and authentication bypass vulnerability. The readycloud_control.cgi CGI application is vulnerable to command injection in the name parameter. Additionally, the URL parsing functionality in the cgi-bin endpoint of the router containers a buffer overrun issue that can redirection control flow of the application. Note: This vulnerability uses a combination of CVE-2021-20166 and CVE-2021-20167.
Impact
Authenticated attackers can execute arbitrary commands on the router, potentially compromising all network traffic and connected devices.
Remediation
Upgrade to newer release of the RAX43 firmware.
Netgear WNR614 - Improper Authentication
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WNR614"})Description
A vulnerability in the Netgear WNR614 router permits unauthorized individuals to bypass the authentication. When adding "%00currentsetting.htm" to the the requested url, it will be recognized as passing the authentication.
Netgear-WN604 downloadFile.php - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Netgear"})Description
There is an information leakage vulnerability in the downloadFile.php interface of Netgear WN604. A remote attacker using file authentication can use this vulnerability to obtain the administrator account and password information of the wireless router, causing the router's background to be controlled. The attacker can initiate damage to the wireless network or further threaten it.
Impact
Unauthenticated attackers can download configuration files containing administrator account and password information, enabling complete router compromise.
Remediation
Update Netgear WN604 to the latest firmware version that addresses the information disclosure vulnerability in downloadFile.php.
Netis MW5360 V1.0.1.3031 - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "netis router"})Description
NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
Impact
Unauthenticated attackers can execute arbitrary OS commands via the password parameter, potentially compromising the entire Netis router.
Remediation
Update Netis MW5360 firmware to a version newer than V1.0.1.3031.
Netis Wifi Router - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Netis"})Description
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the mode_name, wl_link parameters of the skk_get.cgi component.
Impact
Unauthenticated attackers can access sensitive router configuration information including network settings and credentials.
Remediation
Update affected Netis router models to versions that patch the information disclosure vulnerability.
Netmaker - Hardcoded DNS Secret Key
runzero-match
service["http.body"] matches "(?i)netmaker"Description
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints.
Impact
Unauthenticated attackers can access DNS API endpoints using the hardcoded secret key, potentially manipulating DNS configurations and redirecting WireGuard network traffic in the Netmaker VPN infrastructure.
Remediation
Update Netmaker to version 0.17.1 or 0.18.6 or later that removes hardcoded credentials and implements proper authentication for DNS API endpoints.
Netris Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Netris Dashboard"})Description
Netris Dashboard panel was detected.
Netsparker Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Sign in to Netsparker Enterprise"})Description
Netsparker login panel was detected.
Netsweeper 3.0.6 - Open Redirection
runzero-match
service["product"] matches "(?i)netsweeper"Description
An open redirect vulnerability in remotereporter/load_logfiles.php in Netsweeper before 4.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the download of malware.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the open redirection vulnerability.
Network Technologies Inc ENVIROMUX - Default Login
Author: M.Sarmad ShafiqAdded: May 14, 2025
runzero-match
service["http.body"] matches "ENVIROMUX"Description
The ENVIROMUX environment monitoring system from Network Technologies Inc was found to be using its default login credentials. This default configuration could have allowed unauthorized users to gain access to the web management interface without authentication, potentially leading to information disclosure or unauthorized control over environmental monitoring systems.
Newspaper Theme 6.4–6.7.1 - Privilege Escalation
runzero-match
service["http.body"] matches "(?i)wp-content/themes/mTheme-Unus/"Description
Newspaper Theme versions 6.4 to 6.7.1 for WordPress lacked proper options access control through td_ajax_update_panel, which led to a Privilege Escalation vulnerability.
Impact
Unauthenticated attackers can escalate their privileges to administrator level, allowing complete control over the WordPress site including content manipulation, user management, and potential site takeover.
Remediation
Update to Newspaper Theme version 6.7.2 or later.
Next Terminal - Default Login
Author: ritikchaddhaAdded: Apr 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Next Terminal"})Description
Next Terminal default login was discovered.
Next.js - Server Side Request Forgery (SSRF)
runzero-match
service["http.body"] matches "/_next/static"Description
Next.Js, inferior to version 14.1.1, have its image optimization built-in component prone to SSRF.
Impact
Unauthenticated attackers can force the Next.js server to make requests to arbitrary internal or external resources.
Remediation
Update Next.js to version 14.1.1 or later.
Next.js <1.2.3 - Open Redirect
runzero-match
service["http.body"] matches "/_next/static"Description
Next.js contains an open redirect via “_next/image” due to improper path parsing.
Remediation
Upgrade to Next.js version 1.2.3 or higher.
Next.js <9.3.2 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/_next/static"Description
Next.js versions before 9.3.2 are vulnerable to local file inclusion. An attacker can craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
This issue is fixed in version 9.3.2.
Next.js Cache Poisoning
Author: Ice3man543Added: Apr 23, 2025
runzero-match
service["http.body"] matches "(?i)/_next/static"Description
Next.js is vulnerable to cache poisoning through the x-middleware-prefetch and x-invoke-status headers. This can result in DoS by serving an empty JSON object or error page instead of the intended content, affecting SSR responses.
Next.js Middleware - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)zeit.next.js"Description
In Next.js prior to versions 14.2.32 and 15.4.7, when request headerswere insecurely passed to NextResponse.next(), an attacker could exploit this behavior to perform Server-Side Request Forgery (SSRF) attacks.
Impact
Attackers can manipulate request headers to perform SSRF attacks by forcing the server to make requests to arbitrary internal or external URLs when middleware passes headers unsafely.
Remediation
Upgrade Next.js to version 14.2.32, 15.4.7, or later that properly validates and sanitizes request headers in NextResponse.next().
NextChat - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "NextChat,\"ChatGPT Next Web"})Description
NextChat v2.12.3 suffers from a Server-Side Request Forgery (SSRF) and Cross-Site Scripting vulnerability due to a lack of validation of the GET parameter on the WebDav API endpoint.
Impact
Unauthenticated attackers can perform SSRF attacks to access internal services, scan internal networks, or exfiltrate sensitive information from systems that should not be accessible externally.
Remediation
Upgrade to NextChat version 2.12.4 or later that includes proper validation of the endpoint parameter.
NextGEN Gallery <= 3.59 - Missing Authorization to Unauthenticated Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/nextgen-gallery/"Description
The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthenticated attackers to extract sensitive data including EXIF and other metadata of any image uploaded through the plugin.
Impact
Unauthenticated attackers can perform unauthorized actions within the NextGEN Gallery plugin.
Remediation
Update NextGEN Gallery to version 3.60 or later.
NextGen Healthcare Mirth Connect - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "mirth connect administrator"})Description
Unauthenticated remote code execution vulnerability in NextGen Healthcare Mirth Connect before version 4.4.1.
Impact
Successful exploitation could result in unauthorized access and potential compromise of sensitive data.
Remediation
Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
NextGen Mirth Connect - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "mirth connect administrator"})Description
Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
Impact
Unauthenticated attackers can exploit XML deserialization vulnerabilities to execute arbitrary code on the Mirth Connect server, potentially compromising sensitive healthcare data and integration workflows.
Remediation
Update NextGen Mirth Connect to version 4.4.1 or later that properly validates XML input and prevents unsafe deserialization attacks.
NextcloudPi Login - Panel
Author: ritikchaddhaAdded: Jun 3, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NextcloudPi"})Description
Detects the presence of a NextcloudPi login page. NextcloudPi is a ready-to-use Nextcloud instance for Raspberry Pi.
Nexus Default Login
runzero-match
service["http.head.setCookie"] contains "NXSESSIONID"Description
Nexus default admin credentials were discovered.
Nexus Login Panel - Detect
Author: righettodAdded: Mar 10, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Sonatype Nexus Repository"})Description
Nexus login panel was detected.
Nexus Repository Manager - Anonymous Access Enabled
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nexus Repository Manager"})Description
Detected Nexus Repository Manager instance with anonymous access enabled, allowing unauthenticated users to list and browse repositories containing private artifacts including source code, packages, and Docker images.
Nginx Admin Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nginx admin manager"})Description
Nginx Admin Manager login panel was detected.
Nginx Proxy Manager - Default Login
Author: barttran2000Added: Sep 16, 2024
runzero-match
service["http.body"] matches "Nginx Proxy Manager"Description
Default Nginx Proxy Manager credentials was discovered.
Nginx Proxy Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nginx Proxy Manager"})Description
Nginx Proxy Manager login panel was detected.
Nginx UI - Broken Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nginx UI"})Description
Network attackers can fully control nginx service, including config modification and service restart, leading to complete service takeover.
Impact
An unauthenticated attacker with a valid MCP session ID can inject arbitrary nginx configurations,create reverse proxies for credential theft, and achieve remote code execution via nginx config primitives.
Remediation
Upgrade to nginx-ui v2.3.4 or later which adds AuthRequired() to /mcp_message.
Nginx UI < 2.3.3 - Information Disclosure
runzero-match
service["product"] contains "Nginx UI:Nginx UI"Description
Nginx UI < 2.3.3 contains an information disclosure vulnerability caused by unauthenticated access to /api/backup endpoint exposing encryption keys in X-Backup-Security header, letting unauthenticated attackers download and decrypt full system backups.
Impact
Unauthenticated attackers can access and decrypt full system backups, exposing sensitive data including credentials and private keys.
Remediation
Upgrade to version 2.3.3 or later.
Nginx UI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nginx ui"})Description
Nginx UI panel was detected.
Ninja Tables <4.1.9 - Unauthenticated Arbitrary File Read
Author: xbow,DhiyaneshDkAdded: Jul 15, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ninja-tables/"Description
The Ninja Tables plugin for WordPress (versions < 4.1.9) is vulnerable to an unauthenticated arbitrary file download vulnerability. The issue exists due to the improper validation of the 'url' parameter in the 'ninja_table_force_download' AJAX action.
Impact
An unauthenticated attacker can download sensitive files from the server, such as '/etc/passwd' or '/wp-config.php', potentially exposing sensitive information including database credentials.
Remediation
Update the Ninja Tables plugin to version 4.1.9 or later.
NoEscape Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NoEscape - Login"})Description
NoEscape login panel was detected.
NocoBase - Default Login
Author: Fur1na, icarotAdded: Apr 22, 2025
runzero-match
any(each(service["http.bodies"]), {# matches "'NOCOBASE_'"})Description
NocoBase default login was discovered.
NocoDB Panel - Detect
Author: userdehghaniAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "206985584"Description
NocoDB Login panel was discovered.
NocoDB version <= 0.106.1 - Arbitrary File Read
runzero-match
service["favicon.ico.image.mmh3"] == "-2017596142"Description
NocoDB through 0.106.1 has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.
Impact
The vulnerability can lead to unauthorized access to sensitive information, potentially exposing user credentials, database contents, and other confidential data.
Remediation
Upgrade NocoDB to a version higher than 0.106.1 to mitigate the vulnerability.
Node RED Dashboard <2.26.2 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Node-RED"})Description
NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.
Impact
An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
Remediation
Upgrade Node RED Dashboard to version 2.26.2 or later to mitigate the vulnerability.
Node-Red - Default Login
Author: savikAdded: Jan 21, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "321591353"Description
Allows attacker to log in and execute RCE on the Node-Red panel using the default credentials.
Node.JS System Information Library <5.3.1 - Remote Command Injection
runzero-match
service["product"] matches "(?i)systeminformation"Description
Node.JS System Information Library System before version 5.3.1 is susceptible to remote command injection. Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Upgrade to version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected
Node.js REPL History Disclosure
Author: pussycat0xAdded: Dec 18, 2025
runzero-match
service["http.body"] matches "(?i)\\.node_repl_history"Description
The Node.js REPL history file (.node_repl_history) was exposed, which had contained a log of commands entered into the Node.js interactive shell.
NodeBB XML-RPC Request xmlrpc.php - XML Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nodebb"})Description
A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.
Impact
Unauthenticated attackers can inject arbitrary PHP code through crafted XML-RPC requests to the xmlrpc.php endpoint, potentially gaining full control over the NodeBB forum server and accessing user data.
Remediation
Update NodeBB to version 1.18.6 or later that properly validates and sanitizes XML-RPC input to prevent code injection attacks.
Nodejs Squirrelly - Remote Code Execution
runzero-match
service["product"] matches "(?i)squirrelly"Description
Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Update to the latest version of Nodejs Squirrelly template engine to mitigate the vulnerability.
Nodogsplash - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenWRT"})Description
Nodogsplash product was affected by a directory traversal vulnerability that also impacted the OpenWrt product. This vulnerability was addressed in Nodogsplash version 5.0.1. Exploiting this vulnerability, remote attackers could read arbitrary files from the target system.
Impact
An attacker can exploit this vulnerability to view, modify, or delete sensitive files on the system, potentially leading to unauthorized access, data leakage, or system compromise.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Noptin < 1.6.5 - Open Redirect
runzero-match
service["product"] matches "(?i)noptin"Description
Noptin < 1.6.5 is susceptible to an open redirect vulnerability. The plugin does not validate the "to" parameter before redirecting the user to its given value, leading to an open redirect issue.
Impact
An attacker can trick users into visiting malicious websites, leading to phishing attacks.
Remediation
Update to Noptin plugin version 1.6.5 or later.
Nordex Control Wind Farm Portal Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Nordex Control"Description
Nordex Control Wind Farm Portal login panel was detected.
Normhost Backup Server Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Normhost Backup server manager"})Description
Normhost Backup server manager panel was detected.
Nortek Linear eMerge E3-Series - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Linear eMerge"})Description
Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a SQL injection vulnerability via the idt parameter.
Impact
Unauthenticated attackers can exploit SQL injection in the idt parameter to extract sensitive access control data including badge information, user credentials, and building security configurations from the eMerge access control system.
Remediation
Update Nortek Linear eMerge E3-Series firmware to a patched version that uses parameterized queries and properly sanitizes the idt parameter.
Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emerge"}) || any(each(service["html.titles"]), {# matches "(?i)linear emerge"})Description
Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Upgrade to a patched version of Nortek Linear eMerge E3-Series (>=0.32-08f) to mitigate this vulnerability.
Nortek Linear eMerge Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emerge"})Description
Nortek Linear eMerge panel was detected.
NotificationX <= 2.8.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/notificationx"Description
The NotificationX - Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can extract sensitive database information including usernames, passwords, and other confidential data via time-based SQL injection.
Remediation
Update NotificationX plugin to version 2.8.3 or later.
NotificationX Dropshipping < 4.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/woocommerce-dropshipping"Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection
Impact
Unauthenticated attackers can exploit time-based SQL injection through the REST endpoint to extract sensitive WooCommerce data including customer information, order details, and payment records.
Remediation
Update NotificationX Dropshipping plugin to version 4.4 or later that properly sanitizes and escapes parameters in REST endpoints.
Nova noVNC - Open Redirect
runzero-match
service["product"] matches "(?i)openstack.nova"Description
Nova noVNC contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the open redirect vulnerability in the Nova noVNC application.
Novius OS 5.0.1-elche - Open Redirect
runzero-match
service["product"] matches "(?i)novius.os.novius.os"Description
Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Apply the latest security patches or upgrade to a newer version of Novius OS.
Nozomi Guardian Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Please Login \\| Nozomi Networks Console"})Description
Nozomi Guardian login panel was detected.
Nsfocus - Arbitrary User Login
Author: ritikchaddhaAdded: Sep 10, 2024
runzero-match
service["http.body"] matches "(?i)/needUsbkey\\.php\\?username="Description
Nsfocus bastion host has an arbitrary user login vulnerability. Attackers can use the vulnerability to log in any user by including www/local_user.php
Nuxeo Platform Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nuxeo Platform"})Description
Nuxeo Platform login panel was detected.
O2 Router Setup Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)O2 Easy Setup"})Description
O2 router setup panel was detected.
O2OA - Default Login
Author: SleepingBag945Added: Aug 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "O2OA"})Description
O2OA is an open source and free enterprise and team office platform. It provides four major platforms portal management, process management, information management, and data management. It integrates many functions such as work reporting, project collaboration, mobile OA, document sharing, process approval, and data collaboration. Meet various management and collaboration needs of enterprises.
OCS Inventory Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OCS Inventory"})Description
OCS Inventory login panel was detected.
OKIOK S-Filer Portal Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)S-Filer"})Description
OKIOK S-Filer Portal login panel was detected.
OLT Web Management Interface Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OLT Web Management Interface"})Description
OLT Web Management Interface login panel was detected.
OLYMPIC Banking System Login Panel - Detect
Author: righettodAdded: Oct 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)olympic banking system"})Description
OLYMPIC Banking System was detected.
OPNsense <=20.1.5 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "opnsense"})Description
OPNsense through 20.1.5 contains an open redirect vulnerability via the url redirect parameter in the login page, which is not filtered. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability could allow an attacker to redirect users to malicious websites, leading to phishing attacks or the disclosure of sensitive information.
Remediation
Upgrade OPNsense to a version higher than 20.1.5 to mitigate the vulnerability.
OPNsense Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1148190371" || service["favicon.ico.image.mmh3"] == "-1068289244" || any(each(service["html.titles"]), {# matches "(?i)\\| OPNsense"}) || service["http.head.server"] matches "OPNsense"Description
OPNsense panel was detected.
OSASI Login - Panel
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
service["http.body"] matches "(?i)/css/osasiasp\\.css"Description
OSASI Login panel was discovered.
OSASI PLC - Default Login
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-268676052"Description
Detected OSASI PLC web interface accessible with default credentials, potentially allowing unauthorized administrative access to industrial control systems.
OSIsoft PI Vision - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^PI Vision"})Description
OSIsoft PI Vision (now AVEVA PI Vision) is a web-based data visualisation
platform for the PI System, widely used in energy, utilities, oil and gas,
and manufacturing for real-time operational data monitoring. Exposed instances
may provide access to sensitive operational technology data.
OSNEXUS QuantaStor Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OSNEXUS QuantaStor Manager"})Description
OSNEXUS QuantaStor Manager login panel was detected.
OTOBO Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)otobo"})Description
OTOBO login panel was detected.
OcoMon Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ocomon"Description
a tiny helpdesk system written in php
OctoberCMS - Default Admin Discovery
runzero-match
service["favicon.ico.image.mmh3"] == "3823102"Description
OctoberCMS default admin credentials were discovered.
Odoo - Database Manager Discovery
Author: __Fazal,R3dg33kAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)odoo"})Description
Odoo database manager was discovered.
Odoo - Panel Detect
Author: DhiyaneshDK,righettodAdded: May 17, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)odoo"})Odoo <= 8.0-20160726 & 9.0 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "Odoo"})Description
An Open Redirect vulnerability in Odoo versions <= 8.0-20160726 and 9.0. This issue allows an attacker to redirect users to untrusted sites via a crafted URL.
Impact
Successful exploitation can redirect users to malicious sites, potentially leading to phishing attacks or information theft.
Remediation
Update Odoo to the latest patched version provided by the vendor.
Odoo Apps - Cross-Site Scripting via Prototype Pollution
runzero-match
service["http.body"] matches "(?i)Odoo"Description
jquery-bbq 1.2.1 contains a prototype pollution caused by improperly controlled modification of object prototype attributes, letting malicious users inject properties into Object.prototype, exploit requires malicious user interaction.
Impact
Attackers can modify Object.prototype, leading to potential security issues like property overwrites and application behavior manipulation.
Remediation
Update to the latest version of jquery-bbq that addresses this vulnerability or apply patches to prevent prototype pollution.
Odoo OpenERP Database Selector Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)odoo"})Description
Odoo OpenERP database selector panel was detected.
Office Web Apps Server Full Read - Server Side Request Forgery
runzero-match
service["http.body"] matches "Provide a link that opens Word"Description
Office Web Apps Server Full Read is vulnerable to SSRF.
Office Web Apps Server Panel - Detect
runzero-match
service["http.body"] matches "(?i)provide a link that opens word"Description
Microsoft Office Web App Login Panel was discovered.
OfficeKeeper Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-800060828"Description
OfficeKeeper admin login panel was detected.
Okta - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Okta"})Description
Okta is susceptible to Log4j JNDI remote code execution. Okta provides cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services and devices.
Okta Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)okta"})Description
Okta login panel was detected.
Ollama - Remote Code Execution
Author: kaks3cAdded: Jul 8, 2024
runzero-match
service["product"] matches "(?i)ollama"Description
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
Impact
Attackers can exploit improper digest validation to achieve remote code execution on Ollama servers.
Remediation
Update Ollama to version 0.1.34 or later.
Omnia MPX 1.5.0+r1 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Omnia MPX Node \\| Login"})Description
Telos Alliance Omnia MPX Node through 1.5.0+r1 is vulnerable to local file inclusion via logs/downloadMainLog. By retrieving userDB.json allows an attacker to retrieve cleartext credentials and escalate privileges via the control panel.
Impact
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of Omnia MPX.
Omnia MPX Node Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Omnia MPX"Description
Omnia MPX Node login panel was detected.
Omnissa Workspace ONE UEM - Path Traversal
Author: DhiyaneshDK,slcyberAdded: Aug 30, 2025
runzero-match
service["http.body"] matches "(?i)/airwatch/default\\.aspx"Description
Omnissa Workspace ONE UEM contains a path traversal caused by crafted GET requests to restricted API endpoints, letting malicious actors access sensitive information, exploit requires sending crafted requests.
Impact
Malicious actors can access sensitive information by exploiting path traversal in API endpoints.
Remediation
Update to the latest version.
Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Remote File Inclusion/Server-Side Request Forgery
runzero-match
service["http.body"] matches "/wp-content/plugins/qt-kentharadio"Description
Onair2 < 3.9.9.2 and KenthaRadio < 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.
Impact
Remote File Inclusion/Server-Side Request Forgery vulnerability allows an attacker to include arbitrary files or make requests to internal resources, leading to potential data leakage, unauthorized access.
Remediation
Update Onair2 to version 3.9.9.2 or higher and KenthaRadio to version 2.0.2 or higher to mitigate the vulnerability.
OneDev < 4.0.3 - User Access Token Leak
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OneDev"})Description
OneDev before version 4.0.3 contains an insecure endpoint that allows retrieval of arbitrary user details, including access tokens, due to missing security checks on /users/{id}, letting attackers leak sensitive data and impersonate users, exploit requires no special conditions.
Impact
Attackers can access sensitive user data and tokens, leading to impersonation, data leaks, and potential full account compromise.
Remediation
Update to version 4.0.3 or later where user info is removed from the REST API.
OneDev Panel - Detect
Author: vultzaAdded: Oct 28, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OneDev"})Description
OneDev is a Git Server with CI/CD, Kanban, and Packages.
OneDev.io < 11.0.9 - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)onedev\\.io"Description
Files on the host computer can be accessed by directory traversal.
Impact
An attacker would be able to view the contents of a file on the computer.
Remediation
Update to version 11.0.9.
Open Bulletin Board (OpenBB) v1.0.6 - Open Redirect/XSS
runzero-match
service["product"] matches "(?i)openbb"Description
Multiple cross-site scripting (XSS) vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) redirect parameter to member.php, (2) to parameter to myhome.php (3) TID parameter to post.php, or (4) redirect parameter to index.php.
Impact
Successful exploitation of these vulnerabilities could lead to unauthorized access, phishing attacks, and potential data theft.
Remediation
Upgrade to a patched version of Open Bulletin Board (OpenBB) or apply necessary security patches to mitigate the vulnerabilities.
Open Game Panel Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Open Game Panel"})Description
Open Game Panel login panel was detected.
Open Redirect in Host Authorization Middleware
runzero-match
service["product"] matches "(?i)rubyonrails.rails"Description
Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impact
This vulnerability can lead to phishing attacks, where users are tricked into visiting malicious websites and disclosing sensitive information.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the Open Redirect vulnerability in the Host Authorization Middleware.
Open Virtualization Userportal & Webadmin Panel Detection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ovirt-Engine"})Description
Open Virtualization Userportal & Webadmin panels were detected. Open Virtualization Manager is an open-source distributed virtualization solution designed to manage enterprise infrastructure. oVirt uses the trusted KVM hypervisor and is built upon several other community projects, including libvirt, Gluster, PatternFly, and Ansible.
Open Web Analytics Login - Detect
Author: DhiyaneshDKAdded: Sep 17, 2024
runzero-match
service["http.body"] matches "(?i)OWA CONFIG SETTINGS"Description
Detects the presence of Open Web Analytics login page.
Open WebUI - Default Login
Author: matejsmyckaAdded: Nov 18, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-286484075"Description
Detected the presence of an OpenWebUI panel with default credentials (admin@localhost/admin). Successful authentication using these default credentials allows attackers to access the admin interface and potentially perform remote code execution by defining a custom "tool".
OpenAM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openam"})Description
OpenAM login panel was detected.
OpenBMCS 2.4 - Server-Side Request Forgery / Remote File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1550906681"Description
OpenBMCS 2.4 is susceptible to unauthenticated server-side request forgery and remote file inclusion vulnerabilities within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
OpenBao Web UI Panel - Detect
Author: ritikchaddhaAdded: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenBao"})Description
Detects the presence of the OpenBao web console.
OpenBullet 2 - Panel
Author: MaStErChOAdded: Jun 25, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1264095219"Description
Openbullet was detected.
OpenCATS - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opencats"})Description
OpenCATS contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
OpenCATS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opencats"})Description
OpenCATS login panel was detected.
OpenCMS 14 & 15 - Cross Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opencms"})Description
Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.
Impact
Unauthenticated attackers can inject malicious JavaScript through multiple parameters in OpenCMS Mercury template pages to steal user session cookies and execute attacks against OpenCMS users.
Remediation
Update to version OpenCMS 16
OpenCart Core 4.0.2.3 'search' - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenCart"})Description
Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenCart Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)opencart"Description
OpenCart login panel was detected.
OpenCms 14 & 15 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "opencms"})Description
Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template
Impact
Unauthenticated attackers can redirect users to malicious external sites via the uri parameter, potentially facilitating phishing attacks or malware distribution.
Remediation
Update OpenCMS to version 16 or later.
OpenCode < 1.0.216 - Unauthenticated Remote Code Execution
runzero-match
service["http.body"] matches "(?i)opencode"Description
OpenCode versions prior to 1.0.216 contain an unauthenticated remote code execution vulnerability. The application exposes session and shell execution endpoints without proper authentication, allowing remote attackers to create sessions and execute arbitrary shell commands on the underlying server.
Impact
Unauthenticated attackers can execute arbitrary commands on the server, potentially leading to full system compromise.
Remediation
Upgrade OpenCode to version 1.0.216 or later.
OpenDreambox 2.0.0 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Dreambox WebControl"})Description
OpenDreambox 2.0.0 is susceptible to remote code execution via the webadmin plugin. Remote attackers can execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI in enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Apply the latest security patches or upgrade to a patched version of OpenDreambox.
OpenEMR - Default Admin Discovery
runzero-match
service["http.body"] matches "OpenEMR"Description
OpenEMR default admin credentials were discovered.
OpenEMR Product Registration Panel - Detect
runzero-match
service["http.body"] matches "(?i)openemr" || any(each(service["html.titles"]), {# matches "(?i)openemr"}) || service["favicon.ico.image.mmh3"] == "1971268439"Description
OpenEMR Product Registration panel was detected.
OpenEdge Login Panel - Detect
Author: rxeriumAdded: Aug 13, 2024
runzero-match
service["http.body"] matches "(?i)Welcome to Progress Application Server for OpenEdge"Description
An OpenEdge login panel was detected.
OpenEnergyMonitor emonCMS - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Emoncms - user login"})Description
emonCMS is an open-source energy monitoring web application by OpenEnergyMonitor,
used in homes and small businesses to track electricity, gas, and temperature.
The login page is commonly exposed on port 80, 443, or 8010.
OpenHands Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenHands"})Description
OpenHands (formerly OpenDevin) was detected. OpenHands is an open-source AI software engineering agent platform that can write code, run commands, and perform development tasks autonomously. Exposed instances may allow unauthenticated access to the agent.
OpenLiteSpeed WebAdmin - Default Login
Author: 0x_AkokoAdded: Jan 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenLiteSpeed WebAdmin"})Description
Detected OpenLiteSpeed WebAdmin Console was using default credentials.
OpenMRS Platform < 2.24.0 - Insecure Object Deserialization
runzero-match
service["http.body"] matches "OpenMRS"Description
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
Impact
Unauthenticated attackers can execute arbitrary system commands via insecure object deserialization, leading to complete server compromise and access to sensitive patient data.
Remediation
Upgrade to OpenMRS Platform version 2.24.0 or later.
OpenMediaVault - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "OpenMediaVault"})OpenMetadata - Admin User Enumeration
Author: icarotAdded: Sep 11, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenMetadata"})Description
Enumerates the admin users registered on OpenMetadata server.
OpenMetadata - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "733091897"Description
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.
Impact
Unauthenticated attackers can bypass authentication and gain unauthorized access to the OpenMetadata platform and its resources.
Remediation
Update OpenMetadata to a version that patches CVE-2024-28255.
OpenNMS - JNDI Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "OpenNMS Web Console"})Description
OpenNMS JNDI is susceptible to remote code execution via Apache Log4j 2.14.1 and before. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
OpenObserve Login Panel - Detect
Author: righettodAdded: Dec 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenObserve"})Description
OpenObserve products was detected.
OpenPLC Webserver v3 - Default Login
Author: machevalia,shriyanssAdded: Jun 25, 2025
runzero-match
service["http.body"] matches "(?i)OpenPLC"Description
Identifies default credentials (openplc:openplc) on OpenPLC Webserver v3, allowing unauthorized access to the web interface.
OpenProject - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenProject"})Description
Detected OpenProject was found using the default administrator credentials admin:admin. An attacker could gain full administrative control, including user management, project data, and system configuration.
OpenProject < 12.5.4 - Project Identifiers Exposure
runzero-match
service["http.body"] matches "(?i)OpenProject"Description
OpenProject versions before 12.5.6 generate a publicly accessible robots.txt file revealing project identifiers, even if the instance is set to 'Login required', letting attackers gather project info, exploit requires no authentication.
Impact
Attackers can enumerate project identifiers, potentially aiding targeted attacks or information gathering.
Remediation
Upgrade to version 12.5.6 or later, or apply the provided patch to versions above 10.0.
OpenSCADA - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^OpenSCADA"})Description
OpenSCADA is an open-source SCADA (Supervisory Control and Data Acquisition)
system. Exposed instances may provide access to industrial control interfaces
and operational technology (OT) data without authentication.
OpenSIS 7.3 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opensis"})Description
OpenSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
Remediation
Apply the latest security patch or upgrade to a patched version of OpenSIS.
OpenSIS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opensis"})Description
OpenSIS login panel was detected.
OpenSearch Dashboard Panel - Detect
Author: ritikchaddhaAdded: Jun 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenSearch"})Description
OpenSearch Dashboard is a visualization and management tool for OpenSearch. This template detects the presence of the OpenSearch Dashboard login panel, which is the default authentication interface for accessing the dashboard.
OpenShift - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "OpenShift"})Description
OpenShift is susceptible to Log4j JNDI remote code execution. OpenShift is a unified platform to build, modernize, and deploy applications at scale.
OpenSign Login Panel - Detect
Author: righettodAdded: Jun 23, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opensign"})Description
OpenSign Login panel was discovered.
OpenTSDB <=2.4.0 - Remote Code Execution
runzero-match
service["http.body"] matches "OpenTSDB"Description
OpenTSDB 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade OpenTSDB to a version higher than 2.4.0 to mitigate this vulnerability.
OpenText Content Server Login Panel - Detect
Author: righettodAdded: Feb 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Content Server"})Description
OpenText Content Server products was detected.
OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect
runzero-match
service["product"] matches "(?i)opentext.documentum.administrator"Description
OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Apply the latest security patches or upgrade to a patched version of OpenText Documentum Administrator.
OpenVPN Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openvpn-admin"}) || service["http.body"] matches "(?i)router management - server openvpn"Description
OpenVPN Admin login panel was detected.
OpenVPN Connect Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openvpn connect"})Description
OpenVPN Connect panel was detected.
OpenVPN Server Router Management Panel - Detect
runzero-match
service["http.body"] matches "(?i)router management - server openvpn" || any(each(service["html.titles"]), {# matches "(?i)openvpn-admin"})Description
OpenVPN Server Router Management Panel was detected.
OpenVZ Web Panel Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1898583197"Description
OpenVZ Web Panel login panel was detected.
OpenVas Login Panel - Detect
Author: rxeriumAdded: Feb 27, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1606029165"Description
An OpenVas Admin login panel was detected.
OpenX/Revive Adserver Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)revive adserver"}) || service["favicon.ico.image.mmh3"] == "106844876"Description
OpenX login panel was detected. Note that OpenX is now a Revive Adserver.
Openfire Admin Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openfire admin console"}) || any(each(service["html.titles"]), {# matches "(?i)openfire"})Description
Openfire Admin Console login panel was detected.
Openfire Administration Console - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openfire"}) || any(each(service["html.titles"]), {# matches "(?i)openfire admin console"}) || service["http.body"] matches "(?i)welcome to openfire setup"Description
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.
Impact
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the Openfire Administration Console.
Remediation
The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
Opentwrt Login / Configuration Interface
Author: For3stCo1d,TechbrunchFRAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openwrt - luci"})Opentwrt luCI - Admin Login Page
Author: For3stCo1dAdded: Dec 2, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openwrt - luci"})Description
An Opentwrt admin login page was discovered.
Openweb UI Panel - Detect
Author: rxerium,righettodAdded: May 6, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-286484075"Description
OpenWebUI was detected - a platform for running AI on your own terms
Opinio Login Panel - Detect
Author: righettodAdded: Feb 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Opinio"})Description
Opinio login panel was detected.
Opsview Monitor Pro - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Opsview"})Description
Opsview Monitor Pro prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch is vulnerable to unauthenticated local file inclusion and can be exploited by issuing a specially crafted HTTP GET request utilizing a simple bypass.
Impact
An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Upgrade to the latest version of Opsview Monitor Pro to fix the local file inclusion vulnerability.
Optergy Proton/Enterprise Building Management System - Open Redirect
runzero-match
service["product"] matches "(?i)optergy.enterprise"Description
Optergy Proton/Enterprise Building Management System contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
Remediation
Apply the latest security patches or updates provided by Optergy to fix the open redirect vulnerability.
Opto 22 groov - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)<i>groov</i> is a registered trademark of Opto 22.`Description
Opto 22 groov is an IIoT and industrial automation platform providing browser-based
HMI and edge computing capabilities. The groov View and groov Admin interfaces allow
control of industrial devices and data acquisition systems. Exposed instances may
provide unauthenticated access to industrial control panels.
Oracle ADF Faces Deserialization of Untrusted Data Vulnerability
runzero-match
service["product"] matches "(?i)Oracle:WebLogic"Description
Vulnerability in versions 12.2.1.3.0 and 12.2.1.4.0 of the Oracle Application Development
Framework (ADF) component of Oracle Fusion Middleware that allows for unauthenticated
attackers to remotely execute arbitrary code.
Remediation
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Oracle Access Management Login Panel - Detect
Author: righettodAdded: May 29, 2024
runzero-match
service["http.body"] matches "(?i)/oam/pages/css/login_page\\.css" || any(each(service["html.titles"]), {# matches "(?i)oracle access management"})Description
Oracle Access Management login panel was detected.
Oracle Access Manager - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle access management"}) || service["http.body"] matches "(?i)/oam/pages/css/login_page\\.css"Description
The Oracle Access Manager portion of Oracle Fusion Middleware (component: OpenSSO Agent) is vulnerable to remote code execution. Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. This is an easily exploitable vulnerability that allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches provided by Oracle to mitigate this vulnerability.
Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability
runzero-match
service["product"] contains "Oracle:Agile PLM Framework"Description
A vulnerability found within version 9.3.6 of the Oracle Agile PLM Framework allows an unauthenticated
attacker access to critical data or complete access to all Oracle Agile PLM Framework accessible data.
Remediation
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Oracle Application Server Panel - Detect
Author: righettodAdded: Jun 8, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Oracle Containers for J2EE"})Description
Oracle Application Server login panel was detected.
Oracle Business Intelligence Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle business intelligence sign in"})Description
Oracle Business Intelligence default admin credentials were discovered.
Oracle Business Intelligence Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle business intelligence sign in"})Description
Oracle Business Intelligence login panel was detected.
Oracle Business Intelligence Publisher - XML External Entity Injection
runzero-match
service["product"] matches "(?i)oracle.bi.publisher"Description
Oracle Business Intelligence Publisher is vulnerable to an XML external entity injection attack. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise BI Publisher.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information or disrupt the availability of the system.
Remediation
Apply the latest security patches provided by Oracle to fix this vulnerability.
Oracle Business Intelligence/XML Publisher - XML External Entity Injection
runzero-match
service["product"] matches "(?i)oracle.business.intelligence.publisher"Description
Oracle Business Intelligence and XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 are vulnerable to an XML external entity injection attack.
Impact
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server or conduct server-side request forgery (SSRF) attacks.
Remediation
Apply the necessary patches or updates provided by Oracle to fix this vulnerability.
Oracle Commerce Business Control Center Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle commerce"})Description
Oracle Commerce Business Control Center login panel was detected.
Oracle E-Business Suite - Blind SSRF
runzero-match
service["product"] matches "(?i)oracle.application.management.pack"Description
Oracle E-Business Suite, Application Management Pack component (User Monitoring subcomponent), is susceptible to blind server-side request forgery. An attacker with network access via HTTP can gain read access to a subset of data, connect to internal services like HTTP-enabled databases, or perform post requests towards internal services which are not intended to be exposed. Affected supported versions are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, and 12.2.7.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass network restrictions and access internal resources.
Remediation
Apply the necessary patches or updates provided by Oracle to mitigate this vulnerability.
Oracle E-Business Suite - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "E-Business Suite"})Description
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator.
Impact
Unauthenticated attackers can force the Configurator server to make requests to arbitrary URLs, potentially exposing internal services and sensitive data.
Remediation
Apply the Oracle security patches as described in the Oracle security alert for E-Business Suite.
Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
runzero-match
service["product"] matches "(?i)oracle.applications.framework"Description
The Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (lists of values, datepicker, etc.)) is impacted by open redirect issues in versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. These easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data.
Impact
Attackers can redirect users to malicious sites for phishing attacks, malware distribution, or credential theft.
Remediation
Apply the necessary patches or updates provided by Oracle to fix the open redirect vulnerability.
Oracle E-Business Suite 12.2.3–12.2.14 – Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)E-Business Suite"})Description
Oracle Concurrent Processing 12.2.3-12.2.14 contains a remote code execution caused by unauthenticated network access via HTTP, letting unauthenticated attackers fully compromise the system, exploit requires network access via HTTP.
Impact
Unauthenticated attackers can fully compromise Oracle Concurrent Processing, leading to complete system takeover.
Remediation
Update to the latest available version beyond 12.2.14.
Oracle E-Business Suite <=12.2 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" \"x-oracle-dms-ecid"}) || service["http.body"] matches "(?i)oracle uix"Description
Oracle E-Business Suite (component: Manage Proxies) 12.1 and 12.2 are susceptible to an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise it by self-registering for an account. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the Oracle E-Business Suite application.
Remediation
Apply the necessary security patches or updates provided by Oracle to mitigate this vulnerability.
Oracle E-Business Suite Login Panel - Detect
Author: righettodAdded: May 21, 2024
runzero-match
service["http.body"] matches "(?i)Oracle UIX"Description
Oracle E-Business Suite login panel was detected.
Oracle Forms & Reports RCE (CVE-2012-3152 & CVE-2012-3153)
runzero-match
any(each(service["html.titles"]), {# matches "(?i)weblogic"}) || service["http.body"] matches "(?i)weblogic application server"Description
An unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4,
11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown
vectors related to Report Server Component.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution.
Remediation
Apply the necessary patches and updates provided by Oracle to mitigate this vulnerability.
Oracle Fusion - Directory Traversal/Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle business intelligence sign in"})Description
Oracle Business Intelligence Enterprise Edition 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0 are vulnerable to local file inclusion vulnerabilities via "getPreviewImage."
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files, execute arbitrary code, or gain unauthorized access to the system.
Remediation
Apply the latest security patches and updates provided by Oracle to fix this vulnerability.
Oracle Fusion Middleware WebLogic Server Administration Console - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
The Oracle Fusion Middleware WebLogic Server admin console in versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is vulnerable to an easily exploitable vulnerability that allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the necessary patches or updates provided by Oracle to mitigate this vulnerability.
Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "oracle peoplesoft sign-in"})Description
The Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2 is susceptible to a difficult to exploit vulnerability that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
Remediation
Apply the necessary patches or updates provided by Oracle to fix this vulnerability.
Oracle Identity Manager REST WebServices - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle access management"})Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager.
Impact
Allows unauthenticated attacker to fully compromise Oracle Identity Manager via HTTP(S), leading to complete loss of confidentiality, integrity, and availability.
Remediation
Apply the latest security updates released by Oracle as referenced in the October 2025 Critical Patch Update.
Oracle Integrated Lights Out Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Oracle\\(R\\) Integrated Lights Out Manager"})Description
Oracle Integrated Lights Out Manager login panel was detected.
Oracle Opera Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Oracle Opera"})Oracle PeopleSoft - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Oracle PeopleSoft Sign-in"})Description
Oracle PeopleSoft contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Oracle PeopleSoft Enterprise Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft enterprise"})Description
Oracle PeopleSoft Enterprise login panel detected.
Oracle PeopleSoft Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Oracle PeopleSoft Sign-in"})Description
Oracle PeopleSoft login panel was detected.
Oracle Peoplesoft - Unauthenticated File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft enterprise"})Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component- Portal). Supported versions that are affected are 8.59 and 8.60. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data.
Impact
Unauthenticated attackers can read arbitrary files from the PeopleSoft server through the wsrp-url parameter in the Portal component, potentially accessing critical data including configuration files and sensitive employee information.
Remediation
Update Oracle PeopleSoft Enterprise PeopleTools to a version newer than 8.60 that validates and restricts file:// URLs in the wsrp-url parameter.
Oracle Retail Xstore Suite - Pre-authenticated Path Traversal
runzero-match
service["http.body"] matches "(?i)xstoremgwt"Description
Vulnerability in the Oracle Retail Xstore Office product of Oracle Retail Applications (component: Security). Supported versions that are affected are 19.0.5, 20.0.3, 20.0.4, 22.0.0 and 23.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Xstore Office. While the vulnerability is in Oracle Retail Xstore Office, attacks may significantly impact additional products (scope change).
Impact
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Retail Xstore Office accessible data.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Oracle WebLogic Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
Oracle WebLogic login panel was detected.
Oracle WebLogic Server - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
Oracle WebLogic Server (Oracle Fusion Middleware (component: WLS Core Components) is susceptible to a remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 2.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability could allow unauthenticated attackers with network access via IIOP to compromise Oracle WebLogic Server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches provided by Oracle to mitigate this vulnerability.
Oracle WebLogic Server - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"}) and service["service.transport"] contains "tcp" and service["protocol"] contains "http"Description
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 contain an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Install the suitable patch as per the Oracle Critical Patch Update advisory
Oracle WebLogic Server - Remote Command Execution
runzero-match
service["http.body"] matches "Weblogic Application Server"Description
Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised machine without entering necessary credentials. See also CVE-2020-14882, which is addressed in the October 2020 Critical Patch Update.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the WebLogic server.
Remediation
Apply the latest security patches provided by Oracle to mitigate this vulnerability.
Oracle WebLogic Server - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)weblogic"}) || service["http.body"] matches "(?i)weblogic application server"Description
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Versions that are affected are 10.3.6.0.0 and 12.1.3.0.0.
Impact
Unauthenticated attackers can compromise Oracle WebLogic Server via the Web Services component, potentially leading to complete server takeover and unauthorized access to sensitive data.
Remediation
Apply the latest security patches provided by Oracle to fix the vulnerability and ensure proper input validation and sanitization of XML data.
Oracle WebLogic Server - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "oracle peoplesoft sign-in"})Description
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the WebLogic server.
Remediation
Apply the latest security patches provided by Oracle to fix this vulnerability. Additionally, restrict network access to the WebLogic server and implement strong authentication mechanisms.
Oracle WebLogic Server Java Object Deserialization - Remote Code Execution
runzero-match
service["product"] matches "(?i)oracle.weblogic" and service["service.transport"] contains "tcp"Description
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.
Impact
Unauthenticated attackers can exploit deserialization vulnerabilities in WLS Core Components through T3 protocol to execute arbitrary code and completely compromise Oracle WebLogic Server installations.
Remediation
Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016.
Oracle WebLogic Server Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.
Impact
An attacker can read sensitive files containing credentials, configuration details, or other sensitive information.
Remediation
Apply the latest security patches provided by Oracle to fix the vulnerability.
Oracle WebLogic UDDI Explorer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
Oracle WebLogic UDDI Explorer panel was detected.
Oracle Weblogic - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Weblogic"})Description
An unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass network restrictions and access internal resources.
Remediation
Apply the latest patches and updates provided by Oracle to fix the SSRF vulnerability
Oracle Weblogic Server - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "oracle peoplesoft sign-in"})Description
Oracle WebLogic Server contains an easily exploitable remote command execution vulnerability which allows unauthenticated attackers with network access via HTTP to compromise the server.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the affected application.
Remediation
Apply the latest security patches provided by Oracle to fix the vulnerability.
Oracle iPlanet Web Server 7.0.x - Image Injection
runzero-match
service["product"] matches "(?i)Oracle.iPlanet.Web.Server"Description
Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516.
Impact
Attackers can inject malicious images into the admin console, potentially leading to social engineering, phishing attacks, or interface manipulation.
Remediation
Oracle iPlanet Web Server 7.0.x is no longer supported. Migrate to a supported platform or restrict network access to the administration console.
Orange Forum 1.4.0 - Open Redirect
runzero-match
service["product"] matches "(?i)goodoldweb.orange.forum"Description
Orange Forum 1.4.0 contains an open redirect vulnerability in views/auth.go via the next parameter to /login or /signup. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Upgrade to a patched version of Orange Forum or apply the necessary security patches to fix the open redirect vulnerability.
Orchard 'ReturnUrl' Parameter URI - Open Redirect
runzero-match
service["product"] matches "(?i)orchardproject.orchard"Description
Open redirect vulnerability in Users/Account/LogOff in Orchard 1.0.x before 1.0.21, 1.1.x before 1.1.31, 1.2.x before 1.2.42, and 1.3.x before 1.3.10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the ReturnUrl parameter.
Impact
An attacker can craft a malicious URL to redirect users to a malicious website, leading to phishing attacks.
Remediation
Validate and sanitize user input for the 'ReturnUrl' parameter to prevent open redirect vulnerabilities.
Orchid Core VMS Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)orchid core vms"})Description
Orchid Core VMS panel was detected.
Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/order-delivery-date-for-woocommerce"Description
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.
Impact
Unauthenticated attackers can modify WordPress options to enable user registration with administrator role, allowing complete site takeover without authentication.
Remediation
Update to version 12.3.1 or later.
OurMGMT3 Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OurMGMT3"})Description
OurMGMT3 admin login panel was detected.
OutBack Power Mate3s Gateway - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Outback Power"})Description
OutBack Power Mate3s is a system hub and gateway for OutBack FX-series inverter-chargers
used in off-grid, grid-hybrid, and battery backup solar power systems.
The built-in web interface exposes system status, battery metrics, and inverter data.
OutSystems Service Center Login Panel - Detect
Author: righettodAdded: Apr 2, 2024
runzero-match
service["http.body"] matches "(?i)outsystems"Description
OutSystems Service Center login panel was detected.
Outline Panel - Detect
Author: ChrisJr404Added: May 4, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "811213058" || any(each(service["html.titles"]), {# matches "(?i)Outline"})Description
Outline (getoutline.com / github.com/outline/outline) is a popular open-source team knowledge base / wiki, often self-hosted as a Notion alternative. Exposed self-hosted instances may reveal team documents and provide a path to login enumeration if SSO is misconfigured.
OwnCloud - Phpinfo Configuration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)owncloud"})Description
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.
Impact
Unauthenticated attackers can access phpinfo configuration details exposing sensitive credentials including admin passwords, mail server credentials, and license keys in containerized deployments.
Remediation
Upgrade ownCloud graphapi to version 0.2.1 or 0.3.1 or later, and remove or secure the GetPhpInfo.php file.
Owncast - Default Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Owncast"})Description
Detected Owncast using default admin credentials admin:abc123. The admin API was accessible via HTTP Basic authentication, allowing full server configuration access.
Owncast - Server Side Request Forgery
runzero-match
service["http.body"] matches "owncast"Description
Server-Side Request Forgery (SSRF) in GitHub repository owncast/owncast prior to 0.1.0.
Impact
Unauthenticated attackers can exploit SSRF through the account parameter in the remotefollow API to probe internal network services and potentially access sensitive internal resources.
Remediation
Update Owncast to version 0.1.0 or later that validates federated account addresses and restricts remote follow requests to authorized domains only.
PAHTool Login Panel - Detect
Author: righettodAdded: Mar 9, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PAHTool"})Description
PAHTool login panel was detected.
PAN-OS Management Interface - Path Confusion to Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-631559155"Description
A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header.
Impact
Unauthenticated attackers can exploit path confusion between Nginx and Apache to bypass authentication completely, gaining unauthorized access to the PAN-OS management interface and potentially compromising the entire firewall infrastructure.
Remediation
Upgrade to the patched version of PAN-OS as specified in the vendor security advisory.
PAN-OS Management Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "873381299"Description
PAN-OS management panel was detected.
PAN-OS Management Web Interface - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-631559155"Description
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities
Impact
Unauthenticated attackers with network access to the management interface can bypass authentication to gain full administrator privileges, allowing them to tamper with configurations, exploit additional vulnerabilities, and completely compromise the Palo Alto firewall and connected networks.
Remediation
Upgrade to the latest patched version of PAN-OS as specified in the vendor security advisory.
PAN-OS Management Web Interface - Command Injection
runzero-match
service["product"] matches "(?i)paloaltonetworks.pan.os"Description
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Impact
Authenticated administrators with access to the management web interface can escalate privileges to execute commands with root privileges on the PAN-OS firewall, achieving complete system control and bypassing security controls.
Remediation
Apply security updates from Palo Alto Networks to address the privilege escalation and command injection vulnerability in the PAN-OS management web interface.
PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Arbitrary File Download
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"Description
The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Impact
Unauthenticated attackers can exploit path traversal to read arbitrary files on the server, potentially exposing sensitive configuration files, wp-config.php containing database credentials, and other critical system files.
Remediation
Update PDF Generator Addon for Elementor Page Builder plugin to a version later than 1.7.5 that properly validates and sanitizes file paths in the rtw_pgaepb_dwnld_pdf function.
PDI Intellifuel - Device Page
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["http.body"] matches "(?i)PDI Intellifuel"PHP CGI - Argument Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)php warning\" \\|\\| \"fatal error"})Description
PHP CGI - Argument Injection (CVE-2024-4577) is a critical argument injection flaw in PHP.
Impact
Successful exploitation could lead to remote code execution on the affected system.
Remediation
Apply the vendor-supplied patches or upgrade to a non-vulnerable version.
PHP LDAP Admin Panel - Detect
Author: ritikchaddha,DhiyaneshDkAdded: Sep 12, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpLDAPadmin"})PHP Login System 2.0.1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)klik_loginsystem"Description
msaad1999's PHP-Login-System 2.0.1 contains a reflected cross-site scripting caused by unsanitized input in 'validator' parameter in /reset-password, letting remote attackers execute arbitrary JavaScript in a user's browser, exploit requires attacker to craft malicious URL
Impact
Attackers can execute arbitrary JavaScript in users' browsers, potentially stealing cookies or session tokens.
Remediation
Implement proper input validation and output encoding for the 'validator' parameter.
PHPCI Configuration Exposure "phpci.yml" Exposure
Author: DhiyaneshDkAdded: Dec 16, 2025
runzero-match
service["http.body"] matches "(?i)phpci\\.yml"Description
PHPCI Configuration "phpci.yml" File was exposed.
PHPCMS 2008 - Remote Code Execution via Template Injection
runzero-match
service["http.body"] matches "(?i)Powered by phpcms"Description
PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
Impact
Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, potentially taking full control.
Remediation
The vendor is unresponsive and PHPCMS 2008 is no longer maintained. Users are advised to stop using this software or restrict public access to it.
PHPGurukul Hospital Management System 4.0 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Hospital Management System"})Description
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\user-login.php. Remote unauthenticated users can exploit the vulnerability to obtain sensitive database information.
Impact
Successful exploitation allows attackers to access sensitive data from the database, potentially leading to data leakage and further compromise of the application.
Remediation
Upgrade to the latest version or apply proper input sanitization and parameterized queries to mitigate this vulnerability.
PHPIPAM <v1.5.1 - Missing Authorization
runzero-match
service["http.body"] matches "(?i)phpipam ip address management"Description
In phpIPAM 1.5.1, an unauthenticated user could download the list of high-usage IP subnets that contains sensitive information such as a subnet description, IP ranges, and usage rates via find_full_subnets.php endpoint. The bug lies in the fact that find_full_subnets.php does not verify if the user is authorized to access the data, and if the script was started from a command line.
Impact
Unauthenticated attackers can access sensitive network information including IP subnet descriptions, ranges, and usage rates through the find_full_subnets.php endpoint without authorization.
Remediation
Update phpIPAM to version 1.5.1 or later that implements proper authorization checks in find_full_subnets.php before returning subnet information.
PHPJabbers Food Delivery Script - SQL Injection
runzero-match
service["http.body"] matches "(?i)PHPJabbers"Description
PHPJabbers Food Delivery Script 3.0 has a SQL injection (SQLi) vulnerability in the "q" parameter of index.php.
Impact
Unauthenticated attackers can exploit SQL injection in the q parameter to extract sensitive database information including customer orders, payment details, delivery addresses, and admin credentials from the Food Delivery platform.
Remediation
Update PHPJabbers Food Delivery Script to a version newer than 3.0 that properly sanitizes the q parameter and uses parameterized queries.
PHPJabbers Food Delivery Script v3.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)PHPJabbers"Description
PHPJabbers Food Delivery Script v3.0 is vulnerable to SQL Injection in the "column" parameter of index.php.
Impact
Unauthenticated attackers can exploit SQL injection in the column parameter to extract sensitive database information including customer orders, payment details, delivery addresses, and admin credentials from the Food Delivery platform.
Remediation
Update PHPJabbers Food Delivery Script to a version newer than 3.0 that properly sanitizes the column parameter and uses parameterized queries.
PHPJabbers Shuttle Booking Software 1.0 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)php jabbers\\.com"Description
The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials.
Impact
Unauthenticated attackers can inject malicious JavaScript through URL parameters, potentially stealing session tokens and login credentials of shuttle booking system administrators and customers.
Remediation
Update PHPJabbers Shuttle Booking Software to a version newer than 1.0 that properly sanitizes URL parameters in the admin login functionality.
PHPJabbers Taxi Booking 2.0 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)php jabbers\\.com"Description
A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be launched remotely.
Impact
Unauthenticated attackers can inject malicious JavaScript through the index parameter, potentially stealing booking information and user credentials from the Taxi Booking platform.
Remediation
Update PHP Jabbers Taxi Booking to a version newer than 2.0 that properly sanitizes the index parameter and encodes output to prevent XSS attacks.
PHPMailer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PHP Mailer"})Description
PHPMailer panel was detected.
PMB 7.4.6 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1469328760"Description
PMB 7.4.6 contains a cross-site scripting vulnerability via the query parameter at /admin/convert/export_z3950_new.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of PMB.
PMB 7.4.6 - Open Redirect
runzero-match
service["favicon.ico.image.mmh3"] == "1469328760"Description
PMB v7.4.6 contains an open redirect vulnerability via the component /opac_css/pmb.php. An attacker can redirect a user to an external domain via a crafted URL and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Upgrade PMB to a version that has addressed the open redirect vulnerability (CVE-2023-24735).
PRONOTE Login Panel - Detect
Author: righettodAdded: Nov 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PRONOTE"})Description
PRONOTE products was detected.
PRTG Network Monitor - Hardcoded Credentials
runzero-match
service["favicon.ico.image.mmh3"] == "-655683626"Description
PRTG Network Monitor contains a hardcoded credential vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
PTC ThingWorx - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Thingworx"})Description
PTC ThingWorx is an Industrial IoT (IIoT) platform for building and deploying
connected industrial applications, machine monitoring, and remote service solutions.
Exposed instances may provide unauthenticated access to IIoT dashboards and
connected device management interfaces.
Pair Drop Panel - Detect
Author: rxeriumAdded: Feb 3, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PairDrop"})Description
Local file sharing in your browser. Inspired by Apple's AirDrop. Fork of Snapdrop.
Palo Alto Expedition - Admin Account Takeover
runzero-match
service["favicon.ico.image.mmh3"] == "1499876150"Description
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Impact
Attackers with network access can exploit missing authentication to takeover Expedition admin accounts without credentials.
Remediation
Update Palo Alto Networks Expedition to the latest version that patches CVE-2024-5910 as specified in the Palo Alto security advisory.
Palo Alto Expedition - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1499876150"Description
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
Impact
Unauthenticated attackers can exploit SQL injection to reveal Expedition database contents including password hashes, usernames, device configurations, and API keys, and create or read arbitrary files on the system.
Remediation
Apply security updates from Palo Alto Networks as specified in security advisory PAN-SA-2024-0010 to address the SQL injection vulnerability in Expedition.
Palo Alto Expedition Project Login - Detect
Author: johnk3rAdded: Oct 10, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1499876150"Description
Palo Alto Expedition Project login panel was detected.
Palo Alto Network PAN-OS - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-631559155"Description
Palo Alto Network PAN-OS and Panorama before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches and updates provided by Palo Alto Networks.
Palo Alto Networks Expedition - OS Command Injection
Author: iamnoooob,pdresearchAdded: May 27, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Expedition"})Description
An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.
Impact
Unauthenticated attackers can execute arbitrary OS commands on Palo Alto Networks Expedition servers, leading to disclosure of sensitive firewall credentials, configurations, and API keys that could compromise all connected PAN-OS firewalls.
Remediation
Upgrade to the latest patched version of Palo Alto Networks Expedition as specified in the vendor security advisory.
Palo Alto Networks PAN-OS Default Login
runzero-match
any(each(service["html.bodies"]), {# contains "window.Pan = window.Pan || {}"})Description
Palo Alto Networks PAN-OS application default admin credentials were discovered.
PaloAlto Networks Expedition - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1499876150"Description
An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Impact
Successful exploitation could result in unauthorized access and control of the affected device.
Remediation
Apply the necessary security patches provided by Palo Alto Networks to mitigate the CVE-2024-9463 vulnerability.
Pandora FMS Mobile Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pandora fms"})Description
Pandora FMS Mobile Console login panel was detected.
Pandora v7.0NG.777.3 - Remote Code Execution
runzero-match
service["http.body"] matches "pandora fms - installation wizard"Description
Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism.This issue affects Pandora FMS- from 700 through <=777.4
Impact
Authenticated attackers can execute arbitrary commands via command injection in the LDAP authentication mechanism, leading to complete system compromise.
Remediation
Upgrade Pandora FMS to version 777.5 or later.
PaperCut - Unauthenticated Remote Code Execution
runzero-match
service["http.body"] matches "PaperCut"Description
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
PaperCut < 22.1.3 - Path Traversal
runzero-match
service["http.body"] matches "(?i)content=\"papercut" || service["http.body"] matches "(?i)papercut" || any(each(service["html.titles"]), {# matches "(?i)papercut"})Description
PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.
Impact
An attacker can exploit this vulnerability to access sensitive files, potentially leading to unauthorized disclosure of information or remote code execution.
Remediation
Upgrade PaperCut to version 22.1.3 or later to mitigate the vulnerability.
PaperCut NG Unauthenticated XMLRPC Functionality
runzero-match
service["http.body"] matches "(?i)content=\"papercut" || service["http.body"] matches "(?i)'content=\"papercut'"Description
PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.
Impact
Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to sensitive information.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Papercut - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Papercut"})Description
Papercut is susceptible to Log4j JNDI remote code execution. Papercut is a print management system.
Paperless-ngx Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Paperless-ngx"})Description
Detected Paperless-ngx was a self-hosted document management platform for scanning, OCR-ing and tagging paper documents.
Parallels H-Sphere 3.6.1713 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)h-sphere"})Description
Parallels H-Sphere 3.6.1713 contains a cross-site scripting vulnerability via the index_en.php 'from' parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patch or upgrade to a newer version of Parallels H-Sphere to mitigate the XSS vulnerability.
Parallels H-Sphere Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)parallels h-sphere"}) || any(each(service["html.titles"]), {# matches "(?i)h-sphere"})Description
Parallels H-Sphere login panel was detected.
Parse Dashboard Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)parse dashboard"})Description
Parse Dashboard login panel was detected.
Parse Server - GraphQL Schema Information Disclosure
Author: securitytatersAdded: Jul 20, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)parse server\" \\|\\| \"parse-server"})Description
The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface.
Impact
Unauthenticated attackers can access GraphQL schema metadata without authentication, potentially expanding the attack surface through exposure of API structure and query capabilities.
Remediation
Upgrade Parse Server to the latest version that requires authentication for GraphQL schema introspection.
Pascom CPS Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)pascom.cloud.phone.system"Description
Pascom versions before 7.20 packaged with Cloud Phone System contain a known server-side request forgery vulnerability.
Impact
The vulnerability can result in unauthorized access to sensitive data or systems, potentially leading to further exploitation or compromise.
Remediation
Apply the latest security patches or updates provided by Pascom to fix the Server-Side Request Forgery vulnerability (CVE-2021-45967).
Passbolt Login Panel
Author: righettodAdded: Feb 5, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Passbolt \\| Open source password manager for teams"})Description
Passbolt login panel was detected.
Payment Gateway for Telcell < 2.0.4 - Open Redirect
runzero-match
service["http.body"] contains "/wp-content/plugins/payment-gateway-for-telcell"Description
The plugin does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue
Impact
Unauthenticated attackers can exploit open redirect through the api_url parameter to redirect users to malicious websites for phishing attacks.
Remediation
Fixed in 2.0.4
Payroll Management System Web Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Admin \\| Employee's Payroll Management System"})Description
Payroll Management System Web login panel was detected.
Pega - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Pega"})Description
Pega is susceptible to Log4j JNDI remote code execution. Pega provides a powerful low-code platform that empowers the world's leading enterprises to Build for Change.
Pega Infinity Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pega platform"})Description
Pega Infinity login panel was detected.
Pelco Sarix - Default Login
runzero-match
asset["hw"] matches "(i)Pelco Sarix"Description
Pelco Sarix camera default login credentials (admin/admin) were discovered using Digest Authentication.
Pentaho Default Login
runzero-match
any(each(service["html.titles"]), {# matches "^Pentaho User Console"})Description
Pentaho default admin credentials were discovered.
Perforce Repository Disclosure
Author: DhiyaneshDkAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)Perforce"Description
Detected an exposed .p4ignore file, which could have revealed ignored files, sensitive paths, or developer-specific information useful for further enumeration.
Perplexica Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Perplexica"})Description
Perplexica is an open-source AI-powered search engine that uses SearXNG to search
the web and provides AI-generated answers.
Persis Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Persis"})Description
Persis panel was detected,
Personal Weather Station Dashboard 12 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PWS Dashboard"})Description
Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
Impact
Unauthenticated attackers can read arbitrary files including private SSL keys through directory traversal in the test parameter, potentially exposing sensitive cryptographic material.
Remediation
Upgrade Personal Weather Station Dashboard to a version later than 12_lts that properly validates file paths.
Phabricator Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)phabricator-standard-page"Description
Phabricator login panel was detected.
Phoenix Contact CHARX SEC-3XXX AC Charging Controller Panel - Detect
Author: inokiiAdded: Jul 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Phoenix Contact - CHARX"})Description
Phoenix Contact CHARX SEC-3XXX AC Charging Controller panel was detected.
Phoenix Contact CHARX SEC-3XXX AC Charging Controller REST API - Detect
Author: inokiiAdded: Jul 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Phoenix Contact - CHARX"})Description
Phoenix Contact CHARX SEC-3XXX AC Charging Controller REST API was detected.
Phoenix Contact CHARX SEC-3XXX AC Controller < 1.7.3 - Multiple Vulnerabilities
Author: inokiiAdded: Sep 11, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Phoenix Contact - CHARX"})Description
Multiple vulnerabilities exist in Phoenix Contact CHARX SEC-3XXX AC Controller versions prior to 1.7.3. Successful exploitation may allow attackers to bypass authentication, disclose sensitive information, or execute arbitrary code.
Phoenix Framework - Open Redirect
runzero-match
service["product"] matches "(?i)phoenixframework.phoenix"Description
Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 contain an open redirect vulnerability, which may result in phishing or social engineering attacks.
Impact
An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks.
Remediation
Apply the latest security patches or upgrade to a patched version of the Phoenix Framework.
Phoronix Test Suite Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phoronix-test-suite"})Description
Phoronix Test Suite panel was detected.
Photo Gallery by 10Web < 1.6.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/photo-gallery"Description
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
Remediation
This is resolved in release 1.6.0.
PhotoPrism Panel - Detect
Author: rxerium,ritikchaddhaAdded: Aug 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PhotoPrism"})Description
PhotoPrism is an AI-powered photos app for the decentralized web. This template detects the presence of PhotoPrism login panel.
PhpMyAdmin - Unauthenticated Access
Author: pwnhxlAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)server_databases\\.php"Description
Unauthenticated Access to phpmyadmin dashboard.
PhpMyAdmin <4.8.2 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpmyadmin"})Description
PhpMyAdmin before version 4.8.2 is susceptible to local file inclusion that allows an attacker to include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Impact
An attacker can exploit this vulnerability to read arbitrary files on the server.
Remediation
Upgrade PhpMyAdmin to version 4.8.2 or later to fix the vulnerability.
PhpMyAdmin Scripts - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpmyadmin"})Description
PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the affected system.
Remediation
Update PhpMyAdmin to the latest version or apply the necessary patches.
Pichome 2.1.0 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PicHome"})Description
A vulnerability, which was classified as critical, was found in zyx0814 Pichome 2.1.0. This affects an unknown part of the file /index.php?mod=textviewer. The manipulation of the argument src leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Impact
Unauthenticated attackers can read arbitrary files from the server through path traversal in the src parameter, potentially exposing sensitive configuration files, credentials, and user data.
Remediation
Upgrade to Pichome version 2.1.1 or later that properly validates file paths.
Pichome Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "933976300"Description
Pichome login panel was detected.
Pimcore Admin Login - Panel Detect
runzero-match
service["http.body"] matches "(?i)Welcome to Pimcore!"Description
Pimcore admin login interface was discovered.
Piwigo - User Enumeration via Password Reset
runzero-match
service["http.body"] matches "(?i)Piwigo"Description
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available.
Impact
Unauthenticated attackers can enumerate valid usernames or email addresses, aiding further targeted attacks.
Remediation
Update to the latest version when available or apply mitigations to unify response messages.
Piwigo Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "540706145"Description
Piwigo login panel was detected.
PlaceOS 1.2109.1 - Open Redirection
runzero-match
service["product"] matches "(?i)place.placeos.authentication"Description
PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Apply the latest security patch or update to PlaceOS 1.2109.2 or higher to fix the open redirection vulnerability.
Planet eStream Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - planet estream"})Description
Planet eStream login panel was detected.
Plausible Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
service["http.body"] matches "(?i)Plausible"Description
Plausible is intuitive, lightweight and open source web analytics.
Plesk End-of-Life - Detect
Author: Shivam KambojAdded: Mar 2, 2026
runzero-match
service["http.head.xPoweredByPlesk"] != ""Description
Detected Plesk versions that have reached End-of-Life (EOL) and no longer receive security updates.
Plesk Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)plesk onyx"Description
Plesk login panel was detected.
Plesk Obsidian Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)plesk obsidian" || any(each(service["html.titles"]), {# matches "(?i)plesk obsidian"})Description
Plesk Obsidian login panel was detected.
Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
runzero-match
service["product"] matches "(?i)posimyth.the.plus.addons"Description
WordPress Plus Addons for Elementor Page Builder before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an open redirect issue.
Impact
This vulnerability can be exploited by attackers to trick users into visiting malicious websites, leading to potential phishing attacks or the execution of other malicious activities.
Remediation
Upgrade Plus Addons for Elementor Page Builder to version 4.1.10 or later to mitigate the vulnerability.
PocketBase Panel - Detect
Author: userdehghaniAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "981081715"Description
PocketBase Login panel was discovered.
Polarion Siemens Login - Panel
Author: Th3l0newolfAdded: May 17, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-1135703796" || service["favicon.ico.image.mmh3"] == "707299418"Description
Detects the exposed Polarion Siemens login page.
Polarisft Intellect Core Banking Software Version 9.7.1 - Open Redirect
runzero-match
service["product"] matches "(?i)polarisft.intellect.core.banking"Description
Polarisft Intellect Core Banking Software Version 9.7.1 is susceptible to an open redirect issue in the Core and Portal modules via the /IntellectMain.jsp?IntellectSystem= URI.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Polarisft to fix the open redirect vulnerability.
Polycom HDX - Web Interface Exposure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Polycom HDX"})Description
Detecetd Polycom HDX video conferencing system web interface, potentially allowing unauthorized access to device configuration and video calls.
Polynote Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Polynote"})Description
Polynote is a polyglot notebook supporting Scala, Python, SQL, and Spark with a rich UI
Popup-Maker < 1.8.12 - Broken Authentication
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/popup-maker/"Description
An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").
Impact
Unauthenticated attackers can gain administrative access to the WordPress site.
Remediation
Update Popup-Maker plugin to version 1.8.12 or later.
Portainer - Init Deploy Discovery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Portainer"})Description
Portainer initialization deployment files were discovered.
Portainer Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)portainer"})Portal API - Server Side Request Forgery
runzero-match
service["http.body"] matches "/_proxy/api/v3/"Description
A Server-Side Request Forgery (SSRF) vulnerability in the Portal API endpoint by injecting a crafted X-Portal-Context-Origin header.
Portal do Software Publico Brasileiro i3geo 7.0.5 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)i3geo"Description
Portal do Software Publico Brasileiro i3geo 7.0.5 is vulnerable to local file inclusion in the component codemirror.php, which allows attackers to execute arbitrary PHP code via a crafted HTTP request.
Impact
An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
Remediation
Apply the latest patch or upgrade to a newer version of i3geo to fix the LFI vulnerability.
Post Grid <= 2.2.50 - Information Exposure via REST API
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/post-grid-combo/"Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid Combo – 36+ Gutenberg Blocks.This issue affects Post Grid Combo – 36+ Gutenberg Blocks: from n/a through 2.2.50.
Impact
Unauthorized actors can access sensitive information, leading to privacy breaches and potential misuse of data.
Remediation
Update to the latest version beyond 2.2.50 or apply available security patches.
PostHog Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)posthog"})Description
PostHog login panel was detected.
Poste.io Admin Panel - Detect
Author: ritikchaddhaAdded: Mar 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Administration login"})Description
Poste.io login panel was detected.
PowerChute Network Shutdown Panel - Detect
Author: DhiyaneshDKAdded: Apr 11, 2024
runzero-match
service["http.body"] matches "(?i)PowerChute Network Shutdown"PowerCom Network Manager
Author: pussycat0xAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PowerCom Network Manager"})PowerJob - Default Login
Author: j4vaovoAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "PowerJob"})Description
PowerJob default login credentials were discovered.
PowerJob <=4.3.2 - Unauthenticated Access
runzero-match
service["http.body"] matches "(?i)powerjob"Description
PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information or perform malicious actions.
Remediation
Upgrade PowerJob to a version higher than 4.3.2 or apply the necessary patches to fix the authentication bypass issue.
PowerJob List - Authorization Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PowerJob"})Description
PowerJob = 5.1.2 contains a broken access control caused by missing authorization in /user/list function, letting remote attackers access unauthorized resources, exploit requires no special privileges.
Impact
Remote attackers can access unauthorized resources, potentially leading to data exposure or privilege escalation.
Remediation
Update to the latest version beyond 5.1.2.
PowerJob Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PowerJob"})Description
PowerJob login panel was detected.
PowerShell Universal - Default Login
Author: ap3rAdded: Jan 17, 2024
runzero-match
service["http.body"] matches "PowerShell Universal"Description
PowerShell Universal default admin credentials were discovered.
Powertek Firmware <3.30.30 - Authorization Bypass
runzero-match
service["http.body"] matches "(?i)powertek"Description
Powertek firmware (multiple brands) before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext.
Impact
An attacker can bypass authentication and gain unauthorized access to the Powertek Firmware, potentially leading to further compromise of the system.
Remediation
Upgrade the Powertek Firmware to version 3.30.30 or higher to mitigate the vulnerability.
Pre-Auth Takeover of Build Pipelines in GoCD
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Create a pipeline - Go\" html:\"GoCD Version"})Description
GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access and control over the build pipelines, potentially resulting in the execution of arbitrary code or unauthorized modifications.
Remediation
Upgrade to version v21.3.0. or later.
PrestaShop < 1.7.6.6 - Information Exposure via Upload Directory
runzero-match
service["product"] contains "PrestaShop:PrestaShop"Description
PrestaShop versions after 1.5.0.0 and before 1.7.6.6 are vulnerable to information exposure through directory listing in the upload directory due to a missing index.php file.
Impact
Attackers can enumerate uploaded files potentially exposing sensitive customer data, invoices, or internal documents.
Remediation
Upgrade to PrestaShop version 1.7.6.6 or later, or add an empty index.php file in the upload directory as a workaround.
PrestaShop Theme Volty CMS Blog - SQL Injection
runzero-match
service["http.body"] matches "(?i)/tvcmsblog"Description
In the module 'Theme Volty CMS Blog' (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
PrestaShop `tshirtecommerce` Module - SQL Injection
runzero-match
service["http.body"] matches "(?i)Prestashop"Description
The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the designer endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database.
Impact
Unauthenticated attackers can execute time-based SQL injection through the parent_id parameter in the designer endpoint to extract the complete PrestaShop database including user credentials and order data.
Remediation
Update the tshirtecommerce module to the latest version and apply all security patches.
PrestaShop fieldpopupnewsletter Module - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)fieldpopupnewsletter"Description
Fieldpopupnewsletter Prestashop Module v1.0.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback parameter at ajax.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential theft of sensitive information, session hijacking, or defacement.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
PrestaShop productsalert - SQL Injection
runzero-match
service["http.body"] matches "(?i)/productsalert"Description
In the module 'Products Alert' (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
PrestaShop xipblog - SQL Injection
runzero-match
service["http.body"] matches "(?i)/xipblog"Description
In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Prestashop posstaticfooter <= 1.0.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)posstaticfooter"Description
Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook().
Impact
Unauthenticated attackers can execute arbitrary SQL commands to extract database contents including customer data, orders, payment information, and administrative credentials from the PrestaShop database.
Remediation
Upgrade to the latest version of the posstaticfooter module from posthemes.
Prettier - Ignore File Disclosure
Author: ritikchaddhaAdded: Dec 26, 2025
runzero-match
service["http.body"] matches "(?i)\\.prettierignore"Description
The .prettierignore file is publicly accessible, potentially revealing project structure, sensitive file paths, and internal directory organization.
Prime Mover < 1.9.3 - Sensitive Data Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/prime-mover"Description
Prime Mover plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.2 via directory listing in the 'prime-mover-export-files/1/' folder. This makes it possible for unauthenticated attackers to extract sensitive data including site and configuration information, directories, files, and password hashes.
Impact
Unauthenticated attackers can exploit directory listing to access export files containing sensitive site configuration data, database information, and password hashes from WordPress Prime Mover installations.
Remediation
Fixed in 1.9.3
Primetek Primefaces 5.x - Remote Code Execution
runzero-match
service["product"] contains "Primetek:Primefaces"Description
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches or upgrade to a newer version of the Primetek Primefaces application.
Prison Management System - SQL Injection Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Prison Management System"})Description
Sql injection vulnerability was found on the login page in Prison Management System
Impact
Attackers can bypass authentication via SQL injection to gain unauthorized administrative access to the Prison Management System.
Remediation
Apply security patches for Prison Management System addressing SQL injection vulnerabilities.
Pritunl - Panel
Author: irshad ahamedAdded: Jul 1, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Pritunl"})Description
Realtime website and application monitoring tool
PrivateGPT - Detect
Author: ritikchaddhaAdded: Aug 16, 2024
runzero-match
service["http.body"] matches "(?i)private gpt"Description
PrivateGPT panel has been detected.
PrivateGPT < 0.5.0 - Open Redirect
runzero-match
service["http.body"] matches "private gpt"Description
An open redirect vulnerability exists in imartinez/privategpt version 0.5.0 due to improper handling of the 'file' parameter. This vulnerability allows attackers to redirect users to a URL specified by user-controlled input without proper validation or sanitization.
Impact
Attackers can craft malicious URLs with the file parameter to redirect users to attacker-controlled sites, potentially leading to phishing attacks or credential theft.
Remediation
Update PrivateGPT to version 0.5.1 or later to address the open redirect vulnerability.
ProFTPD mod_sql - Preauth User Backdoor
runzero-match
service["protocol"] contains "ftp" and service["service.transport"] contains "tcp" and service["banner"] matches "(?i)ProFTPd"Description
ProFTPD mod_sql before 1.3.10rc1 contains a remote code execution caused by unsafe username handling with SQL backend commands in USER request logging expansions, letting remote attackers execute arbitrary code, exploit requires SQL backend allowing commands.
Impact
Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Upgrade to version 1.3.10rc1 or later.
ProcessWire Login - Panel Detect
runzero-match
service["http.body"] matches "(?i)processwire"Description
ProcessWire login panel was detected.
Procore Login - Panel
Author: rxeriumAdded: Aug 14, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1952289652"Prodigy Commerce <= 3.3.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/prodigy-commerce/"Description
Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.
Impact
Unauthenticated attackers can execute arbitrary PHP code, bypass access controls, and access sensitive data, potentially leading to full server compromise.
Remediation
Update to the latest version beyond 3.2.9.
ProfileGrid <= 5.7.8 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/profilegrid-user-profiles-groups-and-communities/"Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.8 due to insufficient escaping on the user supplied 'search' parameter and lack of sufficient preparation on the existing SQL query.
Impact
Attackers can execute arbitrary SQL queries, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to ProfileGrid version 5.7.9 or later.
Progress Kemp Flowmon - Command Injection
runzero-match
service["http.head.server"] matches "Flowmon"Description
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
Impact
Unauthenticated attackers can execute arbitrary system commands through the Flowmon management interface, leading to complete system compromise.
Remediation
Update Progress Kemp Flowmon to version 11.1.14 or 12.3.5 or later.
Progress Kemp LoadMaster - Command Injection
runzero-match
service["http.body"] matches "(?i)LoadMaster"Description
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Impact
Unauthenticated attackers can execute arbitrary system commands through the LoadMaster management interface, leading to complete system compromise.
Remediation
Upgrade to LoadMaster versions 7.2.59.2, 7.2.54.8, or 7.2.48.10 depending on your current version.
Progress Kemp LoadMaster Panel - Detect
Author: rxeriumAdded: Sep 10, 2024
runzero-match
service["http.body"] matches "(?i)Kemp Login Screen"Description
A Progress Kemp LoadMaster panel was detected.
Progress ShareFile Storage Zones Controller - Authentication Bypass
runzero-match
service["product"] contains "Progress Software:ShareFile Storage Zones Controller"Description
Customer Managed ShareFile Storage Zones Controller (SZC) contains an authentication bypass (Execution After Redirect) that allows unauthenticated attackers to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Impact
Unauthenticated attackers can change system configuration and potentially execute remote code, leading to full system compromise.
Remediation
Update ShareFile Storage Zones Controller to version 5.12.4 or later.
Progress Software WhatsUp Gold GetFileWithoutZip Directory Traversal - Remote Code Execution
runzero-match
service["http.body"] matches "WhatsUp Gold"Description
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of GetFileWithoutZip method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account.
Impact
Unauthenticated attackers can exploit directory traversal to read sensitive files and achieve remote code execution.
Remediation
Update Progress WhatsUp Gold to a version that patches CVE-2024-4885.
Project Insight Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)project insight - login"})Description
Project Insight login panel was detected.
ProjectSend Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)provided"Description
ProjectSend login panel was detected.
Prometheus - Open Redirect
runzero-match
service["product"] matches "(?i)prometheus"Description
Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the disclosure of sensitive information.
Remediation
The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)
runzero-match
any(each(service["html.titles"]), {# matches "Blackbox Exporter"})Description
Prometheus Blackbox Exporter through 0.17.0 contains a server-side request forgery caused by unsanitized target parameter in /probe, letting attackers perform SSRF attacks, exploit requires sending crafted target parameter.
Impact
Attackers can perform SSRF attacks, potentially accessing internal services or causing denial of service.
Remediation
Update to version 0.17.1 or later to fix the vulnerability.
Proofpoint Protection Server Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "942678640"Description
Proofpoint Protection Server panel was detected.
Protect WP Admin < 4.0 - Unauthenticated Protection Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/protect-wp-admin"Description
The Protect WP Admin WordPress plugin before version 4.0 disclosed the URL of the admin panel through the redirection of a crafted URL, bypassing the protection offered.
Impact
Unauthenticated attackers can exploit URL redirection to discover the protected admin panel URL and bypass the protection mechanism offered by the plugin.
Remediation
Fixed in 4.0 or later
Proxmox Virtual Environment Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "213144638"Description
Proxmox Virtual Environment login panel was detected.
Pterodactyl Panel - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pterodactyl"}) || service["favicon.ico.image.mmh3"] == "-456405319" || service["favicon.ico.image.mmh3"] == "846001371"Description
Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated.
Impact
With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (.env or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc.
Remediation
Upgrade to Pterodactyl version 1.11.11+. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
Pterodactyl game server - Panel
Author: darsesAdded: Jun 21, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Pterodactyl"}) || service["favicon.ico.image.mmh3"] == "-456405319" || service["favicon.ico.image.mmh3"] == "846001371"Description
Detects Pterodactyl game server management panel.
Pulsar Admin Console Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pulsar admin console"}) || any(each(service["html.titles"]), {# matches "(?i)pulsar admin ui"})Description
Pulsar admin console panel was detected.
Pulsar Admin UI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pulsar admin ui"}) || any(each(service["html.titles"]), {# matches "(?i)pulsar admin console"})Description
Pulsar admin UI panel was detected.
Pulsar360 Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Pulsar Admin"})Description
Pulsar360 admin panel was detected.
Pulse Connect Secure SSL VPN Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)welcome\\.cgi\\?p=logo" || any(each(service["html.titles"]), {# matches "(?i)ivanti connect secure"})Description
Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 all contain an arbitrary file reading vulnerability that could allow unauthenticated remote attackers to send a specially crafted URI to gain improper access.
Impact
An attacker can access sensitive information stored on the system, potentially leading to further compromise.
Remediation
Apply the latest security patches and updates provided by Pulse Secure.
Puppetboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Puppetboard"})Description
Puppetboard panel was detected.
Pure Storage Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pure storage login"})Description
Pure Storage login panel was detected.
PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
runzero-match
service["http.body"] matches "pyload"Description
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the target system.
Remediation
Upgrade PyLoad to a version that is not affected by this vulnerability.
PyLoad Default Login
Author: DhiyaneshDkAdded: Jul 6, 2023
runzero-match
service["http.body"] matches "(?i)pyload"Description
PyLoad Default Credentials were discovered.
PyLoad Login - Panel
Author: DhiyaneshDkAdded: Jul 6, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - pyload"}) || service["http.body"] matches "(?i)pyload" || any(each(service["html.titles"]), {# matches "(?i)pyload"})Description
A Pyload Login was detected.
PyTorch TorchServe SSRF
runzero-match
service["http.body"] matches "Requested method is not allowed, please refer to API document"Description
TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.
Impact
Unauthenticated attackers can load malicious models from arbitrary URLs and write files to disk due to lack of input validation, potentially compromising the PyTorch TorchServe system and accessing internal network resources through SSRF.
Remediation
Update PyTorch TorchServe to version 0.8.2 or later that includes allowed_urls validation and restricts model loading to trusted sources.
Python Flask-Security - Open Redirect
runzero-match
service["product"] matches "(?i)flask.security"Description
Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks or the exploitation of other vulnerabilities.
Remediation
Upgrade to the latest version of Python Flask-Security library to fix the open redirect vulnerability.
Python Flask-Security-Too <=5.3.2 - Open Redirect
runzero-match
service["product"] matches "(?i)flask.security.too"Description
An open redirect vulnerability exists in the python package Flask-Security-Too prior to version 5.3.3. Attackers can abuse the 'next' parameter on the /login and /register routes to redirect unsuspecting users to malicious sites via crafted URLs, which could lead to phishing or other attacks ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-49438)).
Impact
Allows attackers to redirect users to arbitrary sites, potentially leading to phishing, data theft, or user session hijacking.
Remediation
Upgrade Flask-Security-Too to version 5.3.3 or later to mitigate the open redirect vulnerability.
Python Requirements File Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)index of"})Description
Detected Python requirements.txt file. This file contains Python package dependencies and versions that could reveal technology stack, vulnerable package versions, and internal dependencies.
Python Setup Configuration - Exposure
Author: DhiyaneshDkAdded: Dec 16, 2025
runzero-match
service["http.body"] matches "(?i)setup\\.py"Description
Python Setup Configuration "setup.py" File was exposed.
QNAP HBS 3 - Broken Access Control
runzero-match
asset["hw"] matches "(?i)QNAP"Description
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
Impact
Remote attackers can log in without proper authorization, potentially leading to full system compromise or unauthorized data access.
Remediation
Update to the latest versions: v16.0.0415 or later for QTS 4.5.2, v3.0.210412 or later for QTS 4.3.6, v3.0.210411 or later for QTS 4.3.4 and 4.3.3, v16.0.0419 or later for QuTS hero h4.5.1, and v16.0.0419 or later for QuTScloud c4.5.1~c4.5.4.
QNAP Music Station < 5.4.0 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qnap"})Description
An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later
Impact
Unauthenticated attackers can bypass authentication in Music Station to read arbitrary files from the QNAP system including /etc/passwd, potentially accessing sensitive configuration files and user credentials.
Remediation
Update QNAP Music Station to version 5.4.0 or later that implements proper authentication validation in the as_get_file_api.php endpoint.
QNAP Photo Station - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)photo station"}) || any(each(service["html.titles"]), {# matches "(?i)qnap"})Description
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Impact
Unauthenticated attackers can exploit path traversal to access or modify system files, potentially reading sensitive configuration files and credentials.
Remediation
Upgrade to QNAP Photo Station version that addresses this vulnerability or apply vendor-provided patches.
QNAP Photo Station Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)photo station"}) || any(each(service["html.titles"]), {# matches "(?i)qnap"})Description
QNAP Photo Station panel was detected.
QNAP QTS Photo Station External Reference - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qnap"}) || any(each(service["html.titles"]), {# matches "(?i)photo station"})Description
QNAP QTS Photo Station External Reference is vulnerable to local file inclusion via an externally controlled reference to a resource vulnerability. If exploited, this could allow an attacker to modify system files. The vulnerability is fixed in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later.
Impact
An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks.
Remediation
Apply the latest security patches and updates provided by QNAP to fix the local file inclusion vulnerability in QTS Photo Station.
QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)photo station"}) || any(each(service["html.titles"]), {# matches "(?i)qnap"})Description
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of QNAP QTS and Photo Station.
QNAP Turbo NAS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qnap turbo nas"})Description
QNAP QTS login panel was detected.
QVIS NVR/DVR - Remote Code Execution
runzero-match
service["product"] matches "(?i)qvis.dvr.firmware"Description
QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.
Impact
Attackers can execute arbitrary code remotely, potentially leading to full system compromise.
Remediation
Update to the latest version or apply security patches provided by the vendor.
Qlik Sense Enterprise - HTTP Request Smuggling
runzero-match
service["http.body"] matches "(?i)qlik" || service["favicon.ico.image.mmh3"] == "-74348711" || any(each(service["html.titles"]), {# matches "(?i)qlik-sense"})Description
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Impact
Authenticated attackers with low privileges can exploit HTTP request tunneling to escalate privileges and execute malicious requests on the Qlik Sense repository application backend server.
Remediation
Update Qlik Sense Enterprise for Windows to August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, or August 2022 Patch 13 that fixes HTTP request smuggling in the repository application.
Qlik Sense Enterprise - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qlik-sense"}) || service["favicon.ico.image.mmh3"] == "-74348711" || service["http.body"] matches "(?i)qlik"Description
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Impact
Unauthenticated attackers can exploit path traversal to generate anonymous sessions and access unauthorized API endpoints, potentially extracting sensitive business intelligence data and manipulating Qlik Sense dashboards.
Remediation
Update Qlik Sense Enterprise to August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, or August 2022 Patch 13 that properly validates resource paths and enforces authentication.
Qlik Sense Server Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qlik-sense"}) || service["favicon.ico.image.mmh3"] == "-74348711" || service["http.body"] matches "(?i)qlik"Description
Qlik Sense Server panel was detected.
QlikView AccessPoint Login Panel - Detect
Author: righettodAdded: May 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)QlikView - AccessPoint"})Description
QlikView AccessPoint login panel was detected.
QloApps 1.6.0 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qloapps"})Description
An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameters date_from, date_to, and id_product allows a remote attacker to retrieve the contents of an entire database.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
QmailAdmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qmailadmin"})Description
QmailAdmin login panel was detected.
Qualitor <= v8.24 - Server-Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "-1217039701"Description
Qualitor v8.24 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /request/viewValidacao.php.
Impact
Unauthenticated attackers can force the server to make arbitrary requests via SSRF, potentially accessing internal services.
Remediation
Update Qualitor to a version later than 8.24 that patches the SSRF vulnerability.
Qualitor ITSM - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1217039701"Description
Qualitor ITSM login panel was detected.
Quest KACE System Management Appliance 8.0.318 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-463230636"Description
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
Impact
An attacker can execute arbitrary commands on the affected system, potentially leading to complete system compromise, data theft, or further network exploitation.
Remediation
Upgrade to a patched version of Quest KACE System Management Appliance or apply the necessary security patches provided by Quest Software.
Quest Modem Configuration Login - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advanced Setup - Security - Admin User Name & Password"})Description
Quest Modem Configuration login Panel was detected.
Quick.CMS v6.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)Quick\\.Cms v6\\.7"Description
Quick.CMS version 6.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
Quilium Panel - Detect
Author: righettodAdded: Sep 8, 2023
runzero-match
service["http.body"] matches "(?i)CMS Quilium"Description
Quilium CMS Login Panel was detected.
Quiz and Survey Master <= 8.1.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/quiz-master-next"Description
ExpressTech Quiz And Survey Master (versions up to 8.1.4) contains an SQL injection caused by improper neutralization of special elements used in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires user interaction.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of Quiz And Survey Master that addresses this vulnerability.
Qwik - Unauthenticated RCE via server$ Deserialization
runzero-match
service["http.body"] matches "(?i)q:version"Description
Qwik <=1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism, letting unauthenticated attackers execute arbitrary code remotely, exploit requires require() availability at runtime.
Impact
Unauthenticated attackers can execute arbitrary code on the server, leading to full system compromise.
Remediation
Update to version 1.19.1 or later.
RAGFlow Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "RAGFlow"})Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep
document understanding.
RCDevs WebADM Panel - Detect
Author: righettodAdded: Oct 19, 2023
runzero-match
service["http.body"] matches "(?i)WebADM"Description
RCDevs WebADM Login Panel was detected.
RClone RC - Command Injection
runzero-match
service["product"] matches "(?i)rclone"Description
Rclone >= 1.48.0 and < 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment without global HTTP authentication.
Impact
Unauthenticated attackers can execute local commands remotely, potentially leading to full system compromise.
Remediation
Update to version 1.73.5 or later.
RD Web Access Panel - Detect
Author: rxerium,sorrowx3Added: Nov 9, 2023
runzero-match
service["http.body"] matches "(?i)rd web access"Description
RD web access panel was discovered.
RDWeb RemoteApp and Desktop Connections - Web Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RD Web Access"})Description
RDWeb RemoteApp and Desktop Connections does not display.
RG-UAC Ruijie - Password Hashes Leak
Author: ritikchaddha,galogetAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)Get_Verify_Info"Description
Multiple Firewall Devices from vendor Ruijie Networks are affected by an information leakage vulnerability where credentials are included in the source code of the web admin login interface (usernames, roles, MD5 hashes and additional details of each user). Attackers can use this information to illegally access into the vulnerable devices, obtain sensitive device information and change configurations. The vulnerability is identified by CNVD-2021-14536.
RStudio Connect - Open Redirect
runzero-match
service["favicon.ico.image.mmh3"] == "217119619"Description
RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. The vulnerability could allow an attacker to redirect users to malicious websites.
Impact
An attacker can exploit the vulnerability to redirect users to malicious websites, potentially leading to phishing attacks or other security breaches.
Remediation
This issue is fixed in Connect v2023.05. Additionally, for users running Connect v1.7.2 and later, the issue is resolvable via a configuration setting mentioned in the support article.
RStudio Sign In Panel - Detect
Author: DhiyaneshDkAdded: Oct 6, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RStudio Sign In"})Description
RStudio Sign In panel was detected.
RWS WorldServer - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WorldServer"})Description
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint.
Impact
Unauthenticated attackers can bypass all authentication by adding a token parameter with value 02, then upload and execute arbitrary Java code via JAR archives, potentially compromising the translation management system and accessing sensitive multilingual content.
Remediation
Upgrade to RWS WorldServer version 11.7.3 or later that properly validates authentication tokens and restricts API access.
RabbitMQ Default Login
runzero-match
any(each(service["html.titles"]), {# matches "RabbitMQ Management"})Description
RabbitMQ default admin credentials were discovered.
Racksnet Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)My Datacenter - Login"})Description
Racksnet login panel was detected.
Radio Player <= 2.0.82 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "/wp-content/plugins/radio-player"Description
The Radio Player Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.82. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Impact
Unauthenticated attackers can perform server-side request forgery to query and modify internal services, potentially accessing sensitive data from internal networks or cloud metadata services.
Remediation
Update Radio Player plugin to version 2.0.83 or later to address the SSRF vulnerability.
RaidenMAILD Mail Server v.4.9.4 - Path Traversal
runzero-match
service["http.body"] matches "(?i)RaidenMAILD"Description
Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 and before allows a remote attacker to obtain sensitive information via the /webeditor/ component.
Impact
Attackers can traverse directories to obtain sensitive information from the mail server.
Remediation
Update RaidenMAILD to a version later than 4.9.4 that patches the directory traversal vulnerability.
RailsAdmin Dashboard Exposure
Author: 0x_AkokoAdded: Jan 26, 2026
runzero-match
service["http.body"] matches "(?i)RailsAdmin"Description
Detected RailsAdmin dashboard was exposed without proper authentication, allowing unauthorized access to data management interface.
Rainloop WebMail - Default Admin Login
Author: For3stCo1dAdded: Apr 27, 2023
runzero-match
any(each(service["html.bodies"]), {# matches "rainloop/"})Description
Rainloop WebMail default admin login credentials were successful.
Rallly Login - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches `^Login | Rally`})Description
Rallly login interface was discovered.
Rancher Dashboard Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1324930554" || service["favicon.ico.image.mmh3"] == "464587962"Description
Rancher Dashboard was detected.
Rancher Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "464587962"Description
Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes.
Rancher Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "464587962"Description
Rancher login panel was detected.
Rapid7 Nexpose VM Security Console - Detect
Author: johnk3rAdded: Nov 2, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-516760689"Description
Rapid7 Nexpose VM Security Console login panel was detected.
Raritan PDU - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)Raritan PDU`Description
Raritan intelligent PDU web interface panel has been detected.
RaspAP 2.8.7 - Unauthenticated Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1465760059"Description
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
Impact
Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Upgrade to a patched version of RaspAP or apply the vendor-supplied patch to mitigate this vulnerability.
RaspAP <=2.6.5 - Remote Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1465760059"Description
RaspAP 2.6 to 2.6.5 allows unauthenticated attackers to execute arbitrary OS commands via the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";".
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the integrity and confidentiality of the affected system.
Remediation
Upgrade RaspAP to a version higher than 2.6.5 to mitigate the vulnerability.
RaspberryMatic Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-578216669"Description
RaspberryMatic login panel was detected.
Ray API - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)ray dashboard" || service["favicon.ico.image.mmh3"] == "463802404"Description
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.
Impact
Unauthenticated attackers can read any file on the server via the log API endpoint, potentially accessing sensitive configuration files, credentials, and application data.
Remediation
Update Ray to a patched version that properly validates file paths in the logs endpoint.
Ray Static File - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "463802404" || service["http.body"] matches "(?i)ray dashboard"Description
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.
Impact
Unauthenticated attackers can read any file on the server via path traversal in the /static/ directory, potentially exposing sensitive configuration files and credentials.
Remediation
Update Ray to a patched version that restricts static file access.
Rclone RC - Broken Access Control
runzero-match
service["http.head.server"] matches "(?i)^rclone"Description
Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability caused by unauthenticated access to the RC endpoint `options/set` allowing mutation of global runtime configuration, letting unauthenticated attackers access sensitive administrative functions, exploit requires RC server started without global HTTP authentication.
Impact
Unauthenticated attackers can access sensitive administrative functions, potentially leading to full control over the RC server configuration and operations.
Remediation
Upgrade to version 1.73.5 or later.
ReCrystallize Server - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ReCrystallize"})Description
This vulnerability allows an attacker to bypass authentication in the ReCrystallize Server application by manipulating the 'AdminUsername' cookie. This gives the attacker administrative access to the application's functionality, even when the default password has been changed.
Impact
Unauthenticated attackers can bypass authentication by manipulating the AdminUsername cookie to gain administrative access to ReCrystallize Server.
Remediation
Update ReCrystallize Server to a patched version that addresses CVE-2024-26331.
React Server Components - Remote Code Execution
Author: DhiyaneshDk,princechaddha,assetnote,lachlan2k,maple3142,iamnooobAdded: Dec 4, 2025CWE-502CVE-2025-55182
runzero-match
service["http.head.xPoweredBy"] matches `(?i)Next\.js`Description
React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including react-server-dom-parcel,
react-server-dom-turbopack, and react-server-dom-webpack contain a remote code execution caused
by unsafe deserialization of payloads from HTTP requests to Server Function endpoints, letting
unauthenticated attackers execute arbitrary code remotely, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full system compromise.
Remediation
Update to the latest version that fixes the unsafe deserialization issue.
RealTek Jungle SDK - Arbitrary Command Injection
runzero-match
service["product"] matches "(?i)realtek.jungle.sdk"Description
There is a command injection vulnerability on the "formWsc" page of the management interface. Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
Impact
Unauthenticated attackers can execute arbitrary system commands via command injection in the peerPin parameter, leading to complete router compromise and control over network traffic.
Remediation
Apply the latest security patches or updates provided by RealTek to fix the vulnerability.
Really Simple Security < 9.1.2 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/really-simple-ssl"Description
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
Impact
Unauthenticated attackers can exploit improper error handling in the two-factor authentication REST API to bypass authentication and log in as any user including administrators when two-factor authentication is enabled.
Remediation
Fixed in 9.1.2
Rebuild <= 3.5.5 - Server-Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "871154672"Description
There is a security vulnerability in Rebuild 3.5.5, which is due to a server-side request forgery vulnerability in the URL parameter of the readRawText function of the HTTP Request Handler component.
Impact
Successful exploitation of this vulnerability can result in unauthorized access to sensitive internal resources.
Remediation
Apply the latest security patches or updates provided by Rebuild to fix this vulnerability.
Red Hat JBoss Enterprise Application Platform - Sensitive Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jboss"})Description
Red Hat JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 is susceptible to sensitive information disclosure. A remote attacker can obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks.
Remediation
Apply the necessary patches or updates provided by Red Hat to fix the vulnerability.
Red Hat Satellite Panel - Detect
runzero-match
service["http.body"] matches "(?i)redhat"Red Lion HMI - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)www\.redlion\.net`Description
Red Lion HMI web interface panel has been detected.
Redash Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "698624197"Description
Redash login panel was detected.
Redash Setup Configuration - Default Secrets Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "698624197"Description
Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.
Impact
An attacker can gain unauthorized access to sensitive information and potentially compromise the Redash application.
Remediation
Remove or update the default secrets in the Redash setup configuration file.
Redis Commander - Default Login
Author: DhiyaneshDKAdded: Nov 28, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Redis Commander"})Description
Redis Commander Default Login credentials were discovered.
Redis Enterprise - Detect
Author: tessAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Enterprise-Class Redis for Developers"})Redis Sandbox Escape - Remote Code Execution
runzero-match
service["service.transport"] == "tcp" and service["service.port"] == "6380" and service["protocol"] contains "redis"Description
This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The
vulnerability was introduced by Debian and Ubuntu Redis packages that
insufficiently sanitized the Lua environment. The maintainers failed to
disable the package interface, allowing attackers to load arbitrary libraries.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and compromise of the affected system.
Remediation
Update to the most recent versions currently available.
Redmine - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
service["product"] contains "Redmine:Redmine"Description
Detected Redmine project management application was found to have been using the default administrator credentials (admin:admin). An attacker could have gained full administrative access to manage projects, users, and system settings.
Redmine Login Panel - Detect
Author: righettodAdded: Mar 4, 2024
runzero-match
service["http.body"] matches "(?i)'content=\"Redmine'"Description
Redmine login panel was detected.
Reflected Odoo - Open Redirect
Author: DhiyaneshDkAdded: Apr 16, 2026
runzero-match
service["product"] matches "(?i)Odoo"Description
Detected an open redirect vulnerability in Odoo where the redirect parameter in web/login was abused to redirect users to an attacker-controlled external URL after the authentication flow.
Regify Login Panel - Detect
Author: righettodAdded: Oct 23, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1817615343"Description
Regify Login Panel was detected.
Registrations for the Events Calendar < 2.7.6 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/registrations-for-the-events-calendar/"Description
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
Impact
Unauthenticated attackers can execute SQL injection through the event_id parameter, potentially extracting all Events Calendar registration data including attendee information.
Remediation
Fixed in 2.7.6
Rejetto HTTP File Server - Template injection
runzero-match
service["product"] matches "(?i)HttpFileServer.httpd"Description
This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request.
Impact
Unauthenticated attackers can execute arbitrary commands on the Rejetto HTTP File Server through template injection, potentially compromising the entire system.
Remediation
Update Rejetto HTTP File Server to a version newer than 2.3m.
Reliable Controls MACH-Pro - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Reliable Controls"})Description
Reliable Controls MACH-ProWebSys is a web-based building controller for
HVAC, lighting, and energy management using BACnet/IP. These controllers
are widely deployed in commercial buildings across North America and are
often directly internet-facing with no VPN protection.
RemKon Device Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Remkon Device Manager"})Description
RemKon Device Manager login panel was detected.
Remedy Axis Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)BMC Remedy"Remote Spark Gateway Configuration/Credentials - Exposure
runzero-match
service["http.body"] matches "(?i)SparkView"Description
Remote Spark Gateway config found via /gateway.conf.
Remotely Registration Enabled
Author: ritikchaddhaAdded: Jan 22, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Remotely$"})Description
Checks if the Remotely self-hosted remote desktop and collaboration web application has its user registration endpoint enabled, potentially allowing anyone to register without invitation.
Impact
Enabling open registration on Remotely instances may allow unauthorized users to register and gain access to the application, depending on configuration.
Remediation
Disable open registration if not required by setting 'RequireInvitationCodeForRegistration' to true in the Remotely configuration.
Reolink E1 Zoom Camera <=3.0.0.716 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)reolink"})Description
Reolink E1 Zoom camera through 3.0.0.716 is susceptible to information disclosure. The web server discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. An attacker with network-level access to the camera can can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, potentially compromising user privacy and security.
Remediation
Upgrade the Reolink E1 Zoom Camera to a version higher than 3.0.0.716 to mitigate the information disclosure vulnerability (CVE-2021-40150).
Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Reolink"})Description
Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability.
Impact
An attacker can obtain the private key, potentially leading to unauthorized access and compromise of the camera.
Remediation
Upgrade the Reolink E1 Zoom Camera to a version higher than 3.0.0.716 to mitigate the vulnerability.
Reolink Panel - Detect
Author: s4e-ioAdded: Oct 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Reolink"})Description
Reolink panel was discovered.
Repetier Server - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)repetier-server"})Description
Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.
Impact
An attacker can read, modify, or delete arbitrary files on the server, potentially leading to unauthorized access, data leakage, or system compromise.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in Repetier Server.
Repetier Server Panel - Detect
Author: ritikchaddhaAdded: May 13, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)repetier-server"})Description
Repetier Server login panel detected.
Reportico Administration Page - Detect
Author: geeknikAdded: Dec 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)reportico administration page"})Description
Create a simple report using the designer front end in seconds from a single SQL statement. Add expressions, user criteria, charts, groups, aggregations, page headers, page footers, hyperlinks and even custom plugin code.
Reposilite >= 3.3.0, < 3.5.12 - Arbitrary File Read
runzero-match
service["favicon.ico.image.mmh3"] == "1212523028"Description
Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files. Reposilite has addressed this issue in version 3.5.12. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-074.
Impact
Unauthenticated attackers can exploit path traversal to read arbitrary files including the reposilite.db database file.
Remediation
Update Reposilite to version 3.5.12 or later.
Reposilite Login Panel - Detect
Author: righettodAdded: Jan 27, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)reposilite"})Description
Reposilite products was detected.
Reprise License Manager 14.2 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)reprise license manager" || service["http.body"] matches "(?i)reprise license"Description
Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the Reprise License Manager.
Remediation
Apply the latest security patch or upgrade to a patched version of Reprise License Manager to mitigate this vulnerability.
Reprise License Manager 14.2 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)Reprise License"Description
Reprise License Manager 14.2 contains a cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in Reprise License Manager 14.2.
Reprise License Manager 14.2 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)reprise license"Description
Reprise License Manager 14.2 contains a reflected cross-site scripting vulnerability in the /goform/login_process 'username' parameter via GET, whereby no authentication is required.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade to a patched version of Reprise License Manager or apply the vendor-supplied patch to mitigate this vulnerability.
Reprise License Manager 14.2 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)reprise license" || service["http.body"] matches "(?i)reprise license manager"Description
Reprise License Manager 14.2 is susceptible to information disclosure via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information. An attacker can possibly obtain further sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain sensitive information.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of Reprise License Manager.
Request Tracker - Panel
Author: bursoAdded: Apr 10, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "203612613"Description
Request Tracker panel was discovered.
Request-Baskets <= 1.2.1 - Server Side Request Forgery
runzero-match
service["http.body"] matches "Request-Baskets"Description
Request-Baskets <= 1.2.1 allows unauthenticated SSRF via the forward_url parameter when creating a new basket.
Impact
Attackers can perform SSRF attacks to access internal network resources, scan internal systems, or interact with services that should not be accessible from external networks.
Remediation
Upgrade to Request-Baskets version 1.2.2 or later that addresses this SSRF vulnerability.
Residential Gateway Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login - Residential Gateway"})Description
Residential Gateway login panel was detected.
RestroPress 3.0.0-3.2.1 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/restropress/"Description
RestroPress Online Food Ordering System WordPress plugin 3.0.0 to 3.1.9.2 contains an authentication bypass caused by exposure of user private tokens and API data via /wp-json/wp/v2/users endpoint, letting unauthenticated attackers forge JWT tokens and authenticate as other users including administrators, exploit requires no authentication.
Impact
Unauthenticated attackers can forge JWT tokens and authenticate as any user, including administrators, leading to full account takeover.
Remediation
Update to the latest version beyond 3.1.9.2.
Retool Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Retool"})Description
Retool login panel was detected.
RevPi Webstatus <= v2.4.5 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RevPi"})Description
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device
Impact
Unauthenticated attackers can bypass authentication through incorrect type conversion in the login mechanism, achieving complete device compromise.
Remediation
Upgrade RevPi Webstatus to version 2.4.6 or later that properly validates authentication credentials.
Revive Adserver 4.2 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "106844876" || any(each(service["html.titles"]), {# matches "(?i)revive adserver"})Description
Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g. serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Apply the latest security patches or upgrade to a newer version of Revive Adserver.
Revive Adserver <5.1.0 - Open Redirect
runzero-match
service["favicon.ico.image.mmh3"] == "106844876"Description
Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability could allow an attacker to redirect users to malicious websites, leading to phishing attacks or the execution of further attacks.
Remediation
Upgrade Revive Adserver to version 5.1.0 or later to mitigate this vulnerability.
Revive Adserver <=5.0.3 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)revive adserver"})Description
Revive Adserver 5.0.3 and prior contains a reflected cross-site scripting vulnerability in the publicly accessible afr.php delivery script. In older versions, it is possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script is printed back without proper escaping, allowing an attacker to execute arbitrary JavaScript code on the browser of the victim.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.
Remediation
There are currently no known exploits. As of 3.2.2, the session identifier cannot be accessed as it is stored in an http-only cookie.
Ricoh Web Image Monitor - Detect
Author: righettodAdded: Dec 16, 2024
runzero-match
service["http.body"] matches "(?i)Web Image Monitor"Description
Ricoh Web Image Monitor device was detected.
Ricoh Web Image Monitor - Reflected XSS
runzero-match
service["http.body"] matches "(?i)Web Image Monitor"Description
A reflected cross-site scripting vulnerability exists in the laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor. If exploited, an arbitrary script may be executed on the web browser of the user who accessed Web Image Monitor.
Impact
Attackers can execute malicious JavaScript in user browsers through the profile parameter, potentially leading to session hijacking and credential theft.
Remediation
Apply the security patch from Ricoh for affected Web Image Monitor implementations.
Riello Netman 204 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netman 204"}) || service["http.body"] matches "(?i)ups network management card 4" || any(each(service["html.titles"]), {# matches "(?i)netman"})Description
The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.
Impact
Unauthenticated attackers can exploit SQL injection to modify collected log data, extract sensitive information, and potentially gain complete control of the Netman 204 device through multiple vulnerable CGI endpoints.
Remediation
Apply security patches from Riello for Netman 204 firmware to address the SQL injection vulnerabilities in db_datalog_w.cgi, db_eventlog_w.cgi, and db_multimetr_w.cgi endpoints.
Riello UPS NetMan 204 Network Card - Default Login
Author: mabdullah22Added: Jun 12, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Netman"})Description
Default logins on Riello UPS NetMan 204 is used. Attacker can access to UPS and attacker can manipulate the UPS settings to disrupt the onsite systems.
Riello UPS NetMan 204 Panel - Detect
Author: s4e-ioAdded: Oct 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netman 204"})Description
Riello UPS NetMan 204 login panel was detected.
RiteCMS - Default Login
Author: 0x_AkokoAdded: Oct 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ritecms"})Description
RiteCMS Default Credentials were discovered.
Rocket.Chat - Server-Side Request Forgery (SSRF)
runzero-match
any(each(service["html.titles"]), {# matches "rocket\\.chat"})Description
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.
Impact
Unauthenticated attackers can force the server to make arbitrary requests, potentially accessing internal services.
Remediation
Update Rocket.Chat to version 6.10.1 or later.
Rocket.Chat <=3.13 - NoSQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rocket\\.chat"})Description
Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, leading to unauthorized access, data manipulation, or denial of service.
Remediation
Upgrade Rocket.Chat to a version higher than 3.13 or apply the provided patch to mitigate the vulnerability.
RocketChat Login Panel - Detect
Author: righettodAdded: Feb 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Rocket\\.Chat"})Description
RocketChat login panel was detected.
Rockmongo Default Login
runzero-match
any(each(service["html.titles"]), {# matches "^RockMongo"})Description
Rockmongo default admin credentials were discovered.
Rockwell Automation FactoryTalk ViewPoint - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "FactoryTalk ViewPoint"Description
Rockwell Automation FactoryTalk ViewPoint is a web-based HMI that allows remote
monitoring and control of industrial automation systems from a browser. It provides
access to FactoryTalk View Machine Edition and Site Edition displays. Exposed
instances may allow unauthorised access to industrial control system visualisations.
Roxy File Manager - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)roxy file manager"})Description
Roxy File Manager panel was detected.
Roxy-WI - Remote Code Execution
runzero-match
service["http.body"] matches "Roxy-WI"Description
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the delcert parameter without proper input validation in the /app/options.py file, allowing attackers to inject arbitrary OS commands.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Users are advised to upgrade to latest version.
Roxy-WI - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)roxy-wi"Description
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the ssh_command function without processing the inputs received from the user in the /app/funct.py file.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Users are advised to upgrade to latest version.
Roxy-WI < 6.1.1.0 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)roxy-wi"Description
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Users are advised to upgrade to latest version.
Ruckus Wireless - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ruckus"})Description
Ruckus Wireless router contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Ruckus Wireless Admin - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "ruckus wireless"})Description
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request.
Impact
Remote code execution vulnerability in Ruckus Wireless Admin allows attackers to execute arbitrary code on the target system.
Remediation
Apply the latest security patches and updates provided by Ruckus Wireless to mitigate the vulnerability.
Ruckus Wireless Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ruckus"})Description
Ruckus Wireless admin login panel was detected.
Ruckus Wireless Unleashed Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)unleashed login"})Description
Ruckus Wireless Unleashed login panel was detected.
Ruckus vRioT IoT Controller - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)RIoT Controller"Description
Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validate_token.py,letting unauthenticated attackers interact with the API without authentication.
Impact
Unauthenticated attackers can interact with the API without authentication via a hardcoded token, allowing complete control over the IoT controller and connected devices.
Remediation
Update to Ruckus vRioT version 1.5.1.0.22 or later.
Rudder Server < 1.3.0-rc.1 - SQL Injection
runzero-match
service["product"] matches "(?i)rudderstack.rudder.server"Description
Rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.
Impact
Authenticated attackers can execute arbitrary SQL commands and potentially achieve remote code execution due to PostgreSQL superuser permissions, leading to complete database and server compromise.
Remediation
Upgrade to Rudder Server version 1.3.0-rc.1 or later.
Rudloff alltube prior to 3.0.1 - Open Redirect
runzero-match
service["product"] matches "(?i)alltube"Description
An open redirect vulnerability exists in Rudloff/alltube that could let an attacker construct a URL within the application that causes redirection to an arbitrary external domain via Packagist in versions prior to 3.0.1.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the download of malware.
Remediation
Upgrade to version 3.0.1 or later to fix the open redirect vulnerability.
Ruijie NBR Series Routers - Default Login
Author: pussycat0xAdded: Jul 4, 2024
runzero-match
service["http.body"] matches "(?i)上层网络出现异常,请检查外网线路或联系ISP运营商协助排查"Description
Ruijie NBR Series Routers Default Login username and password was discovered.
Ruijie RG-EG - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)请输入您的RG-EG易网关的用户名和密码"Description
Ruijie RG-EG easy gateway WEB management system front-end RCE has a command execution vulnerability. An attacker without identity authentication can execute arbitrary commands to control server permissions.
Ruijie RG-EW1200G Router Background - Login Bypass
runzero-match
service["http.body"] matches "(?i)app\\.2fe6356cdd1ddd0eb8d6317d1a48d379\\.css"Description
A vulnerability was found in Ruijie RG-EW1200G 07161417 r483. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/sys/login. The manipulation leads to improper authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-237518 is the identifier assigned to this vulnerability.
Impact
Attackers can bypass authentication on the Ruijie RG-EW1200G router through improper authentication checks in the login API, potentially gaining administrative access to the router and compromising network security.
Remediation
Update Ruijie RG-EW1200G firmware to a version newer than 07161417 r483 that implements proper authentication validation in the login API.
Ruijie RG-NBS2009G-P - Improper Authentication
runzero-match
service["http.body"] matches "(?i)ruijie\\.com\\.cn"Description
An issue in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release(9736) allows a remote attacker to gain privileges via the system/config_menu.htm.
Impact
Unauthenticated attackers can bypass authentication to gain administrative access and control the Ruijie switch configuration.
Remediation
Update Ruijie RG-NBS2009G-P firmware to a version that addresses CVE-2024-24116.
Ruijie RG-UAC Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)get_verify_info"Description
Ruijie RG-UAC login panel was detected.
Rundeck - Default Login
Author: karkis3cAdded: Aug 27, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Rundeck - Login"})Description
Rundeck default login was discovered.
Rundeck - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Rundeck"})Description
Rundeck is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Rundeck Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Rundeck"})Description
Rundeck login panel was detected.
RustDesk Web Client - Default login
Author: 0x_AkokoAdded: Jan 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RustDesk API Admin"})Description
Detected RustDesk Web Client Admin Console was using default credentials.
Rustfs - Detect
Author: icarotAdded: Mar 20, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RustFS"})Description
Detects a Rustfs server, a high-performance, distributed object storage system built in Rust.
Rustici Content Controller Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Rustici Content Controller"})Description
Rustici Content Controller panel was detected.
SAP Analytics Cloud Panel - Detect
runzero-match
service["http.body"] matches "(?i)SAP Analytics Cloud"Description
SAP Analytics Cloud panel was detected.
SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)sap.businessobjects.business.intelligence"Description
SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests.
Impact
Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access to internal resources or further attacks.
Remediation
Apply the relevant security patches provided by SAP to mitigate this vulnerability.
SAP Knowledge Warehouse <=7.5.0 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
SAP Knowledge Warehouse 7.30, 7.31, 7.40, and 7.50 contain a reflected cross-site scripting vulnerability via the usage of one SAP KW component within a web browser.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.
Remediation
Upgrade to a patched version of SAP Knowledge Warehouse (>=7.5.1) to mitigate the XSS vulnerability.
SAP Management Console - Panel
Author: LRVT,l4rm4ndAdded: Feb 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SAP Management Console"})Description
Detected the SAP Management Console (SAP MC) web panel by requesting /sapmc/sapmc.html and checking for a gSOAP server header the page title.
SAP Memory Pipes (MPI) Desynchronization
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Impact
Successful exploitation of this vulnerability can result in unauthorized access to sensitive data and potential data leakage.
Remediation
Apply the latest security patches and updates provided by SAP to mitigate this vulnerability.
SAP NetWeaver - Backdoor Detection
Author: DhiyaneshDkAdded: Apr 26, 2025
runzero-match
service["http.body"] matches "(?i)SAP NetWeaver Application Server Java"Description
Detected a potential backdoor in SAP NetWeaver allowing unauthorized command execution.
SAP NetWeaver Application Server Java 7.5 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
SAP NetWeaver Application Server Java 7.5 is susceptible to local file inclusion in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access, data leakage, and potential system compromise.
Remediation
Apply the latest security patches and updates provided by SAP to fix the LFI vulnerability in SAP NetWeaver Application Server Java 7.5.
SAP NetWeaver Composition Environment Tools - Detect
Author: ap3rAdded: May 14, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
Detects the presence of the SAP NetWeaver Process Integration / Composition Environment Tools page
SAP NetWeaver Development Infrastructure - Server Side Request Forgery
runzero-match
service["http.body"] matches "SAP NetWeaver"Description
Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.
Impact
Authenticated attackers can perform SSRF attacks to manipulate internal network resources, potentially accessing sensitive internal systems and data.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
SAP NetWeaver SQL Injection Vulnerability
runzero-match
service["product"] contains 'SAP:NetWeaver Application Server'Description
SQL injection vulnerability in the UDDI server of the SAP NetWeaver J2EE Engine 7.40 allows remote attackers to
execute arbitrary SQL commands via unspecified vectors, as documented within SAP Security Note 2101079.
Remediation
Apply updates per vendor instructions.
SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
runzero-match
service["http.body"] matches "SAP NetWeaver Application Server Java"Description
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Impact
Unauthenticated attackers can upload malicious executable binaries through the Metadata Uploader without authorization, potentially achieving remote code execution and complete system compromise.
Remediation
Apply SAP security note 3594142 and upgrade to the latest patched version of SAP NetWeaver Visual Composer.
SAP Solution Manager - Open Redirect
runzero-match
service["product"] matches "(?i)sap.solution.manager"Description
SAP Solution Manager contains an open redirect vulnerability via the logoff endpoint. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Attackers can redirect users to malicious websites through crafted links, potentially facilitating phishing attacks or credential theft.
Remediation
Apply security patches or updates provided by SAP to fix the vulnerability.
SAP Solution Manager 7.2 - Remote Command Execution
runzero-match
service["favicon.ico.images.mmh3"] == "694811822"Description
SAP Solution Manager (SolMan) running version 7.2 has a remote command execution vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
Remediation
Apply the latest security patches provided by SAP to mitigate this vulnerability.
SAP SuccessFactors Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - sap successfactors"})Description
SAP SuccessFactors login panel was detected.
SAP Web Application Server 6.x/7.0 - Open Redirect
runzero-match
service["http.body"] matches "SAP Business Server Pages Team"Description
frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Apply the latest security patches and updates provided by SAP to fix the open redirect vulnerability.
SAP xMII 15.0 for SAP NetWeaver 7.4 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
SAP xMII 15.0 for SAP NetWeaver 7.4 is susceptible to a local file inclusion vulnerability in the GetFileList function. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to /Catalog, aka SAP Security Note 2230978.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.
Remediation
Apply the latest security patches and updates provided by SAP to mitigate the vulnerability.
SAS Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "957255151"Description
SAS login panel has been detected.
SAUTER moduWeb Vision Panel - Detect
Author: righettodAdded: May 30, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1663319756"Description
Sauter moduWeb Vision was detected.
SDT-CW3B1 1.1.0 - OS Command Injection
runzero-match
service["http.body"] matches "SDT-CW3B1"Description
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade to a patched version of SDT-CW3B1 or apply the vendor-supplied patch to mitigate this vulnerability.
SEH utnserver Pro/ProMAX/INU-100 20.1.22 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)utnserver Control Center"Description
A vulnerability was found in utnserver Pro, utnserver ProMAX, and INU-100 version 20.1.22 and earlier, affecting the device description parameter in the web interface. This flaw allows stored cross-site scripting (XSS), enabling attackers to inject JavaScript code. The attack can be executed remotely by tricking victims into visiting a malicious website, potentially leading to session hijacking. This vulnerability is publicly disclosed and identified as CVE-2024-5420.
Impact
Authenticated attackers can inject malicious JavaScript into the device description field, leading to stored XSS that can hijack user sessions when victims access the interface.
Remediation
Update SEH utnserver Pro/ProMAX/INU-100 to a version later than 20.1.22 that addresses the XSS vulnerability.
SEL Real-Time Automation Controller - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^SEL-RTAC"})Description
Schweitzer Engineering Laboratories (SEL) Real-Time Automation Controller (RTAC)
is a programmable automation controller used in electric utility and industrial
automation environments for protection, control, and automation. The web interface
exposes a management panel for configuration and monitoring.
SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution
runzero-match
service["product"] matches "(?i)seowonintech.slc"Description
SEOWON INTECH SLC-130 and SLR-120S devices allow remote code execution via the ipAddr parameter to the system_log.cgi page.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
SGP Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SGP"})Description
SGP login panel was detected.
SHOUTcast Server Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SHOUTcast Server"})Description
SHOUTcast Server panel was detected.
SKYSEA Client View Panel - Detect
Author: rxeriumAdded: Oct 15, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "385597939"Description
SKYSEA Client View panel was detected.
SOPlanning - Default Login
Author: s4e-ioAdded: May 7, 2024
runzero-match
service["http.body"] matches "(?i)soplanning"Description
SOPlanning contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
SOUND4 IMPACT/FIRST/PULSE/Eco <= 2.x - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1548359600"Description
The application suffers from an SQL Injection vulnerability. Input passed through the 'username' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File Disclosure
Author: arafatansariAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)SOUND4"Description
The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
SPIP - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)spip\\.php\\?page=backend"Description
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Apply the latest security patches or upgrade to a patched version of SPIP.
SPIP Saisies - Remote Code Execution
runzero-match
service["http.body"] matches "SPIP"Description
SPIP Saisies plugin 5.4.0 through 5.11.0 contains a remote code execution caused by an unspecified flaw, letting attackers execute arbitrary code on the server, exploit requires no special conditions.
Impact
Attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Update to version 5.11.1 or later.
SQL Buddy Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SQL Buddy"})Description
SQL Buddy login panel was detected.
SQL Monitor - Discovery
runzero-match
service["http.body"] matches "(?i)sql monitor"Description
SQL Monitor was discovered.
SRS - Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1386054408"Description
SRS's v5.0.137~v5.0.156, v6.0.18~v6.0.47 api-server server is vulnerable to a drive-by command injection.
Impact
Unauthenticated attackers with user interaction can inject commands through the app parameter in the snapshots API to execute arbitrary commands on the SRS streaming server.
Remediation
Update SRS (Simple Realtime Server) to a version newer than v5.0.156 or v6.0.47 that properly sanitizes input in the api-server snapshots endpoint.
SSH PrivX Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PrivX"})Description
SSH PrivX login panel was detected.
SSL VPN Session Hijacking
runzero-match
service["http.body.mmh3"] == "-1466805544"Description
An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
Impact
Unauthenticated attackers can hijack SSL VPN sessions by bypassing authentication mechanisms and gaining unauthorized access to the VPN.
Remediation
Update SonicWall to a version that patches CVE-2024-53704 as specified in PSIRT advisory SNWLID-2025-0003.
STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jira"})Description
STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjCustomDesignConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server.
Remediation
Upgrade STAGIL Navigation for Jira Menu & Themes to version 2.0.52 or higher to fix the Local File Inclusion vulnerability.
STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jira"})Description
STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server.
Remediation
Upgrade STAGIL Navigation for Jira Menu & Themes to version 2.0.52 or higher to fix the Local File Inclusion vulnerability.
SUNGROW Logger1000 Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)logger"})Description
SUNGROW (Solar Energy Inverter Monitoring Devices) Logger1000 panel was detected.
SUSE Manager Server - Panel
Author: darsesAdded: Jul 30, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SUSE Manager - Sign In"}) || any(each(service["html.titles"]), {# matches "(?i)SUSE Multi-Linux Manager - Sign In"}) || any(each(service["html.titles"]), {# matches "(?i)Uyuni - Sign In"}) || service["favicon.ico.image.mmh3"] == "1158194469"Description
SUSE Manager login panel detected.
SV3C HD Camera L Series - Open Redirect
runzero-match
service["product"] matches "(?i)sv3c.poe.ip.camera"Description
SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can use this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Apply the latest firmware update provided by the vendor to fix the open redirect vulnerability.
SafeNet Authentication Login Panel - Detect
Author: righettodAdded: Mar 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Self Enrollment"})Description
SafeNet Authentication Service Self Enrollment login panel was detected.
Sage X3 Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sage x3"})Description
Sage X3 login panel was detected.
Saia PCD Web Server Panel - Detect
Author: DhiyaneshDkAdded: Oct 7, 2024
runzero-match
service["http.body"] matches "(?i)Saia PCD Web Server"Description
Saia PCD Web Server panel was detected.
SaltStack <=3002 - Shell Injection
runzero-match
service["json.return"] == "Welcome"Description
SaltStack Salt through 3002 allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt-API using the SSH client.
Impact
Unauthenticated attackers can execute arbitrary shell commands via the Salt API, leading to complete server compromise and access to all managed systems.
Remediation
Upgrade to a patched version of SaltStack (>=3003) to mitigate this vulnerability.
SaltStack Config Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SaltStack Config"})Description
SaltStack config panel was detected.
Samsung MagicINFO Panel - Detect
Author: s4e-ioAdded: Aug 22, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MagicINFO"})Description
Samsung MagicINFO panel was discovered.
Samsung Printer - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "SyncThru Web Service"})Description
Samsung printers contain a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Sanity Studio Panel - Detect
Author: Shivam KambojAdded: Jan 12, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Sanity Studio"})Description
Sanity Studio panel was detected. Sanity is a headless CMS platform.
Sante PACS Server.exe - Path Traversal Information Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "1185161484"Description
A Path Traversal Information Disclosure vulnerability exists in "Sante PACS Server.exe". An unauthenticated remote attacker can exploit it to download arbitrary files on the disk drive where the application is installed.
Impact
Unauthenticated attackers can exploit path traversal to download arbitrary files from the server, potentially exposing sensitive patient data, credentials, and configuration files.
Remediation
Upgrade to Sante PACS Server version 4.1.1 or later that properly validates file paths.
Satellian Intellian Aptus Web <= 1.24 - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)intellian aptus web"})Description
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Upgrade to a patched version of Satellian Intellian Aptus Web (version > 1.24).
Satis Composer Repository - Detect
runzero-match
service["http.body"] matches "(?i)<a href=\\\\"Description
Satis composer repository was detected
Sato - Default Login
Author: y0noAdded: Oct 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Sato"})Description
Sato using default credentials was discovered.
SawtoothSoftware Lighthouse Studio < 9.16.14 - Pre-Auth Remote Code Execution
runzero-match
service["http.body"] matches "(?i)Lighthouse Studio"Description
A pre-authentication remote code execution vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14. The issue arises from the unsafe use of the `eval` function within the Perl CGI component `ciwweb.pl`, where attacker-supplied input inside `hid_Random_ACARAT` is directly passed to `eval`. This allows remote unauthenticated attackers to execute arbitrary Perl code on the server.
Impact
Unauthenticated attackers can execute arbitrary Perl code through the hid_Random_ACARAT parameter due to unsafe eval usage, achieving complete server compromise.
Remediation
Upgrade to Sawtooth Software Lighthouse Studio version 9.16.14 or later that removes unsafe eval usage in ciwweb.pl.
ScadaBR - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)ScadaBR Software"Description
ScadaBR is an open-source SCADA system based on Mango Automation, widely
used in Brazil and Latin America for industrial monitoring. The "powered by
Mango" tagline in the title is a unique identifier. Instances are often
internet-facing without authentication controls.
Scan2Net - Panel
Author: matejsmyckaAdded: Sep 18, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1780061475" || any(each(service["html.titles"]), {# matches "(?i)Scan2Net"})Description
Scan2Net Login was detected. This software is used to manage ImageAccess devices.Universities and public institutions often use ImageAccess devices.
Schneider Electric ClearSCADA - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?:ClearSCADA|Geo SCADA Expert) Home`Description
ClearSCADA (now branded as EcoStruxure Geo SCADA Expert) is a Schneider Electric
SCADA platform used in water, oil and gas, and utilities sectors. Exposed instances
may provide unauthenticated access to industrial process data and control interfaces.
Schneider Electric EcoStruxure Link150 Default Login
runzero-match
asset["hw_product"] matches `LINK150` || any(each(service["html.titles"]), {# matches `Schneider Electric`}) && any(each(service["vscan.technologies"]), {# matches `schneider-electric-ecostruxure`})Description
Schneider Electric EcoStruxure Link150 Ethernet Gateway with default administrator credentials discovered.
Schneider Electric Pelco VideoXpert Enterprise 2.0 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VideoXpert"})Description
Schneider Electric Pelco VideoXpert Enterprise versions 2.0 and prior contain a directory traversal caused by insufficient input validation, letting unauthorized persons view web server files, exploit requires no authentication.
Impact
Unauthenticated attackers can view web server files and directories, potentially exposing sensitive configuration files, credentials, and system information.
Remediation
Apply security updates provided by Schneider Electric or upgrade to a non-vulnerable version.
Schneider Electric PowerLogic PM8000 Default Login
runzero-match
any(each(service["tls.cn"]), {# matches `(?i)PM8000-`}) || any(each(service["tls.names"]), {# matches `(?i)pm8000-`}) || any(each(service["service.vhost"]), {# matches `(?i)PM8000-`}) || (asset["hw"] matches `Schneider\s+Electric\s+PowerLogic\s+Power\s+Meter` && any(each(service["http.head.location"]), {# matches `/web/resources/monitoring.html`}))Description
Schneider Electric PowerLogic PM8000 Power Quality Meter with default User1/0 credentials discovered.
Schneider Electric U.motion Builder - Remote Code Execution
runzero-match
service["product"] matches "(?i)schneider.electric.motion.builder"Description
U.motion Builder 1.3.4 contains a remote code execution vulnerability caused by improper input sanitization, allowing attackers to execute arbitrary system commands through crafted input parameters.
Impact
Attackers can execute arbitrary system commands on the server, potentially leading to complete system compromise, data theft, service disruption, or lateral movement within the network.
Remediation
The product has been retired and is no longer available or supported. To further protect their installations from this threat, customers should immediately remove the U.motion Builder software from their systems.
Schneider TAC Vista - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "TAC Vista Webstation"})Description
Schneider TAC Vista building automation panel has been detected.
Scramble Laravel - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches `(?i)Login\s*[\p{Pd}|]?\s*Laravel`})Description
Scramble for Laravel >= 0.13.2 and < 0.13.22 contains a remote code execution caused by evaluation of user-controlled input in validation rules during documentation generation, letting remote attackers execute arbitrary PHP code, exploit requires publicly accessible documentation endpoints.
Impact
Remote attackers can execute arbitrary PHP code, potentially leading to full application compromise.
Remediation
Upgrade to version 0.13.22 or later.
Scribble Diffusion Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Scribble Diffusion"})Description
A tool to turn your rough sketch into a refined image using AI.
ScriptCase Panel Detect
Author: Ricardo Maia (Brainfork)Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ScriptCase"})ScriptCase Production Environment Login
Author: Ricardo Maia (Brainfork)Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ScriptCase"})Seafile Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1552322396"Description
Seafile panel was detected.
Seagate BlackArmor NAS - Command Injection
runzero-match
service["product"] matches "(?i)seagate.blackarmor.nas.firmware"Description
Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with the privileges of the affected device, potentially leading to unauthorized access, data loss, or further compromise of the network.
Remediation
Apply the latest firmware update provided by Seagate to patch the command injection vulnerability.
Seagate NAS Login - Detect
Author: JustaAcatAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)seagate nas - seagate"})Description
Seagate NAS - SEAGATE Login was detected.
Seagate NAS OS 4.3.15.1 - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "seagate nas - seagate"})Description
Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter.
Impact
Successful exploitation of this vulnerability could lead to user redirection to malicious websites, potentially resulting in the theft of sensitive information or the installation of malware.
Remediation
Apply the latest security patches or updates provided by Seagate to fix the open redirect vulnerability in NAS OS 4.3.15.1.
Seagate NAS OS 4.3.15.1 - Server Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)seagate nas - seagate"})Description
Seagate NAS OS version 4.3.15.1 has insufficient access control which allows attackers to obtain information about the NAS without authentication via empty POST requests in /api/external/7.0/system.System.get_infos.
Impact
An attacker can gain sensitive information about the server, potentially leading to further attacks.
Remediation
Upgrade to a patched version of Seagate NAS OS.
SecurEnvoy Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securenvoy"})Description
SecurEnvoy login panel was detected.
SecurEnvoy Two Factor Authentication - LDAP Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SecurEnvoy"})Description
Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
Impact
Unauthenticated attackers can exploit LDAP injection to exfiltrate sensitive Active Directory data including cleartext LAPS passwords.
Remediation
Update SecurEnvoy MFA to version 9.4.514 or later.
Securden Unified PAM - Authentication Bypass
Author: DhiyaneshDk,pussycat0x,iamnoooob,pdresearchAdded: Aug 28, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1798893256"Description
An authentication bypass vulnerability exists which allows an unauthenticated attacker to control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens stored by the Unified PAM.
Impact
Unauthenticated attackers can control administrator backup functions to compromise passwords, secrets, and application session tokens stored in Unified PAM.
Remediation
Upgrade Securden Unified PAM to the latest version that implements proper authentication checks on backup functions.
Secure Login Service Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Secure Login Service"})Description
Secure Login Service login panel was detected.
SecurePoint UTM 12.x Session ID Leak
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securepoint utm"})Description
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or perform actions on behalf of the user.
Remediation
Upgrade to version 12.2.5.1 or newer
Securepoint UTM - Leaking Remote Memory Contents
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securepoint utm"})Description
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information stored in the device's memory.
Remediation
Apply the latest security patches and updates provided by Securepoint to fix the memory leakage issue.
Security Onion Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)security onion"})Description
Security Onion is a free and open source Linux distribution for intrusion detection, security monitoring, and log management. It includes CyberChef, NetworkMiner, and many other security tools.
SecuritySpy Camera Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SecuritySpy"})Description
SecuritySpy Camera panel was detected.
SeedDMS Default Login
runzero-match
any(each(service["html.titles"]), {# matches "SeedDMS"})Description
SeedDMS default admin credentials were discovered.
SeedDMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)seeddms"})Description
SeedDMS login panel was detected.
Seeyon OA (Log4j) - Remote Code Execution
runzero-match
service["product"] matches "(?i)致远互联.OA"Description
Seeyon OA is susceptible to remote code execution via the Apache Log4j 2 library prior to 2.15.0 by recording its own log information, specifically with specially crafted values sent as user input. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Seeyon OA A6 setextno.jsp - SQL Injection
runzero-match
service["http.body"] matches "(?i)yyoa"Description
Seeyon OA A6 initDataAssess.jsp has leaked user sensitive information,You can blast the user password through the obtained username to enter the background for further attacks
Seeyon OA Fastjson Remote Code Execution
runzero-match
service["product"] matches "(?i)致远互联.OA"Description
Seeyon OA Fastjson is vulnerable to RCE.
Selenium Grid Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Selenium Grid"})Description
Selenium Grid panel was detected.
SelfCheck System Manager - Panel
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SelfCheck System Manager"})Sensei LMS < 4.24.2 - Email Template Leak
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sensei-lms"Description
The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates.
Impact
Unauthenticated attackers can access and leak email templates through unprotected REST API endpoints, potentially exposing sensitive information included in email communications and template configurations.
Remediation
Update Sensei LMS plugin to version 4.24.2 or later to address the REST API protection issue.
Sensu by Sumo Logic Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-749942143"Description
Sensu by Sumo Logic login panel was detected.
SentinelOne Management Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SentinelOne - Management Console"})Description
SentinelOne Management Console login panel was detected.
Sentry Login Panel
Author: righettodAdded: Feb 2, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login \\| sentry"})Description
Sentry login panel was detected.
SequoiaDB Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SequoiaDB"})Description
SequoiaDB login panel was detected.
Sercomm VD625 Smart Modems - CRLF Injection
runzero-match
service["product"] matches "(?i)sercomm.agcombo.vd625.firmware"Description
Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header.
Impact
Successful exploitation of this vulnerability could lead to various attacks, including session hijacking, cross-site scripting (XSS), and cache poisoning.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
Serge Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Serge - Powered by LLaMa"})Description
Serge is a web interface for chatting with Alpaca through llama.cpp. This template detects the presence of a Serge chat interface.
Server Backup Manager SE Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Server Backup Manager SE"})Description
Server Backup Manager SE login panel was detected.
Service Finder Bookings - Authentication Bypass
runzero-match
service["http.body"] contains "/wp-content/plugins/sf-booking"Description
Service Finder Bookings WordPress plugin <= 6.0 contains a privilege escalation caused by improper validation of user cookie in service_finder_switch_back() function, letting unauthenticated attackers login as any user including admins.
Impact
Unauthenticated attackers can login as any user, including administrators, leading to full system compromise.
Remediation
Update to the latest version beyond 6.0.
ServiceNow - Incomplete Input Validation
runzero-match
service["favicon.ico.image.mmh3"] == "1701804003" || any(each(service["html.titles"]), {# matches "(?i)servicenow"})Description
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Impact
Attackers can exploit this vulnerability to compromise system security.
Remediation
Apply security patches to address CVE-2024-5217.
ServiceNow Login Panel - Detect
Author: righettodAdded: Nov 1, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1701804003" || any(each(service["html.titles"]), {# matches "(?i)servicenow"})Description
ServiceNow Login Panel was detected.
ServiceNow UI Macros - Template Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1701804003" || any(each(service["html.titles"]), {# matches "(?i)servicenow"})Description
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Impact
Unauthenticated attackers can exploit SSTI to execute arbitrary code on ServiceNow servers.
Remediation
Apply security patches for ServiceNow as per KB1644293 and KB1645154.
SevOne NMS Network Manager
Author: pussycat0xAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SevOne NMS - Network Manager"})ShardingSphere ElasticJob UI Panel
runzero-match
service["favicon.ico.image.mmh3"] == "816588900"Description
An ShardingSphere ElasticJob UI panel was detected.
Sharefile Login - Panel
Author: irshad ahamedAdded: Jul 11, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sharefile login"})Description
ShareFile is a cloud-based file sharing and collaboration platform that provides secure access to files from anywhere.
Shell In A Box - Detect
Author: irshad ahamedAdded: Jul 1, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-629968763"Description
Shell In A Box implements a web server that can export arbitrary command line tools to a web based terminal emulator
Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated Remote Command Execution via `time` Parameter
Author: Chocapikk,DhiyaneshDkAdded: Aug 18, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-741058468 \"lighttpd/1.4.32"Description
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the time parameter in the protocol.csp endpoint without disrupting device operation.
Remediation
Update Shenzhen Aitemi M300 Wi-Fi Repeater firmware to the latest version that properly sanitizes the time parameter.
Shibboleth OIDC OP <3.0.4 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)shibboleth.oidc.op"Description
The Shibboleth Identity Provider OIDC OP plugin before 3.0.4 is vulnerable to server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter, which allows attackers to interact with arbitrary third-party HTTP services.
Impact
An attacker can exploit this vulnerability to send crafted requests, potentially leading to unauthorized access to internal resources or information disclosure.
Remediation
Upgrade to Shibboleth OIDC OP version 3.0.4 or later to mitigate the vulnerability.
Shield Security WP Plugin <= 18.5.9 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-simple-firewall"Description
The Shield Security Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Impact
Unauthenticated attackers can exploit local file inclusion via render_action_template to execute arbitrary PHP code, potentially compromising the entire WordPress installation.
Remediation
Update Shield Security plugin to version 18.5.10 or later.
Shiziyu CMS Api Controller - SQL Injection
runzero-match
service["http.body"] matches "(?i)/seller\\.php\\?s=/Public/login"Description
Shiziyu CMS ApiController.class.php parameter filtering is not rigorous, resulting in SQL injection vulnerability.
ShokoServer System - Local File Inclusion (LFI)
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Shoko WEB UI"})Description
ShokoServer is a media server which specializes in organizing anime. In affected versions the `/api/Image/WithPath` endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter `serverImagePath`, which is not sanitized in any way before being passed to `System.IO.File.OpenRead`, which results in an arbitrary file read.
Impact
This issue may lead to an arbitrary file read which is exacerbated in the windows installer which installs the ShokoServer as administrator. Any unauthenticated attacker may be able to access sensitive information and read files stored on the server.
Remediation
The `/api/Image/WithPath` endpoint has been removed in commit `6c57ba0f0` which will be included in subsequent releases. Users should limit access to the `/api/Image/WithPath` endpoint or manually patch their installations until a patched release is made. This issue was discovered by the GitHub Security lab and is also indexed as GHSL-2023-191.
ShortPixel Adaptive Images < 3.6.3 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/shortpixel-adaptive-images/"Description
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against any high privilege users such as admin
Impact
Unauthenticated attackers can inject malicious JavaScript to steal high-privilege user session cookies including administrator credentials.
Remediation
Fixed in version 3.6.3
ShowDoc Panel Detection
runzero-match
service["http.body"] matches "(?i)showdoc"Description
ShowDoc panel was detected. ShowDoc was a tool for documenting APIs and interfaces.
SickChill - Open Redirect
runzero-match
service["http.body"] matches "SickChill"Description
SickChill's login endpoint's 'next_' parameter accepts arbitrary content, allowing authenticated attackers to perform open redirects, but this was fixed in commit c7128a8946c3701df95c285810eb75b2de18bf82 by redirecting to a default page.
Impact
Authenticated attackers can redirect users to malicious sites, potentially leading to phishing or information disclosure.
Remediation
Update to the version containing commit c7128a8946c3701df95c285810eb75b2de18bf82 or later.
Sidekiq < 7.0.8 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sidekiq"})Description
An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system.
Impact
Unauthenticated attackers can inject malicious JavaScript through the period parameter in Sidekiq metrics endpoints, potentially stealing administrator session cookies and accessing sensitive job queue information and worker statistics.
Remediation
Update Sidekiq to version 7.0.8 or later that properly sanitizes the period parameter and encodes output in the metrics dashboard.
Sidekiq Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sidekiq"})Description
Sidekiq Dashboard panel was detected.
Siemens SIMATIC HMI Miniweb - Default Login
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Miniweb Start Page"})Description
Identified Siemens SIMATIC HMI MiniWeb interfaces that were accessible using default credentials.These interfaces are used to remotely monitor and control Human-Machine Interface (HMI) panels deployed in industrial environments. Leaving the default login in place posed a significant risk to operational technology (OT) systems.
Signet Explorer Dashboard - Detect
runzero-match
service["http.body"] matches "(?i)mempool-space"Description
Signet Explorer Dashboard was detected.
SillyTavern - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "SillyTavern"})Description
SillyTavern versions up to and including 1.17.0 expose the /api/search/searxng endpoint, which accepts an attacker-controlled baseUrl parameter and uses it directly to build outbound server-side fetch requests. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the full response body, enabling read access to internal services, cloud metadata endpoints, and private network resources.
Remediation
Upgrade SillyTavern to version 1.18.0 or later, which introduces a Private Request Whitelisting filter. Enable and properly configure the filter when hosting over a network.
SillyTavern Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SillyTavern"})Description
SillyTavern was detected. SillyTavern is a character-based AI roleplay and chat frontend that connects to local or remote LLM backends. Exposed instances may allow unauthenticated access to AI models and conversation history.
SimpleHelp <= 5.5.7 - Unauthenticated Path Traversal
runzero-match
service["http.body"] matches "(?i)SimpleHelp"Description
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.
Impact
Unauthenticated attackers can exploit path traversal to download server configuration files containing secrets, hashed passwords, and other sensitive information.
Remediation
Update SimpleHelp to version 5.5.8 or later to address the path traversal vulnerabilities.
Sitecore - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sitecore"})Description
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
Impact
Unauthenticated attackers can execute arbitrary code on Sitecore servers through the XAML parser by injecting malicious ASP.NET markup, potentially compromising the entire content management system and accessing sensitive customer data.
Remediation
Apply Sitecore security patches as outlined in KB1002979 for Experience Manager, Experience Platform, and Experience Commerce versions through 10.3.
Sitecore CMS - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)Sitecore"Description
Sitecore CMS contains a cross-site scripting vulnerability via the "special way" of displaying XML Controls directly, which allows for a Cross Site Scripting Attack.
Impact
Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, credentials, or performing actions on behalf of users.
Remediation
Update to a patched version of Sitecore CMS or apply vendor security updates.
Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sitecore"})Description
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Impact
Unauthenticated attackers can use hardcoded credentials to access administrative API endpoints over HTTP, potentially compromising the entire Sitecore platform.
Remediation
Apply the security patch as described in Sitecore KB1003667 and change all default credentials immediately.
Sitecore Experience Platform - Deserialization of Untrusted Data
runzero-match
service["http.body"] matches "SitecoSitecore Experience Platform"Description
Sitecore Experience Platform before 8.2 Update-7 and 9.0 before Update-2 is vulnerable to a remote code execution vulnerability (CVE-2019-9874). An attacker can exploit this issue to execute arbitrary code on the affected system via a crafted request to the /sitecore/shell/Applications/Layouts/IDE.aspx endpoint.
Impact
Attackers can execute arbitrary code remotely, potentially leading to full system compromise.
Remediation
Update to the latest version of Sitecore or apply security patches addressing deserialization issues.
Sitecore Experience Platform <= 10.4 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sitecore"})Description
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
Impact
Unauthenticated attackers can read arbitrary files from the Sitecore server, potentially exposing sensitive configuration and credentials.
Remediation
Update Sitecore Experience Platform to a version that patches CVE-2024-46938.
Sitecore Experience Platform Pre-Auth RCE
runzero-match
any(each(service["html.titles"]), {# matches "SiteCore"})Description
Sitecore XP 7.5 to Sitecore XP 8.2 Update 7 is vulnerable to an insecure deserialization attack where remote commands can be executed by an attacker with no authentication or special configuration required.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions- - Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher. - Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances. - Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below. - For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances. For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
Sitecore Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Welcome to Sitecore"})Description
Sitecore login panel was detected.
Sitefinity Login
Author: dhiyaneshDKAdded: Apr 27, 2023
runzero-match
service["product"] contains "Progress:Sitefinity"Description
This template identifies the Sitefinity login page.
Skeepers Login Panel - Detect
Author: righettodAdded: Mar 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Skeepers"})Description
Skeepers login panel was detected.
Skype for Business 2019 (SfB) - Blind Server-side Request Forgery
runzero-match
service["http.body"] matches "Skype for Business"Description
Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability
Impact
Unauthenticated attackers can exploit blind SSRF vulnerabilities through the meeturl parameter to make the Skype for Business server probe internal network resources, potentially discovering internal services and infrastructure topology.
Remediation
Apply Microsoft security patches for Skype for Business Server 2015 and 2019 that validate and restrict URL parameters in the LwaClient.aspx endpoint.
Skyvern Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Skyvern"})Description
Skyvern is an open-source AI agent that automates browser-based workflows using
LLMs and computer vision
Smart s200 Management Platform v.S200 - SQL Injection
runzero-match
service["http.body"] matches "(?i)Smart管理平台"Description
SQL Injection vulnerability in Baizhuo Network Smart s200 Management Platform v.S200 allows a local attacker to obtain sensitive information and escalate privileges via the /importexport.php component.
Impact
Authenticated attackers can extract sensitive database information via SQL injection in the importexport.php component.
Remediation
Update Smart s200 Management Platform to a version that addresses CVE-2024-27718.
SmartPing Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SmartPing Dashboard"})Description
SmartPing Dashboard panel was detected.
SmartSearchWP < 2.4.6 - OpenAI Key Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/smartsearchwp"Description
The plugin does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.
Impact
Unauthenticated attackers can retrieve and decode the OpenAI API key through an unsecured REST endpoint, potentially incurring API usage costs and data exposure.
Remediation
Update SmartSearchWP plugin to version 2.4.6 or later to address the API key disclosure vulnerability.
SmarterMail - Remote Code Execution
runzero-match
service["http.body"] matches "SmarterMail"Description
SmarterTools SmarterMail < build 9511 contains an unauthenticated remote code execution caused by malicious OS command execution via ConnectToHub API method, letting remote attackers execute arbitrary commands, exploit requires no authentication.
Impact
Remote attackers can execute arbitrary OS commands, potentially leading to full system compromise.
Remediation
Update to build 9511 or later.
SmarterMail Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SmarterMail"})Description
SmarterMail login panel was detected.
Smartstore <4.1.0 - Open Redirect
runzero-match
service["http.body"] matches "'content=\"Smartstore'"Description
Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Upgrade Smartstore to version 4.1.0 or later to fix the open redirect vulnerability.
Social Auto Poster <= 5.3.14 - Stored Cross-Site Scripting
runzero-match
service["product"] contains "WPWeb Infotech:Social Auto Poster"Description
Social Auto Poster plugin for WordPress versions up to 5.3.14 contains a stored cross-site scripting caused by insufficient sanitization and escaping of 'mapTypes' parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function, letting unauthenticated attackers inject and execute arbitrary scripts when users access affected pages.
Impact
Attackers can execute arbitrary scripts in users' browsers, potentially leading to session hijacking, defacement, or redirection.
Remediation
Update to the latest version of the plugin where the vulnerability is fixed.
SoftEther VPN Admin Console - Default Login
Author: bhutchAdded: May 14, 2024
runzero-match
any(each(service["html.titles"]), {# matches "SoftEther VPN Server"})Description
The administrative password for the SoftEther VPN Server is blank.
SoftEther VPN Panel - Detect
Author: bhutchAdded: Mar 20, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SoftEther VPN Server"})Description
SoftEther VPN panel was detected.
Solar-Log - Monitoring Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Solar-Log"})Description
Solar-Log is a solar plant monitoring system by Solare Datensysteme GmbH (Germany)
used for PV system monitoring, yield optimisation, and fault detection. The web
interface is commonly exposed on port 80, 81, or non-standard ports.
SolarEdge Monitoring - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^SolarEdge"})Description
SolarEdge Telematics monitoring panel has been detected.
SolarView 6.00 - Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-244067125"Description
SolarView Compact 6.00 is vulnerable to a command injection via network_test.php.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
Remediation
Apply the latest patch or upgrade to a non-vulnerable version of SolarView.
SolarView Compact 6.00 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)solarview compact" || service["favicon.ico.image.mmh3"] == "-244067125"Description
SolarView Compact 6.00 was discovered to contain a command injection vulnerability, attackers can execute commands by bypassing internal restrictions through downloader.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the system.
Remediation
Apply the latest patch or update provided by the vendor to fix the OS command injection vulnerability in SolarView Compact 6.00.
SolarView Compact 6.00 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)solarview compact"Description
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the system.
Remediation
Apply the latest patch or update provided by the vendor to fix the OS command injection vulnerability in SolarView Compact 6.00.
SolarView Compact <= 6.00 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)solarview compact"Description
There is an arbitrary read file vulnerability in SolarView Compact 6.00 and below, attackers can bypass authentication to read files through texteditor.php
Impact
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Upgrade to a patched version of SolarView Compact or apply the vendor-provided security patch to mitigate the LFI vulnerability.
SolarView Compact Panel - Detect
runzero-match
service["http.body"] matches "(?i)solarview compact" || service["favicon.ico.image.mmh3"] == "-244067125"Description
SolarView Compact panel was detected.
SolarWinds ARM (Access Rights Manager) - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1416464161"Description
SolarWinds ARM login panel was detected.
SolarWinds Orion API - Auth Bypass
runzero-match
service["product"] contains "SolarWinds:Orion"Description
SolarWinds Orion API is vulnerable to an authentication bypass vulnerability that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the SolarWinds Orion system.
Remediation
Apply the necessary patches or updates provided by SolarWinds to fix the authentication bypass vulnerability.
SolarWinds Orion Default Login
runzero-match
any(each(service["html.titles"]), {# matches "SolarWinds Orion"})Description
SolarWinds Orion default admin credentials were discovered.
SolarWinds Security Event Manager - Unauthenticated RCE
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SolarWinds Security Event Manager"})Description
The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.
Impact
Unauthenticated attackers on the adjacent network can execute arbitrary code remotely on the SolarWinds Security Event Manager, leading to complete system compromise and potential access to all security event data.
Remediation
Upgrade to SolarWinds Security Event Manager version 2023.4.1 or later.
SolarWinds Serv-U - Directory Traversal
runzero-match
service["http.body"] matches "(?i)Serv-U"Description
SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
Impact
Attackers can traverse directories and access sensitive files outside the intended directory structure.
Remediation
Update SolarWinds Serv-U to a version that patches the directory traversal vulnerability.
SolarWinds Web Help Desk - Authentication Bypass
runzero-match
service["product"] contains "SolarWinds:Web Help Desk"Description
SolarWinds Web Help Desk 12.8.8 HF1 and earlier contains an authentication bypass vulnerability in the WebObjects session handling. By crafting a request with a manipulated path component to an internal admin page endpoint, an unauthenticated attacker can access privileged administrative functions including authentication configuration settings, SAML/CAS setup, and API key management.
Impact
An attacker can bypass authentication and access administrative configuration pages, potentially leading to full system compromise through authentication method manipulation.
Remediation
Update to Web Help Desk version 2026.1 or later.
SolarWinds Web Help Desk - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1895809524"Description
SolarWinds Web Help Desk contains an authentication bypass vulnerability caused by improper access control, letting attackers execute protected actions without authentication, exploit requires no special conditions.
Impact
Attackers can execute protected actions without authentication, potentially compromising system integrity and data security.
Remediation
Update to the latest version of SolarWinds Web Help Desk.
SolarWinds Web Help Desk - Hardcoded Credential
runzero-match
service["favicon.ico.image.mmh3"] == "1895809524"Description
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
Impact
Attackers with knowledge of the hardcoded credentials can gain unauthorized access to the SolarWinds Web Help Desk system.
Remediation
Update SolarWinds Web Help Desk to a version that removes the hardcoded credentials.
SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization
runzero-match
service["product"] contains "SolarWinds:Web Help Desk"Description
SolarWinds Web Help Desk before version 12.8.3 contain a critical Java deserialization vulnerability that enables remote code execution. Attackers can exploit this flaw to execute arbitrary commands on the host machine. Initially reported as unauthenticated, SolarWinds was unable to reproduce without authentication but still recommended immediate patching. With a CVSS score of 9.8, this vulnerability was discovered by Inmarsat Government researchers and added to CISA's Known Exploited Vulnerabilities Catalog due to active exploitation in the wild. The complete attack vector requires low complexity and has high impact on confidentiality, integrity, and availability. This vulnerability was later bypassed, leading to CVE-2024-28988 and subsequently CVE-2025-26399. Fixed in version 12.8.3 Hotfix 1.
Impact
Attackers can execute arbitrary commands on the host machine, potentially leading to full system compromise.
Remediation
Apply the available patch provided by SolarWinds.
SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
runzero-match
service["product"] contains "SolarWinds:Web Help Desk"Description
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
Impact
Attackers can gain access to certain restricted functionality.
Remediation
Apply the available 12.8.8 Hotfix 1 (HF1) or upgrade to version 2026.1.
SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
runzero-match
service["favicon.ico.image.mmh3"] == "1895809524"Description
SolarWinds Web Help Desk before version 2026.1 contains an insecure deserialization vulnerability in the jabsorb JSON-RPC library. When chained with a CSRF whitelist bypass (CVE-2025-40536), remote unauthenticated attackers can exploit JNDI injection via the Apache Xalan JNDIConnectionPool class to achieve remote code execution. The bypass involves including "/ajax/" in a query parameter to circumvent URI validation, while switching from "/ajax/" to "/wo/" endpoints bypasses payload sanitization routines.
Impact
Remote attackers can execute arbitrary code on the host machine without authentication, potentially leading to full system compromise.
Remediation
Update SolarWinds Web Help Desk to version 2026.1 or later.
Solara <1.35.1 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-223126228"Description
A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.
Impact
Unauthenticated attackers can exploit LFI to read arbitrary files from the local filesystem.
Remediation
Update Solara to version 1.35.1 or later.
Somansa DLP Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)DLP system"Description
Somansa DLP login panel was detected.
Sonar Poller Login - Panel Detect
runzero-match
service["http.body"] matches "(?i)Sonar Poller"Description
Sonar Poller login/interface was discovered.
SonarQube Default Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "SonarQube"})Description
SonarQube contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nexus repository manager"})Description
Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade Sonatype Nexus Repository Manager to a version higher than 3.15.0.
Sonatype Nexus Repository Manager 3 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nexus repository manager"})Description
Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.
Impact
Unauthenticated attackers can read arbitrary system files via path traversal in Sonatype Nexus Repository.
Remediation
Update Sonatype Nexus Repository 3 to version 3.68.1 or later.
Sonatype Nexus Repository Manager 3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nexus repository manager"})Description
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Sonatype Nexus Repository Manager 3.
SonicWall Analyzer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sonicwall analyzer login"})Description
SonicWall Analyzer login panel was detected.
SonicWall Appliance Management Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)appliance management console login"})Description
SonicWall Appliance Management Console login panel was detected.
SonicWall GMS and Analytics - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1381126564"Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SonicWall GMS and Analytics allows an unauthenticated attacker to extract sensitive information from the application database. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
Remediation
Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
SonicWall GMS and Analytics Web Services - Shell Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1381126564"Description
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
Remediation
Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
SonicWall Network Security Login - Detect
Author: JustaAcatAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sonicwall network security login"})Description
SonicWall Network Security Login panel was detected.
SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution
runzero-match
service["product"] matches "(?i)sonicwall.sma.firmware"Description
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or crash the affected system.
Remediation
Apply the latest security patch or update provided by SonicWall to mitigate this vulnerability.
SonicWall SMA1000 LFI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Appliance Management Console Login"})Description
Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the affected device, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest security patches or firmware updates provided by SonicWall to mitigate this vulnerability.
Sonicwall - Pre-Authentication Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)SonicWall\" html:\"SMA"Description
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
Impact
Unauthenticated attackers can read arbitrary files from the SonicWall SMA100 filesystem including configuration files, logs, and sensitive data, potentially leading to further exploitation or complete system compromise.
Remediation
Upgrade to the latest patched version of SonicWall SMA100 or apply vendor-provided security updates.
Sonicwall NSM - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "SonicWall Network Security"})Description
Sonicwall NSM is susceptible to Log4j JNDI remote code execution. SonicWall Network Security Manager (NSM) allows you to centrally orchestrate all firewall operations error-free, see and manage threats and risks across your firewall ecosystem from one place, and stay connected and compliant.
Sophos Firewall <=18.5 MR3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sophos"})Description
Sophos Firewall version v18.5 MR3 and older contains an authentication bypass vulnerability in the User Portal and Webadmin which could allow a remote attacker to execute code.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete compromise of the firewall.
Remediation
Upgrade to a patched version of Sophos Firewall (>=18.5 MR4) to mitigate this vulnerability.
Sophos Firewall Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sophos"})Description
Sophos Firewall login panel was detected.
Sophos Mobile Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sophos mobile"}) || service["favicon.ico.image.mmh3"] == "-1274798165"Description
Sophos Mobile panel was detected.
Sophos Mobile managed on-premises - XML External Entity Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1274798165"Description
An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
Impact
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server or conduct server-side request forgery (SSRF) attacks.
Remediation
Apply the latest security patches or updates provided by Sophos to mitigate the vulnerability.
Sophos UTM Preauth - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "securepoint utm"})Description
Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
Impact
Successful exploitation of this vulnerability could lead to remote code execution, allowing attackers to take control of the affected system.
Remediation
Apply the latest security patches provided by Sophos to mitigate the vulnerability.
Sophos Web Appliance
Author: DhiyaneshDkAdded: Apr 27, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-893681401" || any(each(service["html.titles"]), {# matches "(?i)sophos web appliance"})Sophos Web Appliance - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Sophos Web Appliance"})Description
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches or updates provided by Sophos to mitigate this vulnerability.
Sound4 IMPACT/FIRST/PULSE/Eco <=2.x - Authentication Bypass
Author: r3Y3r53Added: Oct 17, 2023
runzero-match
service["http.body"] matches "(?i)SOUND4"Description
The application suffers from an SQL Injection vulnerability. Input passed through the 'password' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.
SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)spacelogic c-bus"Description
SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to remote command execution via improper neutralization of special elements. Remote root exploit can be enabled when the command is compromised, and an attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control without entering necessary credentials.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Upgrade SpaceLogic C-Bus Home Controller to a version higher than 1.31.460 to mitigate this vulnerability.
SpaceLogic C-Bus Home Panel - Detect
Author: ritikchaddhaAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)spacelogic c-bus"Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 - Unauthenticated Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/plugin/cleantalk-spam-protect/"Description
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.
Impact
Unauthenticated attackers can extract database contents via time-based blind SQL injection through User-Agent header manipulation, potentially exposing all WordPress user data.
Remediation
Fixed in 5.153.4
Speedtest Panel - Detection
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Speedtest Tracker"})Description
Speedtest panel was discovered
SphinxOnline Panel - Detect
Author: righettodAdded: Oct 3, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Connection - SphinxOnline"})Description
SphinxOnline Login Panel was detected.
SpiderFlow Crawler Platform - Remote Code Execution
runzero-match
service["product"] matches "(?i)SpiderFlow"Description
A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249510 is the identifier assigned to this vulnerability.
Impact
Unauthenticated attackers can inject and execute arbitrary code remotely on the Spider-Flow server, leading to complete system compromise and potential access to all crawled data.
Remediation
Upgrade to Spider-Flow version 0.5.0 or later that addresses this code injection vulnerability.
Splash Render - SSRF
runzero-match
any(each(service["html.titles"]), {# matches "Splash"})Description
Splash Render is vulnerable to Server-Side Request Forgery (SSRF) Vulnerability.
Splunk - Default Password
Author: pussycat0xAdded: Dec 1, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Splunk"})Description
Splunk Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
Splunk <=7.0.1 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - splunk"})Description
Splunk through 7.0.1 is susceptible to information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information.
Remediation
Upgrade Splunk to a version higher than 7.0.1 to mitigate the vulnerability.
Splunk Enterprise - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Login \\| Splunk"Description
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
Impact
Attackers can perform path traversal to access sensitive filesystem locations on Splunk Enterprise for Windows.
Remediation
Update Splunk Enterprise to version 9.2.2, 9.1.5, or 9.0.10 or later.
Splunk Enterprise - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Login - Splunk"})Description
Splunk Enterprise is susceptible to Log4j JNDI remote code execution. Splunk Enterprise enables you to search, analyze and visualize your data to quickly act on insights from across your technology landscape.
Splunk Enterprise Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - splunk"})Description
Splunk Enterprise login panel was detected.
Splunk MCP Server IDE Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "^Splunk MCP Server"})Description
Splunk MCP Server IDE login interface was discovered.
Splunk SOAR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Splunk SOAR"})Description
Splunk SOAR login panel was detected.
SpotWeb Login Panel - Detect
Author: theamanrawatAdded: Jun 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)spotweb - overview"})Spotweb <= 1.5.1 - Cross Site Scripting (Reflected)
runzero-match
any(each(service["html.titles"]), {# matches "(?i)spotweb - overview"})Description
There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remote attackers to inject arbitrary web script or HTML via the data[performredirect] parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, potentially leading to session hijacking, data theft, or other attacks.
Remediation
Fixed in version 1.5.2
Spring Cloud - Remote Code Execution
runzero-match
service["product"] matches "(?i)vmware.spring.cloud.function"Description
Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches provided by the Spring Cloud project to mitigate this vulnerability.
Spring Cloud Config Server - Local File Inclusion
runzero-match
service["favicon.ico.images.mmh3"] == "116323821"Description
Spring Cloud Config Server versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request using a specially crafted URL that can lead to a local file inclusion attack.
Impact
An attacker can exploit this vulnerability to read arbitrary files from the server, potentially leading to unauthorized access or sensitive information disclosure.
Remediation
Upgrade to a patched version of Spring Cloud Config Server or apply the recommended security patches.
Spring Cloud Gateway Code Injection
runzero-match
service["product"] matches "(?i)vmware.spring.cloud.gateway"Description
Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
Impact
Successful exploitation of this vulnerability could lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Apply the latest security patches provided by the vendor and ensure proper input validation to prevent code injection attacks.
Spring Cloud Netflix - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)vmware.spring.cloud.netflix"Description
Spring Cloud Netflix 2.2.x prior to 2.2.4, 2.1.x prior to 2.1.6, and older unsupported versions are susceptible to server-side request forgery. Applications can use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. An attacker can send a request to other servers and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
Impact
The vulnerability can result in unauthorized access to sensitive data or systems, leading to potential data breaches or further exploitation.
Remediation
Apply the latest security patches or updates provided by Spring Cloud Netflix to mitigate the vulnerability.
Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execution
runzero-match
service["product"] matches "(?i)vmware.spring.cloud.netflix"Description
Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade to Spring Cloud Netflix Hystrix Dashboard version 2.2.10 or later to mitigate this vulnerability.
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "eureka"})Description
Spring Data REST < 2.6.9 and 3.0.1, Spring Boot < 1.5.9 and 2.0 M6 contain a remote code execution caused by processing malicious PATCH requests with crafted JSON data, letting attackers execute arbitrary Java code, exploit requires sending malicious PATCH requests.
Impact
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
Remediation
To remediate this vulnerability, update to Spring Data REST version 2.6.9 or later, or 3.0.1 or later, and Spring Boot version 1.5.9 or later, or 2.0 M6 or later.
SqWebMail Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SqWebMail"})Description
SqWebMail login panel was detected.
Squid End-of-Life - Detect
Author: Shivam KambojAdded: Mar 5, 2026
runzero-match
service["product"] contains "Squid Cache:Squid"Description
Detected Squid proxy versions that have reached End-of-Life (EOL) and no longer receive security updates.
Squid Proxy - HTTP Authentication Credentials Disclosure
runzero-match
service["http.head.server"] matches `(?i)squid/`Description
Squid versions prior to 7.2 fail to redact HTTP authentication credentials in error page responses. The Authorization header value is embedded in plain text inside the mailto: diagnostic block when Squid generates an error page (e.g. ERR_DNS_FAIL).
Impact
Attackers can extract tokens and credentials used by trusted clients or backend applications proxied through Squid.
Remediation
Update to the version 7.2+ or disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
Squidex Headless CMS Panel - Detect
Author: johnk3rAdded: Feb 13, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1099097618"Description
Squidex is an open source headless CMS and content management hub.
SquirrelMail 1.2.11 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1511806001" || any([service["http.body"], service["last.http.body"]], {# matches "(?i)squirrelmail"})Description
SquirrelMail 1.2.11 is vulnerable to local file inclusion.
SquirrelMail 1.2.6/1.2.7 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1511806001" || any([service["http.body"], service["last.http.body"]], {# matches "(?i)squirrelmail"})Description
The Virtual Keyboard plugin for SquirrelMail 1.2.6/1.2.7 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.
Remediation
Upgrade to a patched version of SquirrelMail or apply the necessary security patches to mitigate the XSS vulnerability.
SquirrelMail Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1511806001" || any([service["http.body"], service["last.http.body"]], {# matches "(?i)squirrelmail"})Description
SquirrelMail login panel was detected.
Squirrelmail <=1.4.6 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1511806001" || any([service["http.body"], service["last.http.body"]], {# matches "(?i)squirrelmail"})Description
SquirrelMail 1.4.6 and earlier versions are susceptible to a PHP local file inclusion vulnerability in functions/plugin.php if register_globals is enabled and magic_quotes_gpc is disabled. This allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Upgrade Squirrelmail to a version higher than 1.4.6 or apply the necessary patches to fix the LFI vulnerability.
Stable Diffusion Webui 1.10.0 - Open Redirect
Author: DhiyaneshDKAdded: Jan 22, 2025
runzero-match
service["http.body"] matches "stable-diffusion-webui"Description
An open redirect vulnerability exists in Stable-Diffusion-Webui 1.10.0, where the file parameter in the /file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs.
Impact
Unauthenticated attackers can redirect users to malicious URLs via the file parameter, facilitating phishing attacks and credential theft.
Remediation
Update Stable Diffusion Webui to a version newer than 1.10.0.
Stackposts Social Marketing Tool v1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)stackposts"Description
SQL Injection is a type of SQL injection attack in which an attacker can exploit a vulnerability in a web application's input fields to manipulate the application's SQL queries.
Star Micronics Network Utility Panel - Detect
runzero-match
service["http.body"] matches "(?i)Network Utility"Description
Star Micronics Network Utility panel was detected.
Stash < 0.26.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>Stash</title>"Description
Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.
Impact
Attackers can execute arbitrary SQL queries via the sort parameter, potentially extracting sensitive database information.
Remediation
Update Stash to version 0.26.0 or later.
SteVe Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "SteVe - Steckdosenverwaltung"})Description
SteVe login panel was detected.
SteVe Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SteVe - Steckdosenverwaltung"})Description
SteVe login panel was detected.
Stirling PDF Panel - Detect
Author: s4e-ioAdded: Jan 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)StirlingPDF"})Description
Stirling PDF panel was discovered.
Stirling-PDF < 1.1.0 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "Stirling PDF"})Description
Stirling-PDF < 1.1.0 contains a server side request forgery caused by bypassing the sanitizer in the /api/v1/convert/html/pdf endpoint when processing HTML to PDF conversion, letting attackers perform SSRF, exploit requires local access.
Impact
Attackers can perform SSRF to access internal resources or services, potentially leading to information disclosure or further attacks.
Remediation
Upgrade to version 1.1.0 or later.
Stirling-PDF SSRF via Markdown
runzero-match
any(each(service["html.titles"]), {# matches "Stirling PDF"})Description
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the /api/v1/convert/markdown/pdf endpoint to convert Markdown to PDF, the backend calls a third-party tool to process it and includes a sanitizer for security sanitization which can be bypassed and result in SSRF.
Impact
Unauthenticated attackers can force the server to make requests to arbitrary URLs through malicious Markdown image tags, potentially exposing internal services and credentials.
Remediation
This issue has been patched in version 1.1.0.
Stock Ticker <= 3.23.2 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/stock-ticker/"Description
The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Impact
Unauthenticated attackers can inject malicious JavaScript through the class parameter in the ajax_stockticker_load function to execute attacks when users interact with malicious links.
Remediation
Fixed in version 3.23.3
Stop User Enumeration WordPress plugin - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/stop-user-enumeration/"Description
Stop User Enumeration WordPress plugin < 1.7.3 contains an authentication bypass caused by URL-encoding the REST API path /wp-json/wp/v2/users/, letting attackers bypass user enumeration restrictions, exploit requires crafted URL encoding.
Impact
Attackers can bypass user enumeration protection through URL-encoding manipulation, potentially facilitating brute force attacks against user accounts.
Remediation
Upgrade Stop User Enumeration WordPress plugin to version 1.7.3 or later that properly handles URL-encoded REST API paths.
Storybook Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)storybook"})Description
Storybook panel was detected.
Strapi Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)strapi"})Description
Strapi login panel was detected.
Strider CD Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "115295460"Description
Strider CD panel was detected.
Structurizr - Default Login
Author: DhiyaneshDKAdded: Nov 20, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1199592666"Description
Structurizr contains default credentials.
Structurizr Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1199592666"Description
Structurizr login panel was detected.
Submitty <= 20.04.01 - Open Redirect
runzero-match
service["product"] matches "(?i)rcos.submitty"Description
Submitty through 20.04.01 contains an open redirect vulnerability via authentication/login?old= during an invalid login attempt. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Upgrade to Submitty version 20.04.01 or later to fix the open redirect vulnerability.
Subscribe to Category <= 2.7.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/subscribe-to-category/"Description
The Subscribe to Category contains a sql_injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
Remediation
Update to the latest version beyond 2.7.4 or apply security patches that neutralize special elements in SQL queries.
SugarCRM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sugarcrm"}) || service["http.body"] matches "(?i)sugarcrm inc\\. all rights reserved"Description
SugarCRM login panel was detected.
SuiteCRM - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SuiteCRM"})Description
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Impact
Unauthenticated attackers can execute time-based SQL injection to extract sensitive CRM data.
Remediation
Update SuiteCRM to version 7.14.4 or 8.6.1 or later.
SuiteCRM Unauthenticated Graphql Introspection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)suitecrm"})Description
Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.
Impact
An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash.
Remediation
Update to version 8.4.2.
Sunbird DCIM - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "781922099"Description
Sunbird DCIM login panel was detected.
Sunhillo SureLine <8.7.0.1.1 - Unauthenticated OS Command Injection
runzero-match
service["product"] matches "(?i)sunhillo.sureline"Description
Sunhillo SureLine <8.7.0.1.1 is vulnerable to OS command injection. The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Upgrade to Sunhillo SureLine version 8.7.0.1.1 or later to mitigate this vulnerability.
Supabase Studio Panel - Detect
Author: ChrisJr404Added: May 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Supabase Studio"})Description
Supabase Studio login panel was detected. The admin dashboard shipped with Supabase, the popular open-source Firebase alternative (Postgres + auth + realtime + storage + edge functions).
SuperAGI Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "-2056571568"Description
SuperAGI panel was detected. SuperAGI was an open-source autonomous AI agent platform that enables building, managing, and running AI agents. Exposed instances may allow unauthorized access to agent configurations and execution environments.
SuperAdmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Superadmin UI - 4myhealth"})Description
SuperAdmin login panel was detected.
SuperWebMailer 9.00.0.01710 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SuperWebMailer"})Description
An issue was discovered in SuperWebMailer 9.00.0.01710 allowing XSS via crafted incorrect passwords.
Impact
Successful exploitation could lead to unauthorized access or data theft.
Remediation
Implement input validation and output encoding to prevent XSS attacks.
SuperWebmailer 7.21.0.01526 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)superwebmailer"})Description
SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to the latest version of SuperWebmailer to mitigate this vulnerability.
Supermicro BMC Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Supermicro BMC Login"})Description
Supermicro BMC login panel was detected.
Supermicro Ipmi - Default Admin Login
Author: For3stCo1dAdded: Apr 27, 2023
runzero-match
any(each(service["html.bodies"]), {# matches "/cgi/login.cgi"})Description
Supermicro Ipmi default admin login credentials were successful.
Supershell - Default Login
Author: SleepingBag945Added: Aug 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)supershell"})Description
Supershell is a WEB management platform that integrates the reverse_ssh service.
Supertokens Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)<title>SuperTokens "Description
A Supertokens login panel was detected.
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/supportcandy/"Description
The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue
Impact
Attackers can inject malicious JavaScript via reflected XSS in pages with wpsc_create_ticket shortcode, potentially stealing user session cookies or manipulating support ticket data.
Remediation
Fixed in 2.2.7
Suprema BioStar 2 Panel - Detect
Author: ritikchaddhaAdded: Apr 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Biostar"})SwarmUI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "SwarmUI"})Description
SwarmUI (formerly StableSwarmUI) is a modular Stable Diffusion web interface built on ASP.NET Core.
It provides a feature-rich UI for AI image generation
Swift Performance Lite < 2.3.7.2 - Local PHP File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/swift-performance-lite"Description
A vulnerability in Swift Performance Lite before version 2.3.7.2 allows unauthenticated attackers to perform local PHP file inclusion via the 'ajaxify' parameter. This can lead to arbitrary code execution on the server.
Impact
Unauthenticated attackers can perform local PHP file inclusion via the ajaxify parameter to execute arbitrary code, potentially compromising the entire WordPress site.
Remediation
Update Swift Performance Lite plugin to version 2.3.7.2 or later.
Syfadis Xperience Login Panel - Detect
Author: righettodAdded: Apr 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Syfadis Xperience"})Description
Syfadis Xperience login panel was detected.
Symantec Data Loss Prevention Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)symantec data loss prevention"})Description
Symantec Data Loss Prevention login panel was detected.
Symantec Encryption Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Symantec Encryption Server"})Description
Symantec Encryption Server login panel was detected.
Symantec Endpoint Protection Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)symantec endpoint protection manager"})Description
Symantec Endpoint Protection Manager login panel was detected.
Symantec PGP Global Directory Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PGP Global Directory"})Description
Symantec PGP Global Directory panel was detected.
Symantec SEPM - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "Symantec Endpoint Protection Manager"})Description
Symantec SPEM is susceptible to Log4j JNDI remote code execution.
Symfony Lock File - Exposure
Author: ritikchaddhaAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)symfony\\.lock"Description
symfony.lock was found accessible, exposing a full list of installed Composer packages, library versions, and metadata for a Symfony-based PHP application. Disclosure of this file can provide insight into the application's attack surface, potentially revealing vulnerable or outdated dependencies and aiding an attacker in choosing their exploit strategy.
Impact
Attackers can enumerate all installed Composer packages and versions, increasing the risk of targeted attacks (e.g., against known CVEs in dependencies) or application fingerprinting.
Remediation
Restrict direct access to internal and sensitive files such as symfony.lock via proper web server configuration (e.g., .htaccess, nginx directives) and consider excluding such files from the web root in deployment.
Symfony Profiler - Remote Access via Injected Arguments
runzero-match
service["http.body"] matches "(?i)<div id=\\\\"Description
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes.
Impact
Attackers can exploit vulnerabilities to compromise the system.
Remediation
Update to the latest patched version addressing CVE-2024-50340.
Symmetricom SyncServer Panel - Detect
Author: DhiyaneshDkAdded: Jun 22, 2023
runzero-match
service["http.body"] matches "(?i)symmetricom syncserver"Symmetricom SyncServer Unauthenticated - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)Symmetricom SyncServer"Description
Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected device.
Remediation
Apply the latest security patches or firmware updates provided by the vendor to mitigate this vulnerability.
Sympa version =>6.2.16 - Cross-Site Scripting
runzero-match
service["http.body"] matches "sympa"Description
Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade to a patched version of Sympa (>=6.2.17) or apply the necessary security patches provided by the vendor.
Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"}) || any(each(service["html.titles"]), {# matches "(?i)zimbra web client sign in"}) || service["favicon.ico.image.mmh3"] == "1624375939"Description
Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML external entity injection (XXE) vulnerability via the mailboxd component.
Impact
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, leading to unauthorized access to sensitive information.
Remediation
Upgrade to the latest version of Synacor Zimbra Collaboration (8.7.11p10 or higher) to mitigate this vulnerability.
Synapse Mobility Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Synapse Mobility Login"})Description
Synapse Mobility login panel was detected.
SyncThru Web Service Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)syncthru web service"})Description
SyncThru Web Service panel was detected.
Synology DSM System Info - Detect
Author: DhiyaneshDkAdded: Mar 17, 2026
runzero-match
asset["hw_vendor"] == "Synology" && asset["type"] == "NAS"Description
Detected the disclosure of Synology DiskStation Manager (DSM) system information via the SYNO.API.Info endpoint, identifying all available APIs, versions, and installed packages returned without authentication.
Synopsys Coverity Panel
Author: idealphaseAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Coverity"})Description
Coverity® is a fast, accurate, and highly scalable static analysis (SAST) solution that helps development and security teams address security and quality defects early in the software development life cycle (SDLC), track and manage risks across the application portfolio, and ensure compliance with security and coding standards.
Synway SMG Gateway 9-2radius.php - Remote Command Execution
Author: ChenkhAdded: Apr 8, 2026
runzero-match
service["http.body"] matches "(?i)text ml10 mr20" && any(each(service["html.titles"]), {# matches "(?i)(Gateway Management|网关管理软件)"})Description
Synway SMG Gateway Management Software contains a remote command execution vulnerability in 9-2radius.php, where the radius_address parameter is passed to a system() call without sanitization. This allows unauthenticated attackers to execute arbitrary commands on the server.
SysAid Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1540720428"Description
Detects the presence of a SysAid Help Desk Software login panel by identifying characteristic login pages, favicon hash, and system-specific content.
SysAid On-Prem <= 23.3.40 - XML External Entity
runzero-match
service["favicon.ico.image.mmh3"] == "1540720428"Description
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
Impact
Unauthenticated attackers can exploit XXE vulnerabilities in the Checkin endpoint to read arbitrary files, potentially leading to administrator account takeover and complete system compromise.
Remediation
Upgrade to SysAid On-Prem version 24.40.60 or later that properly disables external entity processing.
SysAid On-Prem <= 23.3.40 - XML External Entity
runzero-match
service["favicon.ico.image.mmh3"] == "1540720428"Description
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
Impact
Unauthenticated attackers can exploit XXE vulnerabilities in the lshw endpoint to read arbitrary files, potentially leading to administrator account takeover and complete system compromise.
Remediation
Upgrade to SysAid On-Prem version 24.40.60 or later that properly disables external entity processing.
SysAid On-Prem <= 23.3.40 - XML External Entity
runzero-match
service["favicon.ico.image.mmh3"] == "1540720428"Description
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
Impact
Unauthenticated attackers can exploit XXE vulnerabilities in the Server URL endpoint to read arbitrary files, potentially leading to administrator account takeover and complete system compromise.
Remediation
Upgrade to SysAid On-Prem version 24.40.60 or later that properly disables external entity processing.
T-Up OpenFrame
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "824580113"TIBCO JasperReports Library - Directory Traversal
runzero-match
service["http.body"] matches "(?i)jasperserver-pro"Description
The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system.
Impact
An attacker can access sensitive files, potentially leading to unauthorized disclosure of sensitive information.
Remediation
Apply the latest security patches or upgrade to a patched version of TIBCO JasperReports Library.
TIBCO Jaspersoft Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jaspersoft"})Description
TIBCO Jaspersoft login panel was detected.
TIBCO Managed File Transfer - Panel
Author: Th3l0newolfAdded: Apr 2, 2025
runzero-match
service["http.body"] matches "(?i)TIBCO Managed"Description
TIBCO Managed File Transfer Login Panel was discovered.
TITool PrintMonitor - Blind SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)printmonitor"})Description
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
Impact
Unauthenticated attackers can execute time-based blind SQL injection to extract database contents, potentially compromising user credentials and sensitive printing data.
Remediation
Upgrade to PM18.2.1.
TOTOLINK A3002RU 1.0.8 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
TOTOLINK A3002RU firmware version 1.0.8 contains a vulnerability in which an unauthenticated attacker can obtain the plaintext admin password by making a GET request for `password.htm`. This allows remote attackers to gain administrative access without credentials.
Impact
Unauthenticated attackers can obtain the plaintext administrator password without any authentication, leading to complete device compromise.
Remediation
Update to the latest firmware version that addresses this vulnerability.
TOTOLINK A3700R - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
An issue in TOTOLINK A3700R v.9.1.2u.6165_20211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function.
Impact
Unauthenticated attackers can execute arbitrary commands on the router, potentially gaining full device control and compromising network security.
Remediation
Update TOTOLINK A3700R firmware to a version newer than 9.1.2u.6165_20211012.
TOTOLINK CP450 v4.1.0cu.747_B20191224 - Hard-Coded Password Vulnerability
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
A critical vulnerability has been discovered in TOTOLINK CP450 version 4.1.0cu.747_B20191224. This vulnerability affects an unknown part of the file /web_cste/cgi-bin/product.ini of the Telnet Service component. The issue stems from the use of a hard-coded password, which can be exploited remotely without any user interaction.
Impact
Unauthenticated attackers can retrieve hard-coded credentials from the accessible product.ini file, enabling complete device compromise through Telnet service access with administrative privileges.
Remediation
Contact TOTOLINK for security updates addressing the hard-coded password vulnerability in CP450 firmware version 4.1.0cu.747_B20191224, or implement network segmentation to restrict access.
TOTOLINK CX-A3002RU - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)TOTOLINK"Description
An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component.
Impact
Attackers can exploit this vulnerability to compromise system security and integrity.
Remediation
Apply the latest security patches and updates to address this vulnerability.
TOTOLINK EX1200T 4.1.2cu.5215 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
TOTOLINK EX1200T 4.1.2cu.5215 is susceptible to authentication bypass. An attacker can bypass login by sending a specific request through formLoginAuth.htm, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the device, potentially leading to further compromise of the network.
Remediation
Apply the latest firmware update provided by TOTOLINK to fix the authentication bypass vulnerability.
TOTOLINK EX1800T TOTOLINK EX1800T - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges.
Impact
Unauthenticated attackers can execute arbitrary commands via the apcliEncrypType parameter, gaining device administrator privileges.
Remediation
Update TOTOLINK EX1800T firmware to a version that patches the command injection vulnerability.
TOTOLINK N150RT - Password Exposure
Author: ritikchaddhaAdded: Jun 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
Detects password exposure vulnerability in TOTOLINK N150RT router where sensitive credentials are exposed in the password.htm page.
TOTOLINK Realtek SD Routers - Remote Command Injection
runzero-match
service["product"] matches "(?i)totolink.a3002ru.firmware"Description
TOTOLINK Realtek SDK based routers may allow an authenticated attacker to execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.
Remediation
Apply the latest firmware update provided by the vendor to fix the vulnerability.
TOTOLINK/Realtek Routers - CAPTCHA Bypass
runzero-match
service["http.body"] matches "(?i)TOTOLINK"Description
On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via a POST request to the boafrm/formLogin URI with the JSON payload {"topicurl":"setting/getSanvas"}. This allows an unauthenticated attacker to bypass CAPTCHA verification, gaining unauthorized access to restricted functions. Once valid credentials are known or brute-forced, an attacker can fully control the device using HTTP requests and Basic Authentication. Affected router models include A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-derived devices.
Impact
Unauthenticated attackers can bypass CAPTCHA verification to brute-force credentials and gain unauthorized administrative access, leading to complete device control and potential network compromise.
Remediation
Upgrade to firmware versions beyond those listed as vulnerable, or replace affected devices with patched alternatives.
TOTOLINK/Realtek Routers - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
A certain router administration interface using Realtek APMIB (e.g., on TOTOLINK models) allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-based devices.
Impact
Unauthenticated attackers can retrieve the entire router configuration including Wi-Fi passwords, admin credentials, and network settings, enabling complete network takeover.
Remediation
Upgrade to firmware versions beyond those listed as vulnerable, or replace affected devices with patched alternatives.
TOTOLINK/Realtek Routers - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
A certain router administration interface using Realtek APMIB (e.g., on TOTOLINK models) allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-based devices.
Impact
Unauthenticated attackers can retrieve the entire router configuration including Wi-Fi passwords, admin credentials, and network settings, enabling complete network takeover.
Remediation
Upgrade to firmware versions beyond those listed as vulnerable, or replace affected devices with patched alternatives.
TOTOLink Router - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TOTOLINK"})Description
TOTOLink routers are vulnerable to unauthenticated remote command execution via the /boaform/formWsc endpoint. An attacker can inject OS commands through the localPin parameter.
TP-LINK - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tp-link"})Description
TP-LINK is susceptible to local file inclusion in these products: Archer C5 (1.2) with firmware before 150317, Archer C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310. Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed.
Impact
An attacker can read sensitive files on the TP-LINK router, potentially leading to unauthorized access or disclosure of sensitive information.
Remediation
Apply the latest firmware update provided by TP-LINK to fix the local file inclusion vulnerability.
TP-LINK WR840N v6 up to 0.9.1 4.16 - Improper Authentication
runzero-match
service["http.body"] matches "(?i)WR840N"Description
A vulnerability in the TP-Link WR840N v6 router with firmware version 0.9.1 4.16 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory.When adding Referer- http-//tplinkwifi.net to the the request, it will be recognized as passing the authentication.
Impact
Unauthenticated attackers can bypass authentication by adding a specific Referer header, gaining unauthorized access to router administrative interfaces.
Remediation
Update TP-Link WR840N v6 router to firmware version later than 0.9.1 4.16 that addresses the authentication bypass vulnerability.
TP-Link - OS Command Injection
runzero-match
service["product"] matches "(?i)tp.link.tl.wr840n"Description
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.
Remediation
Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109".
TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TP-Link Router"})Description
TP-Link Archer AX21 (AX1800) routers are vulnerable to unauthenticated OS command injection via the country parameter in the locale endpoint. This allows remote attackers to execute arbitrary commands as root.
Impact
Unauthenticated attackers can exploit OS command injection through the country parameter in the locale endpoint to execute arbitrary commands as root and completely compromise TP-Link Archer AX21 routers.
Remediation
Update to the latest firmware version provided by TP-Link.
TP-Link Archer C20 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Archer C20"Description
A vulnerability in the TP-Link Archer C20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass authentication on interfaces under the /cgi directory. When adding a Referer header with value "http://tplinkwifi.net" to requests, the router will recognize the request as passing authentication, allowing access to protected administration interfaces.
Impact
Unauthenticated attackers can bypass authentication by adding a specific Referer header, gaining unauthorized access to protected administration interfaces and router configuration.
Remediation
Update TP-Link Archer C20 router to firmware version later than V6.6_230412 that addresses the authentication bypass vulnerability.
TP-Link Wireless N Router WR940N - Default-Login
Author: ritikchaddhaAdded: Sep 23, 2024
runzero-match
service["http.body"] matches "/userRpm/"TRENDnet TEW-827DRU Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)tew-827dru"Description
TRENDnet TEW-827DRU login panel was detected.
TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal
runzero-match
service["http.body"] matches "(?i)TRUfusion"Description
TRUfusion Enterprise versions 7.10.4.0 and earlier contained a vulnerability that allowed unauthenticated access to the Internal Admin Contact Page, resulting in the disclosure of PII (including partner and contact names).
Impact
Unauthenticated attackers can access the Internal Admin Contact Page, exposing personally identifiable information including partner and contact names without any authorization.
Remediation
Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0, 7.9.4.0, 7.9.3.1, 7.9.3.0, 7.9.2.1, 7.10.2.0, or 7.10.0.1.
TRUfusion Enterprise <= 7.10.4.0 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)TRUfusion"Description
Hard-Coded Cryptographic key allowing to forge session cookies that can be used to entirely bypass authentication
Impact
Attackers can forge session cookies using hard-coded cryptographic keys to completely bypass authentication, gaining unauthorized access to the system with arbitrary user privileges.
Remediation
Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0, 7.9.4.0, 7.9.3.1, 7.9.3.0, 7.9.2.1, 7.10.2.0, or 7.10.0.1.
TRUfusion Enterprise <= 7.10.4.0 - Path Traversal
runzero-match
service["http.body"] matches "(?i)TRUfusion"Description
Pre-Auth Path Traversal Allowing to Leak Local server files disclosing sensitive clear-text passwords.
Impact
Unauthenticated attackers can exploit path traversal to read arbitrary files from the server, potentially exposing sensitive clear-text passwords, configuration files, and other confidential data.
Remediation
Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0, 7.9.4.0, 7.9.3.1, 7.9.3.0, 7.9.2.1, 7.10.2.0, or 7.10.0.1.
TVT NVMS 1000 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)^NVMS-1000" })Description
TVT NVMS-1000 devices allow GET /.. local file inclusion attacks.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the system.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the local file inclusion vulnerability in TVT NVMS 1000 software.
TYPO3 ceselector Extension - Insecure Deserialization
runzero-match
service["http.body"] matches `(?i)content\s*=\s*"TYPO3 CMS"`Description
TYPO3 extension contains a PHP Object Injection caused by passing attacker-controlled cookie to unserialize() without validation, letting remote unauthenticated attackers achieve remote code execution, exploit requires Persistent Mode: Static configuration.
Impact
Remote unauthenticated attackers can execute arbitrary code on the TYPO3 server, leading to full system compromise.
Remediation
Update to the latest version of TYPO3 with the vulnerability fixed or apply patches that validate and sanitize unserialize input.
Tabby Panel - Detect
Author: s4e-ioAdded: Jan 14, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tabby"})Description
Tabby panel was discovered.
Tableau Services Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - tableau services manager"})Description
Tableau Services Manager login panel was detected.
Tactical RMM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tactical RMM - Login"})Description
Tactical RMM login panel was detected.
Tailon Panel - Detect
Author: ritikchaddhaAdded: Dec 3, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tailon"})TamronOS IPTV/VOD - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TamronOS IPTV系统"})Description
TamronOS IPTV/VOD contains a remote command execution in the 'host' parameter of the /api/ping endpoint.
TaskingAI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "TaskingAI \\| Console"})Description
TaskingAI is an open-source platform for building and deploying LLM-based agents
and AI applications with a unified API
Tattile Camera < 1.181.5 - Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "2030104257" || service["http.body"] matches "(?i)Tattile camera manager"Description
Tattile Smart+, Vega, and Basic device families firmware <= 1.181.5 contain a broken authentication caused by default credentials not forced to be changed, letting attackers with management interface access gain administrative privileges.
Impact
Attackers can gain administrative access to device configuration and data, leading to unauthorized control and data exposure.
Remediation
Update firmware to a version later than 1.181.5 or the latest available version.
Tautulli Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tautulli"}) || any(each(service["html.titles"]), {# matches "(?i)tautulli - home"})Description
A Python based monitoring and tracking tool for Plex Media Server.
Tautulli Panel - Unauthenticated Access
Author: ritikchaddhaAdded: Nov 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tautulli - home"}) || any(each(service["html.titles"]), {# matches "(?i)tautulli"})TeamCity < 2023.11.4 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)teamcity"})Description
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
Impact
Unauthenticated attackers can bypass authentication to perform administrative actions on TeamCity servers, potentially compromising build pipelines and source code.
Remediation
Update JetBrains TeamCity to version 2023.11.4 or later.
TeamCity Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)teamcity"})Description
TeamCity login panel was detected.
TeamForge Panel - Detection
Author: lstatroAdded: May 7, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TeamForge :"})Description
TeamForge Login Panel was discovered.
TeamPass 2.1.27.36 - Improper Authentication
runzero-match
service["http.body"] matches "(?i)teampass"Description
TeamPass 2.1.27.36 is susceptible to improper authentication. An attacker can retrieve files from the TeamPass web root, which may include backups or LDAP debug files, and therefore possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can bypass authentication and gain unauthorized access to sensitive information.
Remediation
Upgrade to a patched version of TeamPass or apply the recommended security patches.
TeamPass Panel - Detect
runzero-match
service["http.body"] matches "(?i)teampass"Description
TeamPass panel was detected.
Tekton Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tekton"})Description
Tekton Dashboard panel was detected.
Telaen => v1.3.1 - Open Redirect
runzero-match
service["product"] matches "(?i)telaen"Description
Open Redirection Vulnerability in the redir.php script in Telaen before 1.3.1 allows remote attackers to redirect victims to arbitrary websites via a crafted URL.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Upgrade to the latest version of Telaen to fix the open redirect vulnerability.
Telecontrol Server Basic Panel - Detect
Author: KazgangapAdded: Oct 15, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Logon - Telecontrol Server Basic"})Description
Telecontrol Server Basic panel was discovered.
Teleport - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1275955539" || service["favicon.ico.image.mmh3"] == "544208100" || service["favicon.ico.image.mmh3"] == "1854879765"Description
Teleport versions prior to 17.5.2 are vulnerable to a remote authentication bypass vulnerability. This issue allows attackers to gain unauthorized access to affected systems.
Impact
Attackers can bypass authentication mechanisms to gain unauthorized access to Teleport systems, potentially compromising protected infrastructure and sensitive resources.
Remediation
Upgrade Teleport to version 17.5.2, 16.5.12, 15.5.3, 14.4.1, 13.4.27, or 12.4.35 depending on your version branch.
Teleport Login Panel - Detect
Author: pdteam,mahmoud0x00Added: Jun 17, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "544208100" || service["favicon.ico.image.mmh3"] == "1854879765" || service["favicon.ico.image.mmh3"] == "-1275955539"Description
Detects Teleport web login interface exposed at /web/login and version information from /webapi/ping
Telerik Report Server Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Telerik Report Server"Description
Telerik Report Server login panel was detected.
Telesquare TLR-2005KSH - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login to TLR-2005KSH"})Description
Telesquare Tlr-2005Ksh is a Sk Telecom Lte router from South Korea's Telesquare company.Telesquare TLR-2005Ksh versions 1.0.0 and 1.1.4 have an unauthorized remote command execution vulnerability. An attacker can exploit this vulnerability to execute system commands without authorization through the Cmd parameter and obtain server permissions.
Impact
Attackers can execute arbitrary commands on the router, leading to complete device compromise.
Remediation
Update Telesquare TLR-2005KSH firmware to a version that patches the RCE vulnerability.
Telesquare TLR-2005KSH Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)tlr-2005ksh"Description
Telesquare TLR-2005KSH login panel was detected.
TemboSocial Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TemboSocial Administration"})Description
TemboSocial Admin panel was detected.
Temenos Transact Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)t24 sign in"})Description
Temenos Transact login panel was detected.
Tenable Nessus Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nessus"})Description
Tenable Nessus panel was detected.
Tenda 11N - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tenda 11n"})Description
Tenda 11N with firmware version V5.07.33_cn contains an authentication bypass vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Unauthenticated attackers can bypass authentication by setting an admin cookie to gain full administrative access to Tenda 11N routers, enabling complete device configuration changes and network compromise.
Remediation
Apply the latest firmware update provided by Tenda to fix the authentication bypass vulnerability (CVE-2022-42233).
Tenda 11n Wireless Router - Admin Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tenda 11N Wireless Router Login Screen"})Description
The administrative panel for a Tenda Technology 11n Wireless Router was found.
Tenda AC15 AC1900 version 15.03.05.19 - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "tenda wifi"})Description
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to access or modify database contents, potentially compromising the entire Tenda router and network configuration.
Remediation
Upgrade to a patched firmware version or replace the affected device.
Tenda Router AC11 - Remote Command Injection
runzero-match
service["product"] matches "(?i)tenda.ac11.firmware"Description
Tenda Router AC11 is susceptible to remote command injection vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data exfiltration, and complete compromise of the affected router.
Remediation
Apply the latest firmware update provided by Tenda to fix the remote command injection vulnerability (CVE-2021-31755).
Tenda Web Master Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tenda Web Master"})Description
Tenda Web Master login panel was detected.
Tenemos T24 Login Panel - Detect
Author: righettodAdded: Feb 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)T24 Sign in"})Description
Tenemos T24 products was detected.
TensorBoard Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "TensorBoard"})Description
TensorBoard is TensorFlow's visualization toolkit for machine learning experimentation
Teradek Cube Administrative Console - Panel
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Teradek Cube Administrative Console"})TerraMaster TOS - Unauthenticated Remote Command Execution
runzero-match
service["product"] matches "(?i)terra.master.tos"Description
TerraMaster TOS <= 4.2.06 is susceptible to a remote code execution vulnerability which could allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php via the Event parameter.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Apply the latest security patch or update provided by TerraMaster to fix the vulnerability.
TerraMaster TOS < 4.2.30 Server Information Disclosure
runzero-match
service["http.body"] matches "(?i)terramaster"Description
TerraMaster NAS devices running TOS prior to version 4.2.30 are vulnerable to information disclosure.
Impact
An attacker can exploit this vulnerability to gain sensitive information about the server, potentially leading to further attacks.
Remediation
Upgrade the TerraMaster TOS server to version 4.2.30 or later to mitigate the vulnerability.
Terraform Enterprise Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)terraform enterprise"})Description
Terraform Enterprise panel was detected.
The Events Calendar < 6.4.0.1 - Cross-site Scripting
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/the-events-calendar/"Description
The Events Calendar WordPress plugin < 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction.
Impact
Attackers can execute arbitrary scripts in the context of the affected site, leading to potential session hijacking or defacement.
Remediation
Update to version 6.4.0.1 or later.
The Events Calendar <= 6.15.2 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/the-events-calendar/"Description
The Events Calendar WordPress plugin <= 6.15.2 contains an information disclosure vulnerability caused by REST endpoint exposure, letting unauthenticated attackers extract data about password-protected vendors or venues, exploit requires no authentication.
Impact
Unauthenticated attackers can access sensitive information about password-protected vendors or venues.
Remediation
Update to the latest version beyond 6.15.2
The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/the-plus-addons-for-elementor-page-builder/"Description
The Plus Addons for Elementor plugin (before version 4.1.7) allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive.
Impact
Unauthenticated attackers can bypass authentication, gain administrator access, and create elevated privilege accounts even when registration is disabled, leading to complete WordPress site takeover.
Remediation
Fixed in 4.1.7
ThemeGrill Demo Importer < 1.6.2 - Database Reset
runzero-match
service["http.body"] matches "(?i)/plugins/themegrill-demo-importer"Description
ThemeGrill Demo Importer before 1.6.2 does not require authentication for wiping the database due to a reset_wizard_actions hook. In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.
Impact
Unauthenticated attackers can wipe the entire WordPress database to its default state and gain automatic administrator access, resulting in complete site takeover and data loss.
Remediation
Upgrade to ThemeGrill Demo Importer version 1.6.2 or later.
Themes Coder Ecommerce <= 1.3.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/tc-ecommerce/"Description
The Themes Coder Ecommerce WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Impact
Unauthenticated attackers can execute time-based SQL injection to extract sensitive database information or manipulate data.
Remediation
Update Themes Coder Ecommerce plugin to a version newer than 1.3.4.
ThinVNC - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1414548363"Description
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via a specific command, potentially leading to unauthorized access and code execution.
Impact
An attacker can bypass authentication and gain unauthorized access to the ThinVNC server.
Remediation
Apply the vendor-supplied patch or update to the latest version to mitigate the CVE-2022-25226 vulnerability.
Thinfinity Iframe Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)thinfinity virtualui"})Description
A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential remote code execution.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the vulnerability.
Thinfinity VirtualUI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)thinfinity virtualui"})Description
Thinfinity VirtualUI panel was detected.
Thinfinity VirtualUI User Enumeration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)thinfinity virtualui"})Description
Thinfinity VirtualUI (before v3.0), /changePassword returns different responses for requests depending on whether the username exists. It may enumerate OS users (Administrator, Guest, etc.)
Impact
An attacker can use the gathered usernames for further attacks, such as brute-forcing passwords or launching targeted phishing campaigns.
Remediation
Apply the vendor-supplied patch or upgrade to the latest version of Thinfinity VirtualUI to mitigate the user enumeration vulnerability.
ThingsBoard Panel - Detect
Author: righettodAdded: Oct 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ThingsBoard"})Description
ThingsBoard was detected — a Open-source IoT Platform for device management, data collection, processing and visualization.
ThinkPHP 5.0.24 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)thinkphp"})Description
ThinkPHP 5.0.24 is susceptible to information disclosure. This version was configured without the PATHINFO parameter. This can allow an attacker to access all system environment parameters from index.php, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain sensitive information.
Remediation
Upgrade to a patched version of ThinkPHP or apply the necessary security patches.
ThinkPHP < 3.2.4 - Remote Code Execution
runzero-match
service["product"] contains "ThinkPHP:ThinkPHP"Description
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via the s parameter in index.php through the invokefunction functionality.
Impact
Attackers can execute arbitrary system commands true the server without authentication, potentially leading to full system compromise.
Remediation
Update to ThinkPHP 3.2.4 or later, or apply vendor patches.
Thinkphp Lang - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Thinkphp"})Description
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
Impact
This vulnerability can lead to unauthorized access, data leakage, and remote code execution.
Remediation
Apply the latest security patches and updates provided by the Thinkphp framework.
Thruk Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)thruk"Description
Thruk Monitoring panel was detected.
TiTiler - Blind Server Side Request Forgery
runzero-match
service["http.body"] matches "TiTiler"Description
Blind SSRF vulnerability in TiTiler, a dynamic tile server for Cloud Optimized GeoTIFFs (COGs). The flaw lies in how the application handles the url parameter in the /cog/info endpoint, allowing attackers to make arbitrary internal or external HTTP requests.
Tigase XMPP Server - Exposure
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tigase XMPP Server"})Tiki Wiki CMS GroupWare - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tiki Wiki CMS"})Description
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
Impact
Unauthenticated attackers can trigger 50 failed login attempts to reset the admin password to blank, gaining complete administrative access to the Tiki Wiki CMS and all its content.
Remediation
Upgrade to Tiki Wiki CMS version 21.2 or later.
Tiki Wiki CMS Groupware 5.2 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)tiki wiki"Description
Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability.
Impact
The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.
Remediation
Upgrade Tiki Wiki CMS Groupware to a version that is not affected by the CVE-2010-4239 vulnerability.
Tiki Wiki CMS Groupware Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)tiki wiki"Description
Tiki Wiki CMS Groupware login panel was detected.
TikiWiki CMS Groupware v8.3 - Open Redirect
runzero-match
service["http.body"] matches "tiki wiki"Description
tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection
Impact
Successful exploitation of this vulnerability could lead to phishing attacks and potential unauthorized access to sensitive information.
Remediation
Apply the latest security patches or upgrade to a newer version of TikiWiki CMS Groupware to mitigate the risk of open redirect vulnerabilities.
TileServer API - Cross Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "-1258058404"Description
tileserver-gl up to v4.4.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /data/v3/?key.
Impact
Attackers can inject malicious scripts via the key parameter, potentially compromising user sessions or stealing sensitive information.
Remediation
Update tileserver-gl to a version later than v4.4.10 that patches the XSS vulnerability.
Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/time-clock/"Description
The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
Impact
Unauthenticated attackers can execute limited PHP functions on the server through the etimeclockwp_load_function_callback function, potentially exposing sensitive system information through phpinfo and other callable functions.
Remediation
Update Time Clock plugin to a version later than 1.2.2 or Time Clock Pro plugin to a version later than 1.1.4 to address the remote code execution vulnerability.
TimeKeeper - Default Login
Author: theamanrawatAdded: Oct 17, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "2134367771"Description
TimeKeeper contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
TimeKeeper by FSMLabs - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "2134367771"Description
An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.
Impact
Unauthenticated attackers can inject Bash commands through the arg[2] parameter in getsamplebacklog endpoint to execute arbitrary commands on the server, potentially compromising the entire TimeKeeper time synchronization infrastructure.
Remediation
Update FSMLabs TimeKeeper to a version newer than 8.0.28 that properly sanitizes input parameters in getsamplebacklog and prevents command injection attacks.
Tiny File Manager - Default Login
runzero-match
service["http.body"] matches "Tiny File Manager"Description
Tiny File Manager contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Tiny File Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tiny File Manager"})Description
Tiny File Manager panel was detected.
Tiny RSS Panel - Detect
Author: userdehghaniAdded: May 14, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-418614327"Description
Tiny Tiny RSS is a free RSS feed reader
Titan FTP Server 6.03 and 6.0.5.549 - Heap Overflow via Long Commands
runzero-match
service["protocol"] contains "ftp" and service["service.transport"] contains "tcp" and service["banner"] matches `(?i)Titan\s+FTP\s+Server`Description
Titan FTP Server versions 6.03 and 6.05 (builds) contain multiple heap-based buffer overflow vulnerabilities. Remote attackers can cause denial of service (daemon crash) or potentially execute arbitrary code by sending excessively long USER, PASS, or other FTP commands that trigger heap overflows.
Impact
Unauthenticated attackers can send excessively long USER, PASS, or other FTP commands to trigger heap overflows, causing denial of service by crashing the daemon or potentially executing arbitrary code on the server.
Remediation
Update Titan FTP Server to a version newer than 6.05 build 549 that properly validates command length and prevents heap overflow vulnerabilities in FTP command handlers.
Titan FTP Server 6.05 DELE Command - Heap Overflow
runzero-match
service["protocol"] contains "ftp" and service["service.transport"] contains "tcp" and service["banner"] matches `(?i)Titan\s+FTP\s+Server`Description
Titan FTP Server version 6.05 build 550 contains a heap overflow vulnerability when processing long DELE commands. Remote attackers can cause denial of service (daemon crash) or potentially execute arbitrary code by sending excessively long arguments to the DELE command.
Impact
Unauthenticated attackers can send long DELE commands to trigger heap overflow, causing denial of service by crashing the FTP daemon or potentially executing arbitrary code on the server.
Remediation
Update Titan FTP Server to a version newer than 6.05 build 550 that properly validates command length and prevents heap overflow vulnerabilities in the DELE command handler.
TitanNit Web Control 2.01/Atemio 7600 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "TitanNit Web Control"})Description
The device contains a command injection caused by the 'getcommand' query in the application, letting unauthorized attackers execute system commands with root privileges, exploit requires attacker to send crafted requests.
Impact
Unauthenticated attackers can execute arbitrary system commands with root privileges through command injection in the getcommand query parameter, achieving complete control of the TitanNit Web Control device and potentially pivoting to connected industrial control systems.
Remediation
Apply security patches from TitanNit for Web Control 2.01 and Atemio 7600 to address the command injection vulnerability in the getcommand query parameter.
Tixeo Login Panel - Detect
Author: righettodAdded: Apr 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tixeo"})Description
Tixeo login panel was detected.
Tomcat Exposed - Detect
Author: Podalirius,righettodAdded: Jul 19, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache tomcat"}) || service["http.body"] matches "(?i)apache tomcat"Description
An Apache Tomcat instance was detected.
Tongda OA 11.7 - Authentication Bypass
Author: HuTa0Added: Jul 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)通达OA"})Description
Tongda OA is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., LTD v11.7 has the interface query online user function, when the user is online, it will return PHPSESSION so that it can log in to the background system.
ToolJet - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tooljet"})Description
ToolJet contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
ToolJet Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ToolJet - Dashboard"})Description
ToolJet login panel was detected.
Tools4Ever Self-Service Reset Password Manager - Panel
Author: darsesAdded: Jun 20, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-948009664" || service["favicon.ico.image.mmh3"] == "-916902413"Description
Detects Tools4Ever Self-Service Reset Password Manager login panel.
Topsec TopAppLB - Authentication Bypass
Author: SleepingBag945Added: Sep 15, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TopApp-LB 负载均衡系统"})Description
Topsec TopAppLB is vulnerable to authetication bypass .Enter any account on the login page, the password is `;id`.
Toshiba TopAccess - Default-Login
Author: ritikchaddhaAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)topaccess"})Toshiba TopAccess Panel - Detect
Author: ritikchaddhaAdded: Sep 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)topaccess"})Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/total-donations/"Description
Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
Impact
Attackers can modify site options, enabling new user registration as Administrator, leading to site takeover.
Remediation
Update to the latest version of the plugin where this issue is fixed.
Totemomail Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)totemomail"Description
Totemomail login panel was detected.
Traccar Panel - Detect
Author: s4e-ioAdded: Oct 12, 2024
runzero-match
service["http.body"] matches "(?i)Traccar"Description
Traccar panel was discovered.
Traccar(Windows) 6.1- 6.8.1 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Traccar"Description
Traccar 5.8-6.0 (non-default installs with web.override set) and 6.1-6.8.1 (default installs) contain a local file inclusion vulnerability caused by enabled web override configuration, letting unauthenticated attackers leak arbitrary files including passwords, exploit requires local access.
Impact
Unauthenticated local attackers can read arbitrary files, potentially exposing sensitive information like passwords and configuration data.
Remediation
Upgrade to version 6.9.0 or later.
Traefik Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)traefik"})Description
Traefik Dashboard panel was detected.
Traggo Server - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)traggo"Description
traggo/server version 0.3.0 is vulnerable to directory traversal.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the server.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
runzero-match
service["http.body"] matches "/wp-content/plugins/transposh-translation-filter-for-wordpress/"Description
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
Impact
Unauthenticated attackers can modify plugin settings through the tp_translation AJAX endpoint without authentication, potentially manipulating translated content and injecting malicious data that affects all site visitors.
Remediation
Update Transposh WordPress Translation plugin to a version newer than 1.0.8.1 that implements proper authentication checks on AJAX actions.
Trassir WebView Default Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "Trassir Webview"})Description
Trassir WebView contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Travelpayouts <= 1.1.16 - Open Redirect
runzero-match
service["http.body"] contains "inurl:\"/wp-content/plugins/travelpayouts"Description
The plugin is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Impact
Unauthenticated attackers can redirect users to malicious sites for phishing attacks, credential harvesting, or malware distribution by exploiting insufficient redirect validation.
Remediation
Upgrade to the latest version of the Travelpayouts plugin that addresses this open redirect vulnerability.
Trend Micro Apex One Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)officescan"})Description
Trend Micro Apex One login panel was detected.
Trilium <0.52.4 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Trilium Notes"})Description
Trilium prior to 0.52.4, 0.53.1-beta contains a cross-site scripting vulnerability which can allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected Trilium instance.
Remediation
Upgrade Trilium to version 0.52.4 or later, which includes proper input sanitization to mitigate the XSS vulnerability.
Trinity Audio <= 5.21.0 - Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/trinity-audio"Description
The Trinity Audio Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the ~/admin/inc/phpinfo.php file that gets created on install. This makes it possible for unauthenticated attackers to extract sensitive data including configuration data.
Impact
Unauthenticated attackers can extract sensitive configuration data, potentially aiding further attacks.
Remediation
Update to the latest version beyond 5.21.0.
Triofox - Improper Access Control
runzero-match
service["favicon.ico.image.mmh3"] == "-177043778"Description
The Gladinet Triofox solution before 12.91.1126.65588 and CentreStack before 12.10.595.65696 allow unauthenticated access to the /management/admindatabase.aspx endpoint, exposing sensitive database management functionality to anyone with network access. An unauthenticated attacker can remotely access, view, and potentially interact with the database management interface, risking data disclosure or system compromise.
Impact
Attackers may gain access to sensitive administrative functions of the Triofox database, resulting in unauthorized data access, modification, or potential system compromise.
Remediation
Upgrade to Triofox 12.91.1126.65588 or CentreStack 12.10.595.65696 and later to resolve this vulnerability and restrict unauthenticated access to the administrative database panel.
TrueNAS Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
service["http.body"] matches "(?i)truenas"Description
TrueNAS scale is a free and open-source NAS solution
Tufin SecureTrack Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securetrack - tufin technologies"})Description
Tufin SecureTrack login panel was detected.
TurboMeeting - Boolean-based SQL Injection
runzero-match
service["http.body"] matches "(?i)TurboMeeting"Description
A Boolean-based SQL injection vulnerability in the "RHUB TurboMeeting" web application. This vulnerability could allow an attacker to execute arbitrary SQL commands on the database server, potentially allowing them to access sensitive data or compromise the server.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to extract sensitive data including user credentials, meeting information, and potentially compromise the entire TurboMeeting database.
Remediation
Upgrade to the latest patched version of RHUB TurboMeeting or apply vendor-provided security updates.
TurnKey LAMP Panel - Detect
Author: ritikchaddhaAdded: Jun 16, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TurnKey LAMP"})Description
TurnKey LAMP Control Panel was detected.
TurnKey OpenVPN Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TurnKey OpenVPN"})Description
TurnKey OpenVPN panel was detected.
Tutor LMS <= 2.1.10 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/plugins/tutor/"Description
Tutor LMS – eLearning and online course solution plugin for WordPress [all versions up to 2.6.1] contains a time-based SQL Injection caused by insufficient escaping on the question_id parameter in SQL queries, letting authenticated attackers with subscriber or higher access extract sensitive information, exploit requires attacker to be authenticated with subscriber or higher privileges.
Impact
Authenticated attackers can extract sensitive database information through SQL injection, potentially leading to data breach or further exploitation.
Remediation
Update to version 2.6.2 or later to fix the vulnerability.
Tutor LMS <= 2.7.6 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/tutor/"Description
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up to, and including, 2.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute arbitrary SQL queries via the rating_filter parameter, potentially extracting sensitive database information including user credentials and course data.
Remediation
Update Tutor LMS plugin to version 2.7.7 or later.
Typebot Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Typebot"})Description
Typebot is an open-source chatbot builder that allows you to create advanced
chatbots visually.
Typo3 Directory Listing
Author: theamanrawatAdded: Jan 21, 2026
runzero-match
service["product"] contains "TYPO3:TYPO3"Description
Detects directory listing enabled on the TYPO3 temp directory. The typo3temp folder contains cached files, compiled assets, and temporary data that may reveal sensitive information about the application structure and configuration.
UC Gateway Investment SiteEngine v5.0 - Open Redirect
runzero-match
service["http.body"] matches "SiteEngine"Description
Open redirect vulnerability in api.php in SiteEngine 5.x allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter in a logout action.
Impact
Attackers can redirect users to malicious sites for phishing or malware distribution.
Remediation
Apply the latest patches or updates provided by the vendor to fix the open redirect vulnerability.
UFIDA NC - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)用友\" \"NC"})Description
UFIDA NC is vulnerable to an arbitrary file read vulnerability in the nc.uap.lfw.file.action.DocServlet component. An unauthenticated remote attacker can exploit this flaw to read sensitive files on the server by sending crafted requests.
Impact
Successful exploitation allows attackers to access sensitive files and information stored on the server.
UFIDA U8 CRM cfillbacksetting.php - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)用友U8CRM"})Description
UFIDA U8-CRM system /config/fillbacksetting.php contains an SQL injection vulnerability, which allows attackers to manipulate the database through maliciously constructed SQL statements, resulting in data leaks, tampering or destruction, and seriously threatening system security.
UFIDA U8 CRM fillbacksetting.php - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)用友U8CRM"})Description
UFIDA U8-CRM system /config/fillbacksetting.php contains an SQL injection vulnerability, which allows attackers to manipulate the database through maliciously constructed SQL statements, resulting in data leaks, tampering or destruction, and seriously threatening system security.
UISP Fiber Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches `^UISP\s*Fiber\s*-\s*Login`})Description
UISP Fiber login interface was discovered.
UNA CMS <= 14.0.0-RC4 - PHP Object Injection
runzero-match
service["http.body"] matches "(?i)Powered by UNA"Description
The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script. Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this method, user input passed through the "profile_id" POST parameter is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as writing and executing arbitrary PHP code.
Impact
Unauthenticated attackers can inject arbitrary PHP objects through the profile_id parameter, allowing remote code execution and complete server compromise.
Remediation
Upgrade to UNA CMS version 14.0.0 or later that properly validates and sanitizes serialized input.
UPS Adapter CS141 SNMP Module Default Login
runzero-match
service["http.body"] matches "CS141"Description
UPS Adapter CS141 SNMP Module default login credentials were discovered.
URL Shortify <= 1.12.1 - Open Redirect
runzero-match
service["http.body"] contains "/plugins/url-shortify/"Description
The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.
Impact
Unauthenticated attackers can redirect users to malicious sites, facilitating phishing or malware distribution.
Remediation
Update to the latest version beyond 1.12.1.
Ubigeo de Peru < 3.6.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ubigeo-peru/"Description
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
Impact
Unauthenticated attackers can exploit SQL injection via AJAX actions to extract usernames and password hashes from the WordPress database.
Remediation
Fixed in version 3.6.4
UiPath Orchestrator Login Panel - Detect
Author: righettodAdded: Apr 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)UiPath Orchestrator"})Description
UiPath Orchestrator login panel was detected.
Umami Panel - Detect
Author: userdehghaniAdded: May 7, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-130447705"Description
simple, fast, privacy-focused, open-source analytics solution.
Umbraco 8.14.1 - baseUrl Server-Side Request Forgery (SSRF)
runzero-match
service["http.body"] matches "Umbraco"Description
Umbraco 8.1.4.1 allows attackers to use the baseUrl parameter to several programs to perform a server-side request forgery (SSRF) attack.
Umbraco <7.4.0- Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)umbraco"Description
Umbraco before version 7.4.0 contains a server-side request forgery vulnerability in feedproxy.aspx that allows attackers to send arbitrary HTTP GET requests via http://local/Umbraco/feedproxy.aspx?url=http://127.0.0.1:80/index.
Impact
The vulnerability can result in unauthorized access to sensitive information or systems, leading to potential data breaches or further exploitation.
Remediation
Upgrade Umbraco to version 7.4.0 or above to mitigate the vulnerability and apply any necessary patches or security updates.
Umbraco CMS - Directory Listing Exposure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Umbraco"})Description
Detected directory listing enabled on sensitive Umbraco CMS directories, potentially exposing configuration files, logs, backups, and other sensitive data.
Umbraco Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)umbraco"})Description
Umbraco login panel was detected.
Umbraco Mini Profiler - Exposure
Author: theamanrawatAdded: Jan 20, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Umbraco"})Description
Detected the exposure of the MiniProfiler debugging interface in Umbraco CMS. When exposed, it can reveal sensitive information including SQL queries, execution times, stack traces, and internal application details.
UnRaid <=6.80 - Remote Code Execution
runzero-match
service["http.head.setCookie"] matches `^unraid_` || service["last.http.head.setCookie"] matches `^unraid_`Description
UnRaid <=6.80 allows remote unauthenticated attackers to execute arbitrary code.
Impact
Unauthenticated attackers can execute arbitrary code on UnRaid servers, leading to complete system compromise and access to all stored data.
Remediation
Upgrade UnRaid to a version higher than 6.80 to mitigate the vulnerability.
Unauthenticated Arbitrary Plugin Upload in Alone Theme
Author: Nxploited,DhiyaneshDKAdded: Aug 3, 2025
runzero-match
service["http.body"] matches "/wp-content/themes/alone/"Description
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3.
Impact
This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Remediation
Fixed in 7.8.5.
Unauthenticated Remote Code Execution – Bricks <= 1.9.6
runzero-match
service["http.body"] matches "(?i)/wp-content/themes/bricks/"Description
Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
Impact
Unauthenticated attackers can execute arbitrary code through the Bricks Builder theme, leading to complete site takeover and potential server compromise.
Remediation
Update Bricks Builder theme to version 1.9.7 or later.
Unauthenticated ZyXEL USG ZTP - Detect
Author: dmartynAdded: May 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "USG FLEX"})Description
Make a ZyXEL USG with ZTP support, pre CVE-2023-28771 patch, do a DNS lookup by asking it to make an ICMP request.
This template can be used to detect hosts potentially vulnerable to CVE-2023-28771, CVE-2022-30525, and other issues, without actually exploiting the vulnerability.
Uncanny Toolkit for LearnDash - Open Redirection
runzero-match
service["http.body"] contains "/wp-content/plugins/uncanny-learndash-toolkit/"Description
A vulnerability in the WordPress Uncanny Toolkit for LearnDash Plugin allowed malicious actors to redirect users, posing a potential risk of phishing incidents. The issue has been resolved in version 3.6.4.4, and users are urged to update for security.
Impact
Unauthenticated attackers can craft malicious redirect URLs through the REST API to redirect LearnDash users to phishing sites, potentially stealing login credentials and compromising user accounts.
Remediation
Update Uncanny Toolkit for LearnDash plugin to version 3.6.4.4 or later that validates redirect URLs and prevents open redirect attacks in the REST API.
UniFi - NFC Credentials
Author: DhiyaneshDkAdded: Nov 5, 2025
runzero-match
service["http.body"] matches "(?i)UniFi Dream Machine SE"Description
An unauthenticated GET to /api/v1/user_assets/touch_pass/keys returns JSON containing live credential material (PEM private key, Apple NFC/express key values, terminal type, TTL, google_pass_auth_key block, version identifiers) over a publicly reachable port — allowing theft and immediate misuse of mobile/NFC access credentials.
UniFi Access - Broken Access Control
runzero-match
service["http.body"] matches "UniFi OS"Description
UniFi Access Application 3.3.22 through 3.4.31 contains a broken authentication caused by misconfiguration exposing management API without proper authentication, letting attackers on management network access management functions, exploit requires network access.
Impact
Attackers on the management network can access management APIs without authentication, potentially leading to unauthorized control of the system.
Remediation
Update to version 4.0.21 or later.
UniFi Network Application - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "UniFi Network"})Description
UniFi Network Application is susceptible to a critical vulnerability in Apache Log4j (CVE-2021-44228) that may allow for remote code execution in an impacted implementation.
UniFi Network Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)UniFi Network"})Description
UniFi Network login panel was detected.
UniFi OS - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)UniFi OS"})Description
UniFi OS Panel was discovered
Unibox Panel - Detect
Author: theamanrawatAdded: Oct 17, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "176427349"Description
Unibox Administrator panel was detected.
Unitronics PLC - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Unitronics"})Description
Unitronics PLC web interface panel has been detected.
Unity Plastic SCM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Plastic SCM"})Description
Unity Plastic SCM login panel was detected.
Universal Media Server v13.2.1 - Cross Site Scripting
Author: r3Y3r53Added: Jul 7, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-902890504"Description
Universal Media Server v13.2.1 CMS v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.
Remediation
Fixed in version 13.2.2
Unleash Panel - Detect
Author: userdehghaniAdded: May 12, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-608690655"Description
Open-source feature management solution built for developers.
Unraid Authentication Bypass Vulnerability
runzero-match
service["product"] contains "Unraid:Unraid"Description
Unraid 6.8.0 allows authentication bypass.
Remediation
Apply updates per vendor instructions.
Untangle Administrator Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)untangle administrator login"})Description
Untangle Administrator is a centralized web-based management console that allows administrators to efficiently configure, monitor, and control various network security and filtering features provided by the Untangle NG Firewall, ensuring robust network protection and policy enforcement.
Uptime Kuma - Panel
Author: irshad ahamedAdded: Jul 1, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Uptime Kuma"})Description
Realtime website and application monitoring tool
UrBackup Panel - Detect
Author: DhiyaneshDkAdded: Apr 17, 2024
runzero-match
service["http.body"] matches "(?i)UrBackup - Keeps your data safe"User Control Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)User Control Panel"})Description
User Control Panel was detected.
User Management/Registration & Login v3.0 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Registration and Login System"})Description
User Registration & Login and User Management System v3.0 admin panel has SQL vulnerability. Even though the person who discovered the vulnerability tested it in version 3.0, version 3.2 also contains the same vulnerability. It can be exploited by entering "admin' -- -" as the username parameter in the admin panel.
User Meta WP Plugin < 3.1 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/user-meta/"Description
The User Meta is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0 via the /views/debug.php file. This makes it possible for unauthenticated attackers, with to extract sensitive configuration data.
Impact
Unauthenticated attackers can extract sensitive configuration data from the User Meta plugin.
Remediation
Update User Meta plugin to version 3.1 or later.
User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation
runzero-match
service["http.body"] matches "/wp-content/plugins/user-registration"Description
The User Registration & Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 4.1.1. This is due to insufficient restrictions on role type in the 'prepare_members_data()' function. This makes it possible for unauthenticated attackers to create newuser accounts with the 'administrator' role, allowing complete control over the affected WordPress site.
Impact
Unauthenticated attackers can create new user accounts with administrator privileges through insufficient role restrictions, gaining complete control over the WordPress site.
Remediation
Update to User Registration & Membership plugin version 4.1.2 or later.
User Registration & Membership WordPress plugin - Open Redirect
runzero-match
service["http.body"] matches "/wp-content/plugins/user-registration/"Description
User Registration & Membership WordPress plugin <= 5.1.4 contains an open redirect caused by insufficient validation of 'redirect_to_on_logout' parameter, letting attackers redirect users to malicious external URLs after logout, exploit requires crafted URL.
Impact
Attackers can redirect users to malicious sites after logout, facilitating phishing attacks and user deception.
Remediation
Update to a version later than 5.1.4 or the latest available version.
User Submitted Posts <= 20251121 - Unauthenticated Open Redirect
Author: Shivam KambojAdded: Feb 5, 2026
runzero-match
service["http.body"] matches "(?i)usp-nonce"Description
The User Submitted Posts plugin for WordPress is vulnerable to Open Redirect in all versions up to and including 20251121. This is due to insufficient validation on the redirect-override POST parameter. Unauthenticated attackers can redirect users to potentially malicious sites by tricking them into submitting a form.
Impact
Attackers can redirect users to malicious sites, facilitating phishing attacks and credential theft.
Remediation
Update to the latest version.
UserPro <= 5.1.1 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/userpro/"Description
The UserPro plugin for WordPress through 5.1.1 allows authentication bypass via the userpro_fbconnect AJAX action.
Impact
Unauthenticated attackers can bypass authentication by exploiting the Facebook connect AJAX action with arbitrary user IDs, potentially gaining full administrative access to the WordPress site and all user accounts.
Remediation
Update UserPro plugin to a version newer than 5.1.1 that properly validates authentication in the userpro_fbconnect AJAX action.
Usermin 2.100 - Username Enumeration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Usermin"})Description
Usermin version 2.100 and below is susceptible to username enumeration via the password change functionality. An attacker can determine valid usernames by analyzing the response messages from the password change endpoint.
Impact
Attackers can enumerate valid usernames by analyzing password change responses, aiding in further attacks.
Remediation
Upgrade to the latest version of Usermin that addresses this vulnerability.
Usermin Panel - Detect
Author: s4e-ioAdded: Oct 17, 2024
runzero-match
any(each(service["html.titles"]), {# contains "Login to Usermin"})Description
Usermin panel was discovered.
V2924 Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)V2924"})Description
V2924 admin login panel was detected.
VICIdial - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1375401192"Description
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
Impact
Unauthenticated attackers can exploit SQL injection to enumerate database records and extract plaintext credentials stored by VICIdial, leading to complete system compromise and unauthorized access to the call center platform.
Remediation
Apply security patches for VICIdial to address the SQL injection vulnerability in VERM_AJAX_functions.php and implement proper credential encryption.
VMWare Cloud Foundation NSX-V - XML External Entity (XXE)
runzero-match
any(each(service["html.titles"]), {# matches "VMware Appliance Management"})Description
VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.
Impact
Attackers can cause denial-of-service or access sensitive information by exploiting XXE vulnerability.
Remediation
Update to the latest version of VMware Cloud Foundation with patched NSX-V component.
VMWare Workspace ONE UEM - Server-Side Request Forgery
runzero-match
service["banner"] matches "(?i)/AirWatch/default\\.aspx"Description
VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
Impact
An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the necessary patches or updates provided by VMWare to fix the vulnerability.
VMware - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-1250474341"Description
VMware Workspace ONE Access, Identity Manager, and Realize Automation are vulnerable to local file inclusion because they contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Impact
The impact of this vulnerability is that an attacker can read sensitive files on the server, which may contain credentials, configuration files, or other sensitive information.
Remediation
To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in file inclusion operations.
VMware Aria Operations Login - Detect
Author: rxeriumAdded: Oct 10, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware Aria Operations"})Description
Detects VMware Aria Operations Panel.
VMware Aria Operations for Logs - Unauthenticated Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "vRealize Log Insight"})Description
VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability.
VMware Carbon Black EDR Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware Carbon Black EDR"})Description
VMware Carbon Black EDR panel was detected.
VMware Cloud Director Availability Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware Cloud Director Availability"})Description
VMware Cloud Director Availability login panel was detected.
VMware Cloud Director Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)welcome to vmware cloud director"})Description
VMware Cloud Director login panel was detected.
VMware FTP Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMWARE FTP SERVER"})Description
VMware FTP Server login panel was detected.
VMware HCX - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "VMware HCX"})Description
VMware HCX is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
VMware HCX Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware HCX"})Description
VMware HCX login panel was detected.
VMware Horizon - JNDI Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "VMware Horizon"Description
VMware Horizon is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
VMware NSX - Remote Code Execution (Apache Log4j)
runzero-match
service["http.body"] matches "vmw_nsx_logo-black-triangle-500w\\.png"Description
VMware NSX is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
VMware NSX Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)vmw_nsx_logo-black-triangle-500w\\.png"Description
VMware NSX login panel was detected.
VMware NSX SD-WAN Edge - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VeloCloud"})Description
VMware NSX SD-WAN Edge (formerly VeloCloud Edge) before 3.1.2 contains an unauthenticated command injection in the local web UI diagnostic tools (Ping/Traceroute). This template detects it reliably by injecting 'id', 'whoami', and a random marker.
Impact
Successful exploitation allows unauthenticated remote code execution as root.
Remediation
Upgrade to VMware SD-WAN Edge version 3.1.2 or later (diagnostic web UI component removed).
VMware Operations Manager - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "vRealize Operations Manager"})Description
VMware Operations Manager is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
VMware Site Recovery Manager - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "VMware Site Recovery Manager"})Description
VMware Site Recovery Manager is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
VMware VCenter - Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "VMware VCenter"})Description
VMware VCenter is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
VMware VRealize Network Insight - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "VMware vRealize Network Insight"})Description
VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMWare 6.x version are
vulnerable.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches provided by VMware to mitigate this vulnerability.
VMware Workspace ONE Access - Server-Side Template Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1250474341"Description
VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.
Impact
Successful exploitation of this vulnerability could lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Apply the latest security patches provided by VMware to mitigate this vulnerability.
VMware Workspace ONE Access/Identity Manager/vRealize Automation - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1250474341"Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system.
Remediation
Apply the latest security patches or updates provided by VMware to fix the authentication bypass vulnerability (CVE-2022-22972).
VMware Workspace ONE UEM Airwatch Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)airwatch"Description
VMware Workspace ONE UEM Airwatch login panel was detected.
VMware Workspace ONE UEM Airwatch Self-Service Portal - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "321909464" || service["http.body"] matches "(?i)Self-Service Portal"Description
VMware Workspace ONE UEM Airwatch Self-Service Portal (SSP) login panel was detected.
VMware vCenter Converter Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vmware vcenter converter standalone"})Description
VMware vCenter Converter panel was detected.
VMware vCenter Server - Out-of-Bounds Write
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware VCenter"})Description
vCenter Server contains an out-of-bounds write caused by a vulnerability in the DCERPC protocol implementation. A malicious actor with network access can trigger remote code execution on vCenter Server.
Impact
Unauthenticated attackers with network access can exploit the out-of-bounds write vulnerability in the DCERPC protocol to execute arbitrary code on vCenter Server, potentially compromising the entire VMware virtualization infrastructure.
Remediation
Apply VMware security patches from VMSA-2023-0023 for vCenter Server versions 4.0-5.5 and 7.0-8.0 that fix the DCERPC protocol vulnerability.
VMware vCloud Director Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vmware vcloud director"})Description
VMware vCloud Director panel was detected.
VMware vRealize Log Insight - Improper Access Control to RCE
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vrealize log insight"})Description
The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.
Impact
Successful exploitation allows a remote, unauthenticated attacker to inject and execute malicious code on the target appliance, potentially resulting in complete compromise of the affected system.
Remediation
Update VMware vRealize Log Insight to version 8.10.2 or later, as detailed in the official vendor advisory.
VMware vRealize Log Insight - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vrealize log insight"})Description
he vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
Impact
A remote, unauthenticated attacker can inject malicious files leading to remote code execution on the target appliance, resulting in complete compromise of the affected system.
Remediation
Update VMware vRealize Log Insight to version 8.10.2 or later as per the official vendor advisory.
VMware vRealize Log Insight < v8.10.2 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vrealize log insight"})Description
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.
Impact
Attackers can access sensitive session and application data, leading to potential information leakage and security breaches."
Remediation
Apply the latest security patches and updates provided by VMware to mitigate this vulnerability.
VMware vRealize Operations Tenant - JNDI Remote Code Execution (Apache Log4j)
runzero-match
any(each(service["html.titles"]), {# matches "vRealize Operations Tenant App"})Description
VMware vRealize Operations is susceptible to a critical vulnerability in Apache Log4j which may allow remote code execution in an impacted vRealize Operations Tenant application.
VMware vSphere - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)vmware.cloud.foundation"Description
VMware vSphere (HTML5) is susceptible to server-side request forgery due to improper validation of URLs in a vCenter Server plugin. An attacker with network access to port 443 can exploit this issue by sending a POST request to the plugin. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
Impact
Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access, data leakage, or further attacks.
Remediation
Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability.
VSFTPD 2.3.4 - Backdoor Command Execution
runzero-match
service["protocol"] contains "ftp" and service["service.transport"] contains "tcp" and service["banner"] matches `(?i)vsFTPd`Description
VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the FTP server.
Remediation
Update to the latest version of VSFTPD, which does not contain the backdoor.
VTScada - Internet Client Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "VTScada Internet Client from Trihedral"})Description
VTScada (by Trihedral Engineering) is a SCADA platform used in water/
wastewater, oil and gas, and utilities. The Internet Client feature exposes
a browser-based view of process data, and is commonly deployed by municipal
water systems across North America.
Vanna - SQL injection
runzero-match
service["http.body"] matches "(?i)'vanna\\.ai'"Description
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
Impact
Unauthenticated attackers can exploit SQL injection to inject malicious training data and write arbitrary files on the victim's filesystem, including PHP backdoors, leading to remote code execution.
Remediation
Update Vanna to version 0.3.5 or later to address the SQL injection vulnerability in the DuckDB integration.
Vanna AI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Vanna Agents Chat"})Description
Vanna AI is a chat interface for text-to-SQL generation using natural language. This template detects the presence of a Vanna AI chat panel.
Vault Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-919788577"Description
Vault login panel was detected.
Vaultwarden Login Panel - Detect
Author: righettodAdded: Jan 14, 2025
runzero-match
service["http.body"] matches "(?i)vaultwarden"Description
Vaultwarden products was detected.
VectorAdmin Panel - Detect
Author: s4e-ioAdded: Mar 21, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VectorAdmin - Vector database management made easy\\."})Description
VectorAdmin panel was discovered.
Veeam Backup & Replication - Unauthenticated
runzero-match
service["http.body"] matches "(?i)Veeam Backup"Description
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
Impact
Unauthenticated attackers can exploit deserialization vulnerabilities to achieve remote code execution on Veeam Backup & Replication servers.
Remediation
Update Veeam Backup & Replication to a patched version addressing CVE-2024-40711.
Veeam Backup Enterprise Manager Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)veeam backup enterprise manager"}) || service["favicon.ico.image.mmh3"] == "169658321" || service["http.body"] matches "(?i)Veeam"Description
Veeam Backup Enterprise Manager Login
Veeam Backup for Google Cloud Platform Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Veeam Backup for GCP"})Description
Veeam Backup for Google Cloud Platform panel was detected.
Veeam Backup for Microsoft Azure Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Veeam Backup for Microsoft Azure"})Description
Veeam Backup for Microsoft Azure panel was detected.
Veeam Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-633512412"Description
Veeam login panel was detected.
Vendure Core - SQL Injection
runzero-match
service["http.head.accessControlExposeHeaders"] matches `(?i)vendure-auth-token` || service["last.http.head.accessControlExposeHeaders"] matches `(?i)vendure-auth-token`Description
Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or input validation, allowing unauthenticated attackers to execute arbitrary SQL commands. This can lead to full database disclosure and denial of service.
Remediation
Upgrade @vendure/core to version 3.6.2, 3.5.7, or 2.3.4 or later, which add input validation and parameterized queries for the languageCode parameter.
Veracore Login - Detect
Author: rxeriumAdded: Feb 10, 2025
runzero-match
service["http.body"] matches "(?i)veraCoreScreenHeight"Description
A veracore login panel was detected.
Veritas NetBackup OpsCenter Analytics Login - Detect
Author: rxeriumAdded: Oct 8, 2024
runzero-match
service["http.body"] matches "(?i)Veritas NetBackup OpsCenter Analytics"Description
A Veritas NetBackup OpsCenter Analytics page was detected.
Veriz0wn OSINT - Detect
Author: pussycat0xAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Veriz0wn"})Verizon Router Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Verizon Router"})Description
Verizon router panel was detected.
Versa Concerto API Path Based - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-534530225"Description
Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path.This issue enabled attackers to bypass authentication controls and access restricted resources.
Impact
Attackers can bypass authentication through URL path manipulation to access restricted API endpoints and retrieve sensitive role information without credentials.
Remediation
Upgrade to the latest Versa Concerto version that properly handles URL decoding and path validation in authentication checks.
Versa Concerto Actuator Endpoint - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-534530225"Description
An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.
Impact
Attackers can bypass authentication by omitting the X-Real-Ip header to access restricted Spring Boot Actuator endpoints, potentially exposing sensitive system information and functionality.
Remediation
Upgrade to the latest Versa Concerto version that properly validates authentication for all Actuator endpoints regardless of header presence.
Versa Director Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Versa Director"})Description
Versa Director login panel was detected.
Versa FlexVNF - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Flex VNF Web-UI"})Description
Versa FlexVNF contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Versa FlexVNF Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flex VNF Web-UI"})Description
Versa FlexVNF panel was detected.
VertaAI ModelDB - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-2097033750" || any(each(service["html.titles"]), {# matches "(?i)verta ai"})Description
The endpoint "/api/v1/artifact/getArtifact?artifact_path=" is vulnerable to path traversal. The main cause of this vulnerability is due to the lack of validation and sanitization of the artifact_path parameter.
Impact
Attackers can potentially exploit this vulnerability to perform a relative path traversal attack, which can lead to unauthorized access to sensitive local files on the server. As an impact it is known to affect confidentiality.
Remediation
Restrict access to the web application
Vertex Tax Installer Panel - Detect
runzero-match
service["http.body"] matches "(?i)Vertex Tax Installer"Description
Vertex Tax Installer panel was detected.
VictoriaMetrics Panel - Detect
Author: Shivam KambojAdded: Jan 5, 2026
runzero-match
service["http.body"] matches "(?i)VictoriaMetrics"Description
A VictoriaMetrics panel was discovered.
Vidyo Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1970367401"Description
Vidyo admin login panel was detected.
Viessmann Vitogate 300 - Hardcoded Password
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Vitogate 300"})Description
A critical vulnerability in Viessmann Vitogate 300 up to 2.1.3.0 allows attackers to authenticate using hardcoded credentials in the Web Management Interface.
Impact
An attacker could potentially gain unauthorized access to the device.
Remediation
Update the device firmware to remove the hardcoded password or change it to a strong, unique password.
Viessmann Vitogate 300 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vitogate 300"})Description
In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.
Impact
Unauthenticated attackers can execute arbitrary commands with elevated privileges through shell metacharacters in the ipaddr parameter, potentially compromising the heating control gateway and accessing building management systems.
Remediation
Update Viessmann Vitogate 300 firmware to a version newer than 2.1.3.0 that properly sanitizes the ipaddr parameter and prevents command injection through the JSON API.
Vikunja Login Panel - Detect
Author: matheusalbarelloAdded: Jun 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Vikunja$"}) || service["http.head.server"] matches "^Vikunja"Description
Vikunja login panel was detected. Vikunja is a self-hosted to-do and project management application.
Vinchin Backup & Recovery Panel - Detect
runzero-match
service["http.body"] matches "(?i)VinChin"Description
Vinchin Backup & Recovery login panel was detected.
Virtua Software Cobranca <12R - Blind SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "876876147"Description
Virtua Cobranca before 12R allows blind SQL injection on the login page.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the underlying system.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Virtua Software Cobranca <12R.
Virtua Software Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "876876147"Description
Virtua Software panel was detected.
Vite - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)/@vite/client"Description
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Impact
Attackers can bypass file access restrictions by adding special query parameters to URLs, potentially reading arbitrary files when the Vite dev server is exposed to the network.
Remediation
Upgrade to Vite version 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10 that properly validates query parameters.
Vite - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/@vite/client"Description
Vite is a frontend tooling framework for JavaScript.In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Impact
Remote attackers can access files denied by server.fs.deny, leading to sensitive information disclosure.
Remediation
Update to versions 5.4.21, 6.4.1, 7.0.8, or 7.1.11 or later.
Vite Dev Server - Path Traversal
runzero-match
service["http.body"] matches "(?i)/@vite/client"Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Impact
Attackers can access unauthorized files bypassing filesystem restrictions, potentially exposing sensitive data.
Remediation
Update to versions 7.1.5, 7.0.7, 6.3.6, or 5.4.20 or later.
Vite Dev Server - Path Traversal in Optimized Deps .map Handling
runzero-match
service["http.body"] matches `src="/@vite/client"` && service["service.port"] == "5173"Description
Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and calls readFile without restricting ../ segments in the URL. This allows an attacker to bypass server.fs.strict and retrieve auto-generated sourcemaps for files located outside the project root, leaking absolute filesystem paths. Only dev servers explicitly exposed to the network using --host or server.host are affected.
Impact
An attacker can trigger auto-generated sourcemap responses for files outside the project directory, leaking absolute filesystem paths and potentially reading .map files containing sensitive source code or configuration data.
Remediation
Upgrade Vite to version 8.0.5, 7.3.2, 6.4.2 or later.
Vite Development Server - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Vite App"})Description
Path traversal vulnerability in Vite development server's @fs endpoint allows attackers to access files outside the intended directory. When exposed to the network, attackers can exploit this via crafted URLs to access sensitive system files.
Impact
Attackers can exploit path traversal in the @fs endpoint to access files outside the intended directory when the Vite dev server is exposed to the network, potentially reading sensitive system files.
Remediation
Upgrade to the patched version or avoid exposing the Vite development server to the network (do not use --host flag or configure server.host); if upgrading is not immediately possible, implement access restrictions to the Vite development server
Vite server.fs.deny Bypass - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Vite App"})Description
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest- script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default- 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Impact
Attackers can bypass server.fs.deny restrictions to read arbitrary files smaller than 4kB when the Vite dev server is exposed to the network, potentially exposing sensitive configuration data.
Remediation
Update Vite to version 4.5.12, 5.4.17, 6.0.14, 6.1.4, 6.2.5 or later.
Vlife FastJSON - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "vlife"})Description
alibaba/fastjson v1.2.67 within the MyUsernamePasswordAuthenticationFilter for processing authentication requests. The /vlife/login endpoint directly deserializes the raw HTTP request body using JSON.parseObject() without enforcing type restrictions or enabling safe mode, allowing unauthenticated attackers to exploit known fastjson gadget chains for Remote Code Execution.
VoIPmonitor Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)voipmonitor"})Description
VoIPmonitor login panel was detected.
Vodafone Vox UI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Vodafone Vox UI"})Description
Vodafone Vox UI login panel was detected.
Void Aural Rec Monitor 9.0.0.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)aurall"Description
Void Aural Rec Monitor 9.0.0.1 contains a SQL injection vulnerability in svc-login.php. An attacker can send a crafted HTTP request to perform a blind time-based SQL injection via the param1 parameter and thus possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Void Aural Rec Monitor 9.0.0.1.
Voilà Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)voila-notebooks"Description
Voilà is an open-source tool that turns Jupyter Notebooks into standalone web applications.
It is commonly used to share AI/ML dashboards and interactive data science tools.
VoipMonitor - Pre-Auth SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)voipmonitor"})Description
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SQL injection vulnerability in the VoipMonitor application.
VoipMonitor <24.61 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)voipmonitor"})Description
VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade VoipMonitor to version 24.61 or later to mitigate this vulnerability.
Vtiger CRM - Default Login
Author: icarotAdded: Nov 17, 2025
runzero-match
service["http.body"] matches "(?i)Powered by vtiger CRM"Description
Detected a Vtiger CRM instance that enabled default admin credentials.
Vtiger CRM v7.2.0 - Directory Listing
runzero-match
service["http.body"] matches "(?i)vtiger CRM"Description
Vtiger CRM v7.2.0 contains a directory traversal vulnerability caused by improper access controls in /libraries and /layout directories, letting attackers display hidden files and list directories, exploit requires no authentication.
Impact
Attackers can access sensitive files and directory structures, potentially leading to information disclosure or further exploitation.
Remediation
Update to the latest version of Vtiger CRM or apply security patches that enforce proper access controls.
Vue PACS - Panel
Author: righettodAdded: Dec 14, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vue pacs"})Description
Vue PACS was detected.
Vue Vben Admin - Default Credentials
runzero-match
service["http.body"] matches "(?i)vben" || service["http.body"] matches "(?i)vue-vben-admin"Description
Vue Vben Admin 2.10.1 contains a broken authentication caused by hardcoded credentials in the backend, letting attackers log in without proper authorization, exploit requires access to the login interface.
Impact
Attackers can gain unauthorized access to the backend, potentially leading to data theft or system control
Remediation
Remove hardcoded credentials and implement proper authentication mechanisms, update to the latest version if available.
WAGO - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)/wbm/\" html:\"wago"Description
In multiple products of WAGO, a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behavior, Denial of Service, and full system compromise.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
Remediation
Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.
WAGO Web based Management - Default Login
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
service["http.body"] matches "(?i)WAGO Ethernet Web-based Management"Description
Identified WAGO Web-Based Management interfaces that were accessible using default credentials (admin:wago).These interfaces are used to configure and monitor WAGO programmable logic controllers (PLCs) and automation systems. Use of factory-default credentials exposed critical OT infrastructure to unauthorized access.
WAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Intelligent WAPPLES"})Description
WAPPLES Web Application Firewall through 6.0 contains a hardcoded credentials vulnerability. It contains a hardcoded system account accessible via db/wp.no1, as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file. An attacker can use this account to access system configuration and confidential information, such as SSL keys, via an HTTPS request to the /webapi/ URI on port 443 or 5001.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the WAPPLES Web Application Firewall.
Remediation
Upgrade to a version of WAPPLES Web Application Firewall that does not contain hardcoded credentials or apply the vendor-provided patch to fix the vulnerability.
WAVLINK - Access Control
runzero-match
service["http.body"] matches "(?i)wavlink"Description
Wavlink WN530HG4, WN531G3, WN533A8, and WN551K are susceptible to improper access control via /cgi-bin/ExportAllSettings.sh, where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or control of the affected device.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK AC1200 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)AC1200"Description
A vulnerability is in the 'live_mfg.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. When processed, it exposes some key information of the manager of router.
Impact
Successful exploitation could lead to sensitive information disclosure.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
WAVLINK Quantum D4G (WL-WN531G3) - Information Disclosure
runzero-match
service["http.body"] matches "(?i)WN531G3"Description
WAVLINK Quantum D4G (WL-WN531G3) running firmware versions M31G3.V5030.201204 and M31G3.V5030.200325 has an access control issue which allows unauthenticated attackers to download configuration data and log files.
Impact
Successful exploitation could lead to sensitive information disclosure.
Remediation
Apply the latest firmware updates from Wavlink or implement network segmentation to restrict access to the device administration interface.
WAVLINK WN530H4 M30H4.V5030.190403 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)wavlink"Description
WAVLINK WN530H4 M30H4.V5030.190403 contains an information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint. This can allow an attacker to leak router settings, including cleartext login details, DNS settings, and other sensitive information without authentication.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, such as router configuration settings and user credentials.
Remediation
Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.
WAVLINK WN530H4 live_api.cgi - Command Injection
runzero-match
service["http.body"] matches "(?i)wavlink"Description
A remote command-line injection vulnerability in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without authentication.
Impact
Unauthenticated attackers can execute arbitrary Linux commands as root on the WAVLINK WN530H4 device, potentially leading to complete system compromise, data theft, or using the device as a pivot point for further attacks.
Remediation
Apply vendor security patches if available or replace the device with a secure alternative. Restrict access to the management interface.
WAVLINK WN530HG4 - Improper Access Control
runzero-match
service["http.body"] matches "(?i)wn530hg4" || any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
WAVLINK WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. It contains a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN530HG4 - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"}) || service["http.body"] matches "(?i)wn530hg4"Description
WAVLINK WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. An attacker can obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd] and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN530HG4 - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"}) || service["http.body"] matches "(?i)wn530hg4"Description
Wavlink WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. An attacker can download log files and configuration data via Exportlogs.sh and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings, potentially leading to further compromise of the network or device.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN533A8 - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"}) || service["http.body"] matches "(?i)wavlink"Description
WAVLINK WN533A8 M33A8.V5030.190716 is susceptible to improper access control. An attacker can obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);] and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the entire network.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN535 G3 - Improper Access Control
runzero-match
service["http.body"] matches "(?i)wavlink" || any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to improper access control. A vulnerability in /cgi-bin/ExportAllSettings.sh allows an attacker to execute arbitrary code via a crafted POST request and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN535 G3 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)wavlink" || any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in live_check.shtml. An attacker can obtain sensitive router information via execution of the exec cmd function and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as login credentials or network configuration.
Remediation
Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.
WAVLINK WN535 G3 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)wavlink" || any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in the live_mfg.shtml page. An attacker can obtain sensitive router information via the exec cmd function and possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as router configuration settings and user credentials.
Remediation
Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.
WAVLINK WN579 X3 M79X3.V5030.180719 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)wavlink"Description
WAVLINK WN579 X3 M79X3.V5030.180719 is susceptible to information disclosure in /cgi-bin/ExportAllSettings.sh. An attacker can obtain sensitive router information via a crafted POST request and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, such as router configuration settings and user credentials.
Remediation
Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.
WAVLINK WN579X3 - Remote Command Execution
runzero-match
service["http.body"] matches "Wavlink"Description
Remote Command Execution vulnerability in WAVLINK WN579X3 routers via pingIp parameter in /cgi-bin/adm.cgi.
Impact
Unauthenticated attackers can execute arbitrary commands through the pingIp parameter in the adm.cgi endpoint, potentially compromising the entire WAVLINK router and intercepting network traffic.
Remediation
Update WAVLINK WN579X3 firmware to a patched version that properly sanitizes the pingIp parameter and prevents command injection in adm.cgi.
WCFM Membership <= 2.10.0 - Broken Access Control
runzero-match
service["http.body"] matches "(?i)wcfmmp_become_vendor_link"Description
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks true the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings.
Impact
Unauthenticated attackers can modify membership details, approve or deny memberships, and change renewal info, potentially leading to data tampering and unauthorized access.
Remediation
Update to WCFM Membership version 2.10.1 or later.
WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wc-multivendor-marketplace"Description
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
Impact
Unauthenticated attackers can execute SQL injection through multiple unsanitized parameters, potentially gaining access to all WooCommerce marketplace data including customer and vendor information.
Remediation
Fixed in 3.4.12
WD My Cloud Panel - Detect
Author: DhiyaneshDkAdded: Jun 26, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1074357885"WIFISKY-7 Layer Flow Control Router - Remote Code Execution
Author: pussycat0xAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "WIFISKY 7层流控路由器"})Description
There is an RCE vulnerability in the confirm.php interface of WIFISKY-7 layer flow control router
WP Content Copy Protection & No Right Click - Open Redirect
runzero-match
service["product"] matches "(?i)wp.buy.wp.content"Description
The WP Content Copy Protection & No Right Click plugin before version 15.3 contains an open-redirect vulnerability via the referrer parameter in no-js.php, allowing redirection of users to external sites.
Impact
Attackers can redirect users to malicious external sites, facilitating phishing or malware distribution.
Remediation
Update to version 15.3 or later.
WP Directory Kit < 1.5.0 - Unauthenticated Email Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpdirectorykit/"Description
WP Directory Kit plugin for WordPress <= 1.4.9 contains a sensitive information exposure caused by improper access control in wdk_public_action AJAX handler, letting unauthenticated attackers extract email addresses of users with Directory Kit-specific roles.
Impact
Unauthenticated attackers can extract email addresses of users with specific roles, leading to privacy breaches.
Remediation
Update to the latest version beyond 1.4.9.
WP Directory Kit <= 1.4.3 - Unauthenticated SQL Injection
runzero-match
service["http.body"] matches "(?i)plugins/wpdirectorykit/"Description
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
An unauthenticated attacker can extract sensitive information from the WordPress database including user credentials, posts, and other data.
Remediation
Update WP Directory Kit plugin to version 1.4.4 or later.
WP Directory Kit <= 1.4.4 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpdirectorykit"Description
The WP Directory Kit plugin for WordPress version 1.4.4 and below contains an authentication bypass vulnerability in its auto-login functionality. The vulnerability allows unauthenticated attackers to gain administrative access by exploiting a cryptographically weak token generation mechanism that uses only the first 10 characters of MD5(user_id). For user_id=1 (typically admin), the token is always predictable.
Impact
Unauthenticated attackers can gain administrative access, leading to full site takeover.
Remediation
Update to the latest version beyond 1.4.4.
WP Fastest Cache 1.2.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-fastest-cache/"Description
The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Impact
Unauthenticated attackers can execute SQL injection to extract the complete WordPress database including user credentials and site data.
Remediation
Fixed in 1.2.2
WP Google Maps < 9.0.48 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)wp-google-maps"Description
WP Google Maps WordPress plugin < 9.0.48 contains a stored XSS vulnerability caused by unsanitized user input in AJAX actions, letting unauthenticated attackers execute scripts via stored payloads.
Impact
Unauthenticated attackers can execute arbitrary scripts in users' browsers, leading to session hijacking or defacement.
Remediation
Update to version 9.0.48 or later.
WP Hotel Booking < 1.10.4 - PHP Object Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-hotel-booking/"Description
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
Impact
Unauthenticated attackers can exploit PHP object injection to execute arbitrary code, leading to complete server compromise.
Remediation
Upgrade to WP Hotel Booking version 1.10.3 or later.
WP Hotel Booking <= 2.0.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-hotel-booking/"Description
WP Hotel Booking WordPress plugin before 2.0.8 contains a SQL injection caused by lack of authorization, CSRF checks, and input escaping in a function hooked to admin_init, letting unauthenticated users perform SQL injections, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
Remediation
Update to version 2.0.8 or later.
WP Hotel Booking <= 2.1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-hotel-booking/"Description
The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL queries, potentially leading to data leakage or database compromise.
Remediation
Update to the latest version of WP Hotel Booking plugin that addresses this vulnerability, or apply security patches provided by the vendor.
WP Popup Builder Popup Forms and Marketing Lead Generation <= 1.3.5 - Arbitrary Shortcode Execution
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-popup-builder/"Description
The The WP Popup Builder Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Impact
Unauthenticated attackers can execute arbitrary shortcodes through the AJAX action, potentially leading to information disclosure, privilege escalation, or remote code execution depending on available shortcodes in the WordPress installation.
Remediation
Update WP Popup Builder plugin to a version later than 1.3.5 that properly validates values before executing do_shortcode in the wp_ajax_nopriv_shortcode_Api_Add AJAX action.
WP Query Console <= 1.0 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/wp-query-console/"Description
Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.This issue affects WP Query Console- from n/a through 1.0.
Impact
Attackers can exploit vulnerabilities to compromise the system.
Remediation
Update to the latest patched version addressing CVE-2024-50498.
WP Responsive Images <= 1.0 - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-responsive-images/"Description
WP Responsive Images plugin for WordPress <= 1.0 contains a path traversal caused by improper sanitization of the 'src' parameter, letting unauthenticated attackers read arbitrary files on the server.
Impact
nauthenticated attackers can read arbitrary files, potentially exposing sensitive information.
Remediation
Update to the latest version of WP Responsive Images plugin.
WP Travel Engine <= 5.7.9 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-travel-engine/"Description
WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries, exploit requires user interaction.
Impact
Attackers can execute arbitrary SQL queries, potentially leading to data theft, modification, or deletion.
Remediation
Update to the latest version of WP Travel Engine.
WP Umbrella Update Backup Restore & Monitoring <= 2.17.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-health"Description
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Impact
Unauthenticated attackers can exploit local file inclusion through the filename parameter in the umbrella-restore action to read arbitrary server files including /etc/passwd, execute PHP code, and gain complete server compromise.
Remediation
Validate and sanitize user inputs to prevent directory traversal. Use a whitelist approach for file paths and restrict file access to intended directories only.
WP User <= 7.0 - Unauthenticated SQLi
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-user/"Description
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Impact
Unauthenticated attackers can execute time-based blind SQL injection through the id parameter in wpuser_group_action AJAX endpoint, potentially extracting sensitive database information including user credentials, personal data, and WordPress configuration.
Remediation
Update WP User plugin to a version later than 7.0 that properly sanitizes and parameterizes the id parameter in admin-ajax.php.
WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-stats-manager"Description
The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.
Impact
Unauthenticated attackers can execute time-based SQL injection through the visitorId parameter to extract the complete WordPress database including user credentials and site statistics.
Remediation
Fixed in version 6.9
WP-Optimize WordPress plugin < 3.2.13 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-optimize"Description
The WP-Optimize WordPress plugin before 3.2.13 and SrbTransLatin WordPress plugin before 2.4.1 are vulnerable to cross-site scripting due to a third-party library that improperly handles HTML character escaping.
Impact
Unauthenticated attackers can inject malicious JavaScript through search parameters due to improper HTML character escaping in a third-party library, enabling theft of WordPress user session cookies.
Remediation
Users are recommended to upgrade WP-Optimize to version 3.2.13 and SrbTransLatin to version 2.4.1 to mitigate the vulnerability.
WP-Recall – Plugin <= 16.26.10 - Unauthenticated SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-recall/"Description
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the 'databeat' parameter in all versions up to, and including, 16.26.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute arbitrary SQL queries through time-based blind SQL injection in the databeat parameter, leading to extraction of sensitive database information including user credentials and personal data.
Remediation
Update to version 16.26.12, or a newer patched version
WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WordPress\" \"graphql"})Description
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Impact
An attacker can exploit this vulnerability to post unauthorized comments on WordPress posts, potentially leading to content manipulation and defacement.
Remediation
Update WPGraphQL to version 0.3.0 or later to fix this vulnerability.
WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-graphql/"Description
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
Impact
An attacker can exploit this vulnerability to enumerate all WordPress users and extract sensitive information including email addresses, usernames, and user roles without authentication.
Remediation
Update WPGraphQL to version 0.3.0 or later to fix this vulnerability.
WPMobile.App <= 11.56 - Open Redirect
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpappninja"Description
The WPMobile.App plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 11.56. This is due to insufficient validation on the redirect URL supplied via the 'redirect' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Impact
Unauthenticated attackers can redirect users to malicious phishing sites or credential harvesting pages via the redirect parameter.
Remediation
Update WPMobile.App plugin to a version newer than 11.56.
WPS Hide Login <= 1.5.2.2 - Login Page Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wps-hide-login"Description
WPS-Hide-Login plugin before 1.5.3 for WordPress contains an action=confirmaction protection bypass, letting attackers bypass security checks, exploit requires sending crafted requests.
Impact
Attackers can bypass login protection, potentially leading to unauthorized access.
Remediation
Update to version 1.5.3 or later.
WPS Hide Login <= 1.9.15.2 - Login Page Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wps-hide-login"Description
The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may have been hidden by the plugin.
Impact
Attackers can discover hidden WordPress login pages by bypassing the WPS Hide Login plugin's protection mechanism.
Remediation
Update WPS Hide Login plugin to a version newer than 1.9.15.2.
WS-FTP Ad Hoc Transfer Panel - Detect
Author: johnk3rAdded: Nov 14, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ad hoc transfer"}) || any(each(service["html.titles"]), {# matches "(?i)ws_ftp server web transfer"})Description
WS_FTP Ad Hoc panel was detected.
WSO2 - Server Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "WSO2 Management Console"})Description
WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature accessible only to administrative users, caused by improper URL validation and direct content reflection, letting attackers trick admins into executing arbitrary JavaScript and querying internal services.
Impact
Attackers can execute arbitrary JavaScript in admin browsers and perform internal network requests, risking UI manipulation, data exfiltration, and internal service enumeration.
Remediation
Remove or secure the deprecated Try-It feature and validate user-supplied URLs properly; update to the latest product versions with fixes.
WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1398055326"Description
WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection (XXE). XXE often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, denial of service, or server-side request forgery.
Remediation
Upgrade to a patched version of WSO2 API Manager (3.1.1 or above) or apply the provided security patch.
WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1398055326"Description
WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
Remediation
Upgrade to a patched version of WSO2 Carbon Management Console (5.11 or above) or apply the provided security patch to mitigate this vulnerability.
WSO2 Management Console - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1398055326"Description
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
Impact
Attackers can bypass authentication to access internal memory statistics, leading to partial information disclosure.
Remediation
Apply security patches as per WSO2-2025-4115 advisory to enforce proper authentication on Management Console endpoints.
WSO2 Management Console Default Login
runzero-match
any(each(service["html.titles"]), {# matches "WSO2 Management Console"})Description
WSO2 Management Console default admin credentials were discovered.
WSO2 Management Console Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1398055326"Description
WSO2 Management Console login panel was detected.
WS_FTP Server - Insecure Deserialization
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ad Hoc Transfer"})Description
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
Impact
Unauthenticated attackers can exploit .NET deserialization vulnerability in the Ad Hoc Transfer module to execute arbitrary commands on the WS_FTP Server, potentially compromising the entire file transfer infrastructure and accessing all transferred files.
Remediation
Update Progress WS_FTP Server to version 8.7.4 or 8.8.2 or later that properly validates deserialization input in the Ad Hoc Transfer module.
WS_FTP Server Web Transfer - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ws_ftp server web transfer"}) || any(each(service["html.titles"]), {# matches "(?i)ad hoc transfer"})Description
WS_FTP Server Web Transfer panel was detected.
WWBN AVideo 11.6 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)AVideo"Description
A reflected XSS vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff, allowing arbitrary Javascript execution.
Impact
Successful exploitation could lead to unauthorized access to sensitive information or account takeover.
Remediation
Sanitize and validate user input to prevent XSS attacks.
Wagtail Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wagtail - sign in"})Description
The Wagtail panel has been detected.
Wallix Access Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Wallix Access Manager"})Description
Wallix Access Manager panel was detected.
WampServer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WAMPSERVER Homepage"})Description
WampServer panel was detected.
Wanhu OA TeleConferenceService Interface - XML External Entity Injection
runzero-match
service["product"] matches "(?i)万户网络.ezOFFICE"Description
There is an XXE injection vulnerability in the Wanhu OA TeleConferenceService interface. An attacker can use the vulnerability to continue XXE injection to obtain sensitive information on the server.
WatchGuard Fireware AD Helper Component - Credentials Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "Fireware XTM User Authentication"})Description
WatchGuard Fireware Threat Detection and Response (TDR) service contains a credential-disclosure vulnerability in the AD Helper component that allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext.
Impact
Remote attackers can retrieve cleartext passwords, leading to potential account compromise and further system exploitation.
Remediation
Update to version 5.8.5.10317 or later.
Watcher Panel - Detect
Author: DhiyaneshDKAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)/vsaas/v2/static/"Watershed Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Watershed LRS"})Description
Watershed login panel was detected.
Wavlink - Improper Access Control
runzero-match
service["favicon.ico.image.mmh3"] == "-1350437236"Description
Wavlink WL-WN530H4 M30H4.V5030.210121 is susceptible to improper access control in the component /cgi-bin/ExportLogs.sh. An attacker can download configuration data and log files, obtain admin credentials, and potentially execute unauthorized operations.
Impact
The vulnerability can lead to unauthorized access, data leakage, or unauthorized actions on the affected device.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
Wavlink Multiple AP - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Wi-Fi APP Login"})Description
Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may also be affected.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the affected device.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
Wavlink WL-WN530HG4 M30HG4.V5030.201217 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)WN530HG4"Description
An access control issue in Wavlink WL-WN530HG4 M30HG4.V5030.201217 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials.
Impact
Successful exploitation could lead to sensitive information disclosure.
Remediation
Apply the latest firmware updates from Wavlink or implement network segmentation to restrict access to the device administration interface.
Wavlink WL-WN533A8 M33A8.V5030.190716 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)WN533A8"Description
An access control issue in the component /cgi-bin/ExportLogs.sh of Wavlink WL-WN533A8 M33A8.V5030.190716 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials.
Impact
Successful exploitation could lead to sensitive information disclosure.
Remediation
Apply the latest firmware updates from Wavlink or implement network segmentation to restrict access to the device administration interface.
Wavlink WN535K2/WN535K3 - OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection which affects unknown code in /cgi-bin/nightled.cgi via manipulation of the argument start_hour. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
Wavlink WN535K2/WN535K3 - OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Wi-Fi APP Login"})Description
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
Wavlink WN535K2/WN535K3 - OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Wi-Fi APP Login"})Description
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in /cgi-bin/touchlist_sync.cgi via manipulation of the argument IP. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
Wazuh - Default Login
Author: theamanrawat,denandz,PulseSecurity.co.nzAdded: Oct 17, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Wazuh"})Description
Wazuh contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Wazuh Login Panel
Author: cyllective,daffainfo,idealphaseAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wazuh"})Description
Wazuh - The Open Source Security Platform
WeChat agentinfo - Information Exposure
Author: SleepingBag945Added: Aug 18, 2023
runzero-match
service["http.body"] matches "(?i)wework_admin\\.normal_layout"Description
There is an information leakage vulnerability in the agentinfo interface of Tencent Enterprise WeChat. An attacker can obtain the Enterprise WeChat Secret through the vulnerability.
WeGIA - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WeGIA"})Description
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a path traversal vulnerability was discovered in the WeGIA application, html/socio/sistema/download_remessa.php endpoint. This vulnerability could allow an attacker to gain unauthorized access to local files in the server and sensitive information stored in config.php. config.php contains information that could allow direct access to the database. This issue has been patched in version 3.4.8.
Impact
Attackers can read arbitrary files including sensitive configuration files containing database credentials through path traversal in the download_remessa.php endpoint.
Remediation
Upgrade to WeGIA version 3.4.8 or later, which patches the path traversal vulnerability.
Web File Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Web File Manager"})Description
Web File Manager login panel was detected.
Web Page Test - Server Side Request Forgery (SSRF)
runzero-match
any(each(service["html.titles"]), {# matches "WebPageTest"})Description
Web Page Test is vulnerable to SSRF.
Web Transfer Client Login Panel - Detect
Author: righettodAdded: Mar 5, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Web Transfer Client"})Description
Progress Web Transfer Client login panel was detected.
Web Viewer for Samsung DVR - Detect
Author: JustaAcatAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)web viewer for samsung dvr"})Web-Check < 2.0.1 Screenshot API - OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "Web-Check"})Description
Lissy93/web-check contains a command injection caused by unsanitized user input in the screenshot API, letting attackers execute arbitrary system commands, exploit requires sending crafted url parameters.
Impact
Attackers can execute arbitrary commands on the host, potentially leading to remote code execution or system compromise.
Remediation
Upgrade Web-Check to version 2.0.1 or later. The fix replaces exec() with execFile(),
which avoids shell interpretation and properly isolates command arguments.
WebIQ 2.15.9 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WebIQ"})Description
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
Impact
Unauthenticated attackers can exploit directory traversal to read arbitrary files from the Windows system, potentially exposing sensitive configuration files, credentials, database files, and system information.
Remediation
Update WebIQ to a version later than 2.15.9 to address the directory traversal vulnerability.
WebMethod Integration Server Default Login
Author: ChristianPoeschl,OleWagner,usdAGAdded: Feb 20, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-234335289"WebPageTest Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WebPageTest"})Description
WebPageTest login panel was detected.
WebShell4 Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)webshell4"Description
WebShell4 login panel was detected.
WebTitan Cloud Panel - Detect
Author: ritikchaddhaAdded: Oct 25, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1090061843"Description
WebTitan Cloud is a cloud-based web filtering solution that monitors, controls, and protects users and businesses online. It blocks malware, phishing, viruses, ransomware, and malicious sites.
WebcomCo - Panel
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WebcomCo"})Weblate Public Project - Exposure
Author: ritikchaddhaAdded: Jan 19, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Weblate"})Description
Weblate instance is publicly accessible. Public exposure of Weblate may lead to unauthorized access to translation projects, potential data leaks, credential exposure, or manipulation of open source localization data. Attackers can view available projects and access sensitive information if proper access controls are not implemented.
Webmin - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Webmin"})Description
Webmin default login credentials were discovered.
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
runzero-match
service["product"] contains "Webmin:Usermin" || service["product"] contains "Webmin:Webmin"Description
Webmin before 1.290 and Usermin before 1.220 contain a path traversal caused by calling the simplify_path function before decoding HTML, letting remote attackers read arbitrary files, exploit requires sending crafted '..%01' sequences.
Impact
Attackers can read arbitrary files on the server, potentially exposing sensitive information.
Remediation
Update to Webmin 1.290 and Usermin 1.220 or later versions.
Webmin < 1.920 - Authenticated Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)webmin"})Description
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
Impact
Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system.
Remediation
Upgrade Webmin to version 1.920 or later to mitigate this vulnerability.
Webmin <= 1.920 - Unauthenticated Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)webmin"})Description
Webmin <=1.920. is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with root privileges.
Remediation
Upgrade to Webmin version 1.930 or later to mitigate this vulnerability.
Webmin Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)webmin"})Description
Webmin admin login panel was detected.
Webmodule Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Webmodule"})Description
Webmodule login panel was detected.
Webnus Inc. Modern Events Calendar - Broken Access Control
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/modern-events-calendar(?:-lite)?/"Description
Webnus Inc. Modern Events Calendar <= 7.29.0 contains a broken access control vulnerability caused by incorrectly configured access control security levels, letting attackers bypass authorization, exploit requires no special privileges.
Impact
Attackers can bypass authorization and access restricted functionality or data, potentially compromising system integrity.
Remediation
Update to the latest version beyond 7.29.0.
Webroot Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Webroot - Login"})Description
Webroot login panel was detected.
Websvn <2.6.1 - Remote Code Execution
runzero-match
service["product"] matches "(?i)websvn"Description
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade Websvn to version 2.6.1 or later to mitigate this vulnerability.
Webuzo Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)webuzo - admin panel"})Description
Webuzo admin login panel was detected.
WeiPHP 5.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)weiphp5\\.0" || service["http.body"] matches "(?i)weiphp"Description
WeiPHP 5.0 contains a SQL injection vulnerability via the wp_where function. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to a patched version of WeiPHP or apply the vendor-supplied patch to fix the SQL Injection vulnerability.
WeiYe-Jing datax-web <= 2.1.2 - OS Command Injection
runzero-match
service["product"] matches "(?i)datax.web"Description
A vulnerability, which was classified as critical, has been found in WeiYe-Jing datax-web 2.1.2. Affected by this issue is some unknown functionality of the file /api/log/killJob of the component HTTP POST Request Handler. The manipulation of the argument processId leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249086 is the identifier assigned to this vulnerability.
Impact
Authenticated attackers with low privileges can inject and execute arbitrary OS commands via the processId parameter, potentially gaining full system access.
Remediation
Update datax-web to a version newer than 2.1.2.
Weiphp Panel - Detect
runzero-match
service["http.body"] matches "(?i)weiphp" || service["http.body"] matches "(?i)weiphp5\\.0"Description
Weiphp panel was detected.
Wekan Sign Up Page - Exposure
Author: DhiyaneshDKAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)Wekan"Description
Detected exposed Wekan sign-up functionality, indicating that unauthenticated users could access the registration page and potentially create new accounts.
Westermo Industrial Router - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^lynx - westermo"})Description
Westermo industrial router web interface panel has been detected.
Western Digital MyCloud NAS - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1074357885"Description
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called \"cgi_get_ipv6\" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter \"flag\" with the value \"1\" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.
Impact
An attacker can bypass authentication and gain unauthorized access to the device, potentially leading to data theft or unauthorized control of the NAS.
Remediation
Apply the latest firmware update provided by Western Digital to fix the authentication bypass vulnerability.
Western Digital MyCloud NAS - Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1074357885"Description
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data loss, and potential compromise of the entire network.
Remediation
Apply the latest firmware update provided by Western Digital to patch the vulnerability and ensure the device is not accessible from the internet.
Whatsup Gold Login Panel - Detect
Author: rxeriumAdded: Aug 9, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WhatsUp Gold"})Description
Whatsup Gold login panel was detected.
White Star Software ProTop - Directory Traversal
runzero-match
service["http.body"] matches "(?i)<title>ProTop"Description
A directory traversal vulnerability was discovered in White Star Software Protop version 4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. An unauthenticated attacker can remotely read arbitrary files on the underlying OS using encoded traversal sequences.
Impact
Unauthenticated attackers can read arbitrary files from the operating system through encoded traversal sequences in the /pt3upd/ endpoint, potentially exposing sensitive configuration and credential files.
Remediation
Upgrade White Star Software ProTop to a version after v4.4.2-2024-11-27.
WhoDB < 0.45.0 - Path Traversal
runzero-match
service["http.body"] matches "(?i)whodb"Description
WhoDB contains a path traversal caused by lack of validation when opening database files, letting unauthenticated attackers access arbitrary Sqlite3 databases on the host system, exploit requires attacker to manipulate database filename input.
Impact
Attackers can access any Sqlite3 database on the system, potentially exposing sensitive data.
Remediation
Upgrade to version 0.45.0 or later.
Wifisky Default Login
runzero-match
any(each(service["html.titles"]), {# matches "WIFISKY-7层流控路由器"})Description
Wifisky default admin credentials were discovered.
Wildfly - Default Admin Login
Author: s0obiAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Welcome to WildFly"})Description
Wildfly default admin login credentials were successful.
Wildix Collaboration Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1295577382"Description
Wildix Collaboration login panel was detected.
Windmill Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Windmill"})Description
Windmill panel was detected. Windmill (windmill.dev) is an open-source developer platform for workflows, scripts and internal apps, often self-hosted as a Postgres-backed UI. Exposed instances may reveal scripts, secrets and connected resources, and provide an authenticated path to script execution.
Windmill/Nextcloud Flow < 1.603.3 - Unauthenticated Path Traversal
runzero-match
service["http.body"] matches `id="Windmill"` && service["http.body"] matches `svelte-global-loader`Description
Windmill < 1.603.3 contains a path traversal caused by unsanitized filename parameter in get_log_file endpoint, letting unauthenticated attackers read arbitrary files on the server, exploit requires no authentication.
Impact
Unauthenticated attackers can read arbitrary files on the server, potentially exposing sensitive information.
Remediation
Update to version 1.603.3 or later.
Windows Admin Center Panel - Detection
Author: darsesAdded: Jun 21, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-765377534" || any(each(service["html.titles"]), {# matches "(?i)Windows Admin Center"})Description
Detect Windows Admin Center Panel web interface.
Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
runzero-match
service["favicon.ico.image.mmh3"] == "963565804" || any(each(service["html.titles"]), {# matches "(?i)Wing FTP Server"})Description
Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability (CVE-2025-47813).
The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an
overlong UID value causes the server to respond with an error that includes the full local filesystem path. This can aid in further
exploitation (e.g., CVE-2025-47812) by revealing the application’s file system layout.
Impact
Authenticated attackers can supply an overlong UID cookie value to trigger error responses that disclose the full local filesystem path, aiding in further exploitation attempts.
Remediation
Upgrade Wing FTP Server to version 7.4.4 or later that properly validates UID cookie values.
Wing FTP Server <= 7.4.3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wing ftp server"}) || service["http.head.server"] matches "wing ftp server" || service["http.body.mmh3"] == "2121146066" || service["favicon.ico.image.mmh3"] == "963565804"Description
Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812).
The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection
into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting
in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.
Impact
Unauthenticated attackers can inject and execute Lua code through NULL byte handling in the username parameter when anonymous login is enabled, achieving remote code execution with elevated privileges.
Remediation
Upgrade Wing FTP Server to version 7.4.4 or later that properly handles NULL bytes in authentication parameters.
Wiren Board WebUI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Wiren Board Web UI"})Description
Wiren Board WebUI panel was detected.
WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/woocommerce-ultimate-gift-card"Description
The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Impact
Unauthenticated attackers can upload arbitrary files including PHP scripts to the server through insufficient file type validation, enabling remote code execution and complete server compromise.
Remediation
Update WooCommerce Ultimate Gift Card plugin to a version later than 2.6.0 that addresses the arbitrary file upload vulnerability in the mwb_wgm_preview_mail and mwb_wgm_woocommerce_add_cart_item_data functions.
Woodpecker CI Panel - Detect
Author: Shivam KambojAdded: Dec 27, 2025
runzero-match
service["product"] contains "Woodpecker CI:Woodpecker"Description
Woodpecker CI panel was detected. Woodpecker is a community fork of Drone CI, providing a simple yet powerful continuous integration platform.
Woodwing Studio Server Panel - Detect
Author: pdteam,righettodAdded: Dec 13, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WoodWing Studio Server"})WordPress 12 Step Meeting List Plugin <= 3.14.33 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/12-step-meeting-list/"Description
Code for Recovery 12 Step Meeting List versions up to 3.14.33 contain a reflected cross-site scripting caused by improper input neutralization during web page generation, letting attackers execute malicious scripts in users' browsers, exploit requires attacker to craft a malicious URL.
Impact
Attackers can execute malicious scripts in user browsers, potentially stealing cookies, session tokens, or performing actions on behalf of users.
Remediation
Implement proper input sanitization and output encoding, and update to the latest version.
WordPress <= 5.2.4 - Unauthenticated View Private/Draft Posts
runzero-match
service["http.body"] matches "(?i)Wordpress" && service["http.body"] matches `(?i)status-draft`Description
WordPress before 5.2.4 contains an information disclosure caused by mishandling of the static query property, letting unauthenticated users view certain content, exploit requires no authentication.
Impact
Unauthenticated users can view restricted content, leading to information disclosure.
Remediation
Update to WordPress 5.2.4 or later.
WordPress <= 6.2 - Server Side Request Forgery
runzero-match
service["product"] matches "(?i)wordpress"Description
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
Impact
Unauthenticated attackers can exploit a race condition in the WordPress pingback feature to perform blind SSRF attacks, potentially accessing internal network resources, cloud metadata endpoints, or other restricted internal services that are explicitly forbidden by validation checks.
Remediation
Update WordPress to version 6.0.3 or later that properly handles TOCTOU race conditions in the pingback feature.
WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/chatbot/"Description
ChatBot plugin for WordPress up to 4.8.9 contains a sql_injection caused by insufficient escaping and lack of preparation on the $strid parameter, letting unauthenticated attackers extract sensitive data, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary SQL queries, leading to data disclosure and potential database compromise.
Remediation
Update to the latest version of the plugin that addresses this vulnerability, or apply security patches provided by the vendor.
WordPress AI Engine Plugin - Token Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ai-engine/"Description
Unauthenticated sensitive information exposure in AI Engine WordPress plugin <= 3.1.3 exposes bearer tokens via REST API endpoints when No-Auth URL is enabled.
Impact
Unauthenticated attackers can retrieve sensitive bearer tokens from AI Engine WordPress plugin through exposed REST API endpoints, potentially allowing privilege escalation and unauthorized access to AI service credentials.
Remediation
Upgrade to AI Engine version 3.1.4 or later that properly secures REST API endpoints and token handling.
WordPress AMP - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/accelerated-mobile-pages"Description
The WordPress AMP - Accelerated Mobile Pages plugin was detected to be vulnerable to Full Path Disclosure, allowing unauthenticated access to the full application path.
WordPress AcyMailing <7.5.0 - Open Redirect
runzero-match
service["product"] matches "(?i)acymailing"Description
WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Update the AcyMailing plugin to version 7.5.0 or later to fix the open redirect vulnerability.
WordPress AddToAny Share Buttons Plugin - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/add-to-any/"Description
The AddToAny Share Buttons plugin for WordPress was detected to be vulnerable to Full Path Disclosure, allowing unauthenticated access to the full application path.
WordPress AnyComment <0.3.5 - Open Redirect
runzero-match
service["product"] matches "(?i)bologer.anycomment"Description
WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the execution of other malicious activities.
Remediation
Update to the latest version of WordPress AnyComment plugin (0.3.5 or higher) to fix the open redirect vulnerability.
WordPress Astra - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/themes/astra/"Description
WordPress Astra Theme files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Astra Sites - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/astra-sites/"Description
WordPress Starter Templates plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress BackWPup < 4.0.4 - Backup File Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/backwpup/"Description
BackWPup WordPress plugin < 4.0.4 contains a directory listing vulnerability caused by lack of access restrictions in its temporary backup folder, letting unauthenticated attackers download site backups, exploit requires no authentication.
Impact
Unauthenticated attackers can download site backups, potentially leading to data theft or further exploitation.
Remediation
Update to version 4.0.4 or later.
WordPress Backup Migration <= 1.3.6 - Path Traversal
runzero-match
service["http.body"] matches "(?i)backup-migration"Description
WordPress Backup Migration plugin versions up to 1.3.6 contain a path traversal and file validation issue in handle_downloading function, letting unauthenticated attackers download backup files containing sensitive information.
Impact
Attackers can download backup files with sensitive data, leading to data breaches and privacy violations.
Remediation
Update to the latest version of the plugin, version 1.3.7 or later.
WordPress Broken Link Notifier < 1.3.1 - Unauthenticated SSRF
runzero-match
service["http.body"] matches "blnotifier_front_end"Description
The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Impact
An attacker can exploit this vulnerability to perform server-side request forgery attacks, potentially accessing internal services, reading local files, or conducting port scanning from the server's perspective.
Remediation
Update the Broken Link Notifier plugin to version 1.3.1 or later which fixes this vulnerability. If immediate update is not possible, consider temporarily disabling the plugin until the fix can be applied.
WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/burst-statistics/"Description
Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in is_mainwp_authenticated() function, letting unauthenticated attackers impersonate administrators, exploit requires knowledge of an administrator username.
Impact
Unauthenticated attackers can impersonate administrators, leading to privilege escalation and full control over the application.
Remediation
Update to a version later than 3.4.1.1 or the latest available version.
WordPress CAS Theme <= 1.0.0 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "wp-content/themes/cas/"Description
The CAS WordPress theme through version 1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the 'url' parameter in the get_remote_data.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
Impact
Unauthenticated attackers can force the server to make arbitrary requests via SSRF, potentially accessing internal services.
Remediation
Update CAS WordPress theme to a version later than 1.0.0 that patches the SSRF vulnerability.
WordPress CMB2 - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/cmb2/"Description
WordPress CMB2 plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Campress Theme <= 1.35 - Unauthenticated Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/themes/campress/"Description
Campress theme for WordPress up to 1.35 contains a local file inclusion caused by 'campress_woocommerce_get_ajax_products' function, letting unauthenticated attackers include and execute arbitrary PHP files, exploit requires no authentication.
Impact
Attackers can include and execute arbitrary PHP files, leading to remote code execution and potential full server compromise.
Remediation
Update to the latest version beyond 1.35.
WordPress Canto 1.3.0 - Blind Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)canto"Description
WordPress Canto plugin 1.3.0 is susceptible to blind server-side request forgery. An attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources and potential data leakage.
Remediation
Update WordPress Canto to the latest version (1.3.1) or apply the patch provided by the vendor.
WordPress Collapsing Categories <= 3.0.8 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/collapsing-categories/"Description
Collapsing Categories plugin for WordPress <= 3.0.8 contains a sql_injection caused by insufficient escaping of 'taxonomy' parameter in /wp-json/collapsing-categories/v1/get REST API, letting unauthenticated attackers execute arbitrary SQL queries, exploit requires sending crafted 'taxonomy' parameter.
Impact
Attackers can execute arbitrary SQL queries, potentially leading to data leakage or database compromise.
Remediation
Update to the latest version of the plugin that addresses this vulnerability or apply security patches provided by the vendor.
WordPress Coming Soon Page - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/responsive-coming-soon"Description
WordPress Coming Soon Page & Maintenance Mode plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Core - Post Author Email Disclosure
runzero-match
service["http.body"] matches "(?i)oembed"Description
WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is applied to the user_email column.
Impact
This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
WordPress Core <=6.2 - Directory Traversal
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/"Description
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter.
Impact
This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
WordPress Download Manager - File Password Exposure
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/download-manager/"Description
The WordPress Download Manager plugin contains a vulnerability that allows attackers to obtain passwords for password-protected downloads by sending a specially crafted request to the validate-password API endpoint.
Impact
Unauthenticated attackers can obtain passwords for password-protected downloads by sending crafted requests to the validate-password API endpoint.
Remediation
Update the WordPress Download Manager plugin to the latest version.
WordPress Download Manager < 3.3.07 - Unauthenticated Data Exposure
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/download-manager/"Description
The WordPress Download Manager plugin before version 3.3.07 does not prevent directory listing on web servers that don't use htaccess, allowing unauthorized access to files stored in the download-manager-files directory.
Impact
Unauthenticated attackers can access sensitive files stored in the download-manager-files directory due to directory listing, potentially exposing confidential documents or data.
Remediation
Update the WordPress Download Manager plugin to version 3.3.07 or later.
WordPress Download Manager <= 3.2.59 - Reflected XSS
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/download-manager/"Description
W3 Eden, Inc. Download Manager plugin <= 3.2.59 contains a reflected cross-site scripting caused by insufficient input sanitization, letting attackers execute scripts in the context of the victim's browser, exploit requires attacker to craft a malicious link.
Impact
Attackers can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking or defacement.
Remediation
Update to the latest version of the plugin where the vulnerability is fixed.
WordPress Duplicator 1.3.24 & 1.3.26 - Local File Inclusion
runzero-match
service["service.product"] == "WordPress"Description
WordPress Duplicator 1.3.24 & 1.3.26 are vulnerable to local file inclusion vulnerabilities that could allow attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two
versions v1.3.24 and v1.3.26, the vulnerability wasn't
present in versions 1.3.22 and before.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire WordPress installation.
Remediation
Update the WordPress Duplicator plugin to the latest version (1.3.27 or higher) to mitigate the vulnerability.
WordPress End-of-Life - Detect
Author: Shivam KambojAdded: Mar 4, 2026
runzero-match
service["product"] contains "WordPress:WordPress"Description
Detected WordPress versions that have reached End-of-Life (EOL) and no longer receive security updates.
WordPress English Admin <1.5.2 - Open Redirect
runzero-match
service["product"] matches "(?i)english.wordpress.admin"Description
WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of other malicious activities.
Remediation
Update to the latest version of the WordPress English Admin plugin (1.5.2 or higher) to fix the open redirect vulnerability.
WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
runzero-match
service["product"] matches "(?i)colorlib.activello"Description
WordPress themes including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4 contain a function injection caused by epsilon_framework_ajax_action, letting unauthenticated attackers call functions and achieve remote code execution, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary code remotely, leading to full site compromise.
Remediation
Update themes to the latest versions where the vulnerability is fixed or apply security patches provided by theme developers.
WordPress Event Tickets < 5.2.2 - Open Redirect
runzero-match
service["product"] matches "(?i)tri.event.tickets"Description
WordPress Event Tickets < 5.2.2 is susceptible to an open redirect vulnerability. The plugin does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue.
Impact
Attackers can redirect users to malicious websites through the tribe_tickets_redirect_to parameter, potentially facilitating phishing attacks or malware distribution.
Remediation
Update to the latest version of the WordPress Event Tickets plugin (5.2.2 or higher) to fix the open redirect vulnerability.
WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download
runzero-match
service["http.body"] matches "(?i)wp-event-solution"Description
Themewinter Eventin contains a path traversal caused by relative path manipulation, letting attackers access arbitrary files on the server, exploit requires no specific privileges or user interaction.
Impact
Attackers can access sensitive files on the server, potentially leading to information disclosure or system compromise.
Remediation
Update to the latest version of Eventin, version 4.0.27 or later.
WordPress Events Calendar 6.8.2.1 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/the-events-calendar/"Description
The Events Calendar WordPress plugin 6.8.2.1 contains missing access checks in the REST API, letting unauthenticated users access information about password protected events, exploit requires no authentication.
Impact
Unauthenticated users can access sensitive event information, potentially leading to information disclosure.
Remediation
Update to version 6.8.2.1 or later.
WordPress Events Manager - Full Path Disclosure
Author: DhiyaneshDkAdded: Feb 5, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/events-manager/"Description
WordPress WP Super Cache plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress File Upload <= 4.24.11 - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-file-upload/"Description
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
Impact
Unauthenticated attackers can read or delete arbitrary files outside the intended directory on WordPress sites running PHP 7.4 or earlier, potentially exposing sensitive configuration files, credentials, and causing system disruption.
Remediation
Update WordPress File Upload plugin to version 4.24.12 or later to address the path traversal vulnerability in wfu_file_downloader.php, or upgrade PHP to version 8.0 or later.
WordPress GamiPress <= 2.5.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/gamipress/"Description
The GamiPress plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.5.7 due to insufficient escaping on the user supplied parameter '$qv[$field_id]' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of GamiPress, version 2.5.8 or later.
WordPress Gift Voucher <4.1.8 - Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/gift-voucher/"Description
WordPress Gift Vouchers plugin before 4.1.8 contains a blind SQL injection vulnerability via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.
Remediation
Fixed in version 4.1.8.
WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/tradedoubler-affiliate-tracker/"Description
The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Impact
Unauthenticated attackers can exploit local file inclusion to read sensitive files like wp-config.php and potentially execute arbitrary PHP code.
Remediation
Update Grow by Tradedoubler plugin to version 2.0.22 or later to address the local file inclusion vulnerability.
WordPress HTML5 Video Player - SQL Injection
runzero-match
service["http.body"] matches "(?i)html5-video-player"Description
WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.
Impact
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
Remediation
Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
WordPress Header Footer Elementor - Full Path Disclosure
Author: ritikchaddhaAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/header-footer-elementor/"Description
WordPress Header Footer Elementor plugin (also known as Ultimate Addons for Elementor - Lite) contains PHP files that lack proper ABSPATH protection, allowing direct access that reveals sensitive server path information via PHP error messages.
WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/hummingbird-performance"Description
Hummingbird Performance WordPress plugin <= 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication.
Impact
Unauthenticated attackers can extract sensitive credentials, leading to potential account compromise and further attacks.
Remediation
Update to the latest version beyond 3.18.0.
WordPress JS Archive List <= 6.1.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/jquery-archive-list-widget/"Description
Miguel Useche JS Archive List contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or deletion.
Remediation
Update to the latest version.
WordPress Job Portal < 2.0.6 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-job-portal"Description
The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape the city parameter before using it in a SQL statement,leading to a SQL injection vulnerability that is exploitable by unauthenticated users. This vulnerability can be used to extractsensitive data from the database or potentially compromise the WordPress installation.
Impact
Unauthenticated attackers can execute SQL injection through the city parameter to extract the complete WordPress database including user credentials and job portal data.
Remediation
Update to version 2.0.6 or later
WordPress Kali Forms <= 2.4.9 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/kali-forms/"Description
Kali Forms WordPress plugin <= 2.4.9 contains a remote code execution caused by unsafe user input handling in 'form_process' and 'prepare_post_data' functions, letting unauthenticated attackers execute code on the server, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Update to the latest version beyond 2.4.9.
WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload
runzero-match
service["product"] matches "(?i)keydatas.wordpress"Description
The Keydatas plugin for WordPress (known in Chinese as "简数采集器") is vulnerable to unrestricted file uploads due to missing file-type validation in the keydatas_downloadImages function in all versions up to and including 2.5.2. An unauthenticated attacker can upload arbitrary files to the server — potentially leading to remote code execution, site takeover, or other severe compromise.
Impact
Unauthenticated attackers can upload arbitrary files including PHP web shells through the keydatas_downloadImages function, achieving remote code execution and complete site compromise.
Remediation
Update Keydatas plugin to version 2.5.3 or later to address the arbitrary file upload vulnerability.
WordPress Like Button Rating <2.6.32 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)likebtn.like.button"Description
WordPress Like Button Rating plugin before 2.6.32 is susceptible to server-side request forgery. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to make requests to internal resources, potentially leading to unauthorized access or information disclosure.
Remediation
Update the WordPress Like Button Rating plugin to version 2.6.32 or later.
WordPress List Site Contributors < 1.1.8 - Reflected XSS
Author: m4sh_wackerAdded: Jan 23, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/list-site-contributors/"Description
WordPress List Site Contributors plugin < 1.1.8 contains a reflected XSS caused by insufficient sanitization and escaping of the 'alpha' parameter, letting unauthenticated attackers inject scripts, exploit requires user interaction.
Impact
Unauthenticated attackers can inject scripts that execute in users browsers, potentially stealing data or performing actions on their behalf.
Remediation
Update to a version later than 1.1.8 or the latest available version.
WordPress MStore API <= 4.0.1 - Unauthenticated SQL Injection
Author: Shivam KambojAdded: Feb 6, 2026
runzero-match
service["http.body"] matches "(?i)/mstore-api/"Description
MStore API plugin for WordPress up to version 4.0.1 contains an unauthenticated blind SQL injection caused by insufficient escaping of 'id' parameter in SQL queries, letting attackers execute arbitrary SQL commands without authentication, exploit requires sending crafted requests with malicious 'id' parameter.
Impact
Attackers can extract sensitive database information, potentially leading to data breach and compromise of the website.
Remediation
Update to the latest version of the plugin where the vulnerability is fixed.
WordPress ManageWP Worker - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/worker/"Description
WordPress ManageWP Worker plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Members / Membership & User Role Editor Plugin - Error Log Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/members/"Description
WordPress Members plugin is vulnerable to error log disclosure via direct access to plugin files.
WordPress Members Plugin - Debug/Error Log Disclosure
Author: ritikchaddhaAdded: Dec 25, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/members"Description
The WordPress Members plugin exposes error/debug log files that may contain sensitive information.
WordPress Meta SEO <= 4.5.2 - Open Redirect
runzero-match
service["http.body"] matches "/wp-content/plugins/wp-meta-seo/"Description
The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability.
Impact
Authenticated attackers with low privileges can exploit unauthorized AJAX actions to update link redirects and create arbitrary redirect vulnerabilities that could be used for phishing attacks.
Remediation
Update the plugin to version 4.5.3 or later to fix the arbitrary redirect vulnerability.
WordPress My Calendar <3.4.22 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/my-calendar"Description
WordPress My Calendar plugin versions before 3.4.22 are vulnerable to an unauthenticated SQL injection within the 'from' and 'to' parameters of the '/my-calendar/v1/events' REST route.
Impact
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, which could lead to data theft, database compromise, or further attack vectors.
Remediation
Upgrade to My Calendar plugin version 3.4.22 or later.
WordPress Newsletter - Log File Exposure
Author: pussycat0xAdded: Dec 30, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/newsletter/"Description
The Newsletters plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.5. This makes it possible for unauthenticated attackers to extract potentially sensitive information from log files.
WordPress NextGEN Gallery Pro - Error Log Disclosure
runzero-match
service["http.body"] matches "(?i)/plugins/nextgen-gallery-pro"Description
The NextGEN Gallery Pro plugin for WordPress may expose debug/error log files that contain sensitive information including file paths, database queries, and potentially credentials. These log files are accessible without authentication.
WordPress OceanWP - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/themes/oceanwp/"Description
WordPress OceanWP theme is vulnerable to full path disclosure via direct access to theme files.
WordPress PHPMailer < 5.2.18 - Remote Code Execution
runzero-match
service["product"] contains "WordPress:WordPress"Description
WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution on the affected WordPress website.
Remediation
Upgrade PHPMailer to version 5.2.18 or higher to mitigate this vulnerability.
WordPress POST SMTP Mailer <= 2.8.7 - Authorization Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/post-smtp"Description
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.
Impact
Unauthenticated attackers can exploit type juggling vulnerabilities in the connect-app REST endpoint to access and modify sensitive email configuration data.
Remediation
Fixed in 2.8.8
WordPress Page Builder KingComposer <=2.9.6 - Open Redirect
runzero-match
service["product"] matches "(?i)king.theme.kingcomposer"Description
WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action (which is available to both unauthenticated and authenticated users).
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of further attacks.
Remediation
Update to the latest version of KingComposer (>=2.9.7) to fix the open redirect vulnerability.
WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/paid-memberships-pro/"Description
WordPress Paid Memberships Pro plugin before 2.6.7 is susceptible to blind SQL injection. The plugin does not escape the discount_code in one of its REST routes before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.
Remediation
Upgrade to WordPress Paid Memberships Pro version 2.6.7 or later to mitigate this vulnerability.
WordPress Paid Memberships Pro <2.9.8 - Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/paid-memberships-pro/"Description
WordPress Paid Memberships Pro plugin before 2.9.8 contains a blind SQL injection vulnerability in the 'code' parameter of the /pmpro/v1/order REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.
Remediation
Upgrade to WordPress Paid Memberships Pro version 2.9.8 or later to mitigate this vulnerability.
WordPress Paytm Payment Gateway <=2.7.0 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)paytm.payment.gateway"Description
WordPress Paytm Payment Gateway plugin through 2.7.0 contains a server-side request forgery vulnerability. An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Unauthenticated attackers can exploit server-side request forgery through the url parameter in the curltest action to make arbitrary HTTP requests from the server, potentially accessing internal network resources and sensitive data.
Remediation
Update to the latest version of the WordPress Paytm Payment Gateway plugin (2.7.0) or apply the vendor-supplied patch.
WordPress Perfect Images (WP Retina 2x) < 6.4.6 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-retina-2x/"Description
Jordy Meow Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) versions up to 6.4.5 contain a vulnerability that exposes sensitive information to unauthorized actors, letting attackers access confidential data, exploit requires no specific conditions.
Impact
Unauthorized actors can access sensitive information, leading to privacy breaches and potential data misuse.
Remediation
Update to version 6.4.6 or later.
WordPress PhastPress <1.111 - Open Redirect
runzero-match
service["product"] matches "(?i)kiboit.phastpress"Description
WordPress PhastPress plugin before 1.111 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the execution of other malicious activities.
Remediation
Update the WordPress PhastPress plugin to version 1.111 or later to mitigate the vulnerability.
WordPress PhonePe Payment Solutions <=1.0.15 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)phonepe"Description
WordPress PhonePe Payment Solutions plugin through 1.0.15 is susceptible to server-side request forgery. An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
An attacker can exploit this vulnerability to send arbitrary HTTP requests from the server, potentially leading to unauthorized access to internal resources or performing actions on behalf of the server.
Remediation
Fixed in version 2.0.0.
WordPress Pie Register <3.8.2.3 - Open Redirect
runzero-match
service["product"] matches "(?i)genetechsolutions.pie.register"Description
WordPress Pie Register plugin before 3.8.2.3 contains an open redirect vulnerability. The plugin does not properly validate the redirection URL when logging in and login out. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Authenticated attackers with low privileges can manipulate the redirect_to parameter during logout to redirect users to malicious sites for phishing attacks.
Remediation
Fixed in version 3.8.2.3.
WordPress Plugin Age Verification v0.4 - Open Redirect
runzero-match
service["product"] matches "(?i)age.verification"Description
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Update to the latest version of the WordPress Plugin Age Verification or remove the plugin if not needed.
WordPress Plugin GDPR Cookie Consent - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/cookie-law-info/"Description
WordPress GDPR Cookie Consent (cookie-law-info) plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Plugin Google Tag Manager - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/duracelltomi-google-tag-manager/"Description
WordPress Plugin Google Tag Manager files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin Imsanity - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/imsanity/"Description
WordPress Imsanity plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Plugin InfiniteWP Client - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/iwp-client/"Description
WordPress InfiniteWP Client plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Plugin LayerSlider 7.9.11-7.10.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/LayerSlider/"Description
The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Authenticated attackers can execute arbitrary SQL queries, potentially extracting sensitive data or compromising the database.
Remediation
Update LayerSlider plugin to version 7.10.1 or later.
WordPress Plugin Max Mega Menu (megamenu) - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/megamenu"Description
WordPress Plugin Max Mega Menu plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin Newsletter - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/newsletter/"Description
WordPress Plugin Newsletter plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin SG Optimizer - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/sg-cachepress/"Description
WordPress Plugin SG Optimizer Plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin SSL Insecure Content Fixer - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/ssl-insecure-content-fixer/"Description
WordPress SSL Insecure Content Fixer plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin Safe SVG - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/safe-svg/"Description
WordPress Safe SVG plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Plugin Table of Contents Plus - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 19, 2025
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/table-of-contents-plus"Description
The Table of Contents Plus WordPress plugin is vulnerable to Full Path Disclosure. This vulnerability allows attackers to view the full server path by accessing certain files or triggering error conditions, which can aid in further attacks such as directory traversal or local file inclusion.
Impact
An attacker can exploit this vulnerability to gain insights into the server's directory structure, which can be leveraged to perform further attacks such as directory traversal or local file inclusion.
Remediation
Update the Table of Contents Plus plugin to the latest version. Ensure error reporting is disabled in production environments and implement proper error handling that doesn't expose full paths.
WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-statistics/"Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
Impact
Unauthenticated attackers can execute time-based SQL injection through the current_page_id parameter to extract the complete WordPress database including user credentials, visitor statistics, and site analytics data.
Remediation
Update wp-statistics plugin to version 13.1.6, or newer.
WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-statistics/"Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
Impact
Unauthenticated attackers can exploit time-based blind SQL injection to extract sensitive database contents including user credentials and statistics data.
Remediation
Update wp-statistics plugin to version 13.1.6, or newer.
WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-statistics/"Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
Impact
Unauthenticated attackers can execute time-based blind SQL injection through the IP parameter to extract sensitive database information including user credentials, posts, comments, and WordPress configuration data.
Remediation
Update WP Statistics plugin to version 13.1.6 or later that properly escapes and parameterizes the IP parameter.
WordPress Plugin WooCommerce Admin (woocommerce-admin) Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/woocommerce-admin"Description
WordPress Plugin WooCommerce Admin plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin iThemes Security - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/better-wp-security/"Description
WordPress Plugin iThemes Security files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin reCaptcha by BestWebSoft (google-captcha) - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/google-captcha"Description
WordPress ManageWP Worker plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Pretty Links - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/pretty-link/"Description
WordPress Pretty Links plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution
runzero-match
service["http.body"] matches "/wp-content/plugins/woocommerce-delivery-notes/"Description
Print Invoice & Delivery Notes for WooCommerce plugin for WordPress <= 5.8.0 contains a remote code execution caused by missing capability check, PHP enabled in Dompdf, and missing escape in template.php, letting unauthenticated attackers execute code on the server.
Impact
Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Update to the latest version beyond 5.8.0.
WordPress Qards - Cross-Site Scripting
runzero-match
service["product"] matches "(?i)designmodo.qards"Description
WordPress Qards through 2017-10-11 contains a cross-site scripting vulnerability via a remote document specified in the URL parameter to html2canvasproxy.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.
Remediation
Update to the latest version of the WordPress Qards plugin, which includes a fix for this vulnerability.
WordPress Realtyna Organic IDX Plugin <= 4.14.4 - Unauthenticated SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/real-estate-listing-realtyna-wpl(?:-pro)?/"Description
The Realtyna Organic IDX plugin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.14.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of the plugin, version 4.14.5 or later.
WordPress SEO Plugin Rank Math - Full Path Disclosure
Author: ritikchaddha,DhiyaneshDKAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/seo-by-rank-math/"Description
WordPress Rank Math SEO plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress SVG Support - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/svg-support/"Description
The WordPress SVG Support plugin was detected to have publicly accessible PHP files without ABSPATH protection, which exposed sensitive server path information. Direct access to vendor/composer files triggered PHP fatal errors that revealed the full WordPress filesystem path.
WordPress Simple Job Board - Unauthorized Data Access
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/simple-job-board"Description
The Simple Job Board plugin for WordPress is vulnerable to unauthorized data access due to insufficient authorization checking in the fetch_quick_job() function in all versions up to and including 2.10.8. This makes it possible for unauthenticated attackers to fetch arbitrary posts, which can be password protected or private and contain sensitive information.
Impact
Unauthenticated attackers can access password-protected or private posts containing sensitive information without authorization, potentially exposing confidential job postings or internal data.
Remediation
Upgrade to Simple Job Board version 2.10.9 or later.
WordPress Social Warfare <3.5.3 - Cross-Site Scripting
runzero-match
service["http.body"] matches "social-warfare"Description
WordPress Social Warfare plugin before 3.5.3 contains a cross-site scripting vulnerability via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, affecting Social Warfare and Social Warfare Pro.
Impact
Attackers can execute arbitrary scripts in admin context, potentially leading to session hijacking or privilege escalation.
Remediation
Update to version 3.5.3 or later.
WordPress StageShow <5.0.9 - Open Redirect
runzero-match
service["product"] matches "(?i)stageshow"Description
WordPress StageShow plugin before 5.0.9 contains an open redirect vulnerability in the Redirect function in stageshow_redirect.php. A remote attacker can redirect users to arbitrary web sites and conduct phishing attacks via a malicious URL in the url parameter.
Impact
An attacker can trick users into visiting a malicious website, leading to potential phishing attacks.
Remediation
Update to the latest version of the WordPress StageShow plugin (5.0.9 or higher) to fix the open redirect vulnerability.
WordPress Statistics <13.0.8 - Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-statistics/"Description
WordPress Statistic plugin versions prior to version 13.0.8 are affected by an unauthenticated time-based blind SQL injection vulnerability.
Impact
Unauthenticated attackers can extract database contents via time-based blind SQL injection, potentially exposing sensitive WordPress configuration and user data.
Remediation
Update to WordPress Statistics plugin version 13.0.8 or later to mitigate the vulnerability.
WordPress Storefront Theme - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/themes/storefront/"Description
The Storefront theme for WordPress was detected to be vulnerable to Full Path Disclosure, allowing unauthenticated attackers to obtain the full application path that could aid other attacks when combined with another vulnerability.
WordPress TI WooCommerce Wishlist Plugin <= 2.8.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ti-woocommerce-wishlist/"Description
In the latest version (2.8.2 as of writing the article) and below, the plugin is vulnerable to a SQL injection vulnerability that allows any users to execute arbitrary SQL queries in the database of the WordPress site. No privileges are required to exploit the issue. The vulnerability is unpatched on the latest version and is tracked as the CVE-2024-43917.
Impact
Unauthenticated attackers can execute time-based SQL injection to extract sensitive data from the WordPress database.
Remediation
Update TI WooCommerce Wishlist plugin to a version that patches CVE-2024-43917.
WordPress Table of Contents Plus - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/table-of-contents-plus/"Description
WordPress Table of Contents Plus plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress The Events Calendar - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/the-events-calendar/"Description
WordPress The Events Calendar plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Themify Builder < 7.5.8 - Open Redirect
runzero-match
service["http.body"] matches "wp-content/plugins/themify-builder/"Description
The Themify Builder WordPress plugin before version 7.5.8 contains an open redirect vulnerability. The plugin does not validate the tb_redirect_fail parameter before redirecting users to its value, which could allow attackers to redirect users to malicious websites.
Impact
Attackers can redirect users to malicious websites, potentially leading to phishing attacks or credential theft.
Remediation
Update Themify Builder to version 7.5.8 or later.
WordPress Toolbar <= 2.2.6 - Open Redirect
runzero-match
service["http.body"] matches "/wp-content/plugins/wordpress-toolbar/"Description
The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Impact
Unauthenticated attackers can redirect users to malicious external sites via the wptbto parameter, potentially facilitating phishing attacks or credential theft.
Remediation
Update WordPress Toolbar plugin to version 2.2.7 or later.
WordPress Tourfic Plugin <= 2.11.7 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/tourfic/"Description
The Tourfic plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 2.11.7 due to insufficient input sanitization and output escaping in the 'place' parameter.
Impact
Attackers can execute malicious scripts in users' browsers, potentially stealing cookies, session tokens, or performing actions on behalf of users.
Remediation
Update to Tourfic version 2.11.8 or later.
WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ultimate-member"Description
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute time-based SQL injection through the sorting parameter in the member directory to extract the complete WordPress database including user credentials, member profiles, and sensitive site data.
Remediation
Fixed in 2.8.3
WordPress UpdraftPlus - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 12, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/updraftplus"Description
WordPress Plugin UpdraftPlus files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress User Registration & Membership Plugin Detection
Author: omarkurtAdded: Mar 10, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/user-registration/"Description
Detected WordPress User Registration & Membership plugin and its version information.
WordPress Visitor Statistics <=5.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-stats-manager"Description
WordPress Visitor Statistics plugin through 5.7 contains multiple unauthenticated SQL injection vulnerabilities. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
Remediation
Update to the latest version of the WordPress Visitor Statistics plugin (>=5.8) to mitigate the SQL Injection vulnerability.
WordPress W3 Total Cache - Cache Files Exposure
Author: pussycat0xAdded: Dec 22, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/w3tc/dbcache/"Description
Detects publicly accessible W3 Total Cache database cache files in the wp-content/w3tc/dbcache/ directory. When database caching to disk is enabled, these files contain raw SQL query results, potentially exposing sensitive data such as user details, password hashes, emails, or other database content if the directory is not properly protected.
WordPress WP Clone <= 2.4.2 - Database Backup Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-clone-by-wp-academy/"Description
Clone WordPress plugin < 2.4.3 contains a buffer overflow caused by storing in-progress backup information in publicly accessible buffer files at a static file path, letting attackers access sensitive backup data, exploit requires no special privileges
Impact
Attackers can access sensitive backup information, potentially leading to data disclosure or manipulation.
Remediation
Update to version 2.4.3 or later.
WordPress WP Mail SMTP - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-mail-smtp/"Description
WordPress WP Mail SMTP plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress WP Maintenance Mode - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-maintenance-mode/"Description
WordPress WP Maintenance Mode plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress WP Migrate DB - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-migrate-db/"Description
The WP Migrate DB (WP Migrate Lite - WordPress Migration Made Easy) plugin for WordPress was detected to be vulnerable to Full Path Disclosure, allowing unauthenticated attackers to obtain the full application path that could aid other attacks when combined with another vulnerability.
WordPress WP Video Gallery <=1.7.1 - SQL Injection
runzero-match
service["product"] matches "(?i)wp.video.gallery.free"Description
WordPress WP Video Gallery plugin through 1.7.1 contains a SQL injection vulnerability. The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
Remediation
Update to the latest version of WP Video Gallery plugin (>=1.7.2) or apply the vendor-provided patch to mitigate the SQL Injection vulnerability.
WordPress WP-Advanced-Search <= 3.3.9 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-advanced-search/"Description
The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can exploit SQL injection through the autocompletion endpoint to extract sensitive database information including user credentials, posts, comments, and configuration data.
Remediation
Update WP-Advanced-Search plugin to a version later than 3.3.9 that properly escapes user supplied parameters and uses prepared SQL statements in autocompletion-PHP5.5.php.
WordPress WP-PageNavi - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/wp-pagenavi/"Description
WordPress WP-PageNavi plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress WPB Show Core <= 2.2 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "wp-content/plugins/wpb-show-core/"Description
The WPB Show Core WordPress plugin through version 2.2 is vulnerable to Server-Side Request Forgery (SSRF) via the 'path' parameter in the download-file.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
Impact
Unauthenticated attackers can perform SSRF attacks via the path parameter, potentially accessing internal resources or scanning internal networks.
Remediation
Update WPB Show Core plugin to a version newer than 2.2.
WordPress WPForms - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 12, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpforms-lite"Description
WordPress Plugin WPForms files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress WPML Multilingual CMS < 4.6.1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sitepress-multilingual-cms/"Description
The WPML Multilingual CMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions prior to 4.6.1. The plugin does not escape some URL attributes before outputting them to a page, allowing attackers to inject malicious JavaScript which may be executed in the browser of an unsuspecting user.
WordPress WebP Converter for Media < 4.0.3 - Unauthenticated Open Redirect
runzero-match
service["product"] matches "(?i)webp.converter.for.media"Description
WordPress WebP Converter for Media < 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an open redirect issue.
Impact
An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the disclosure of sensitive information.
Remediation
Update to the latest version of the WordPress WebP Converter for Media plugin (4.0.3) or remove the plugin if not needed.
WordPress Wordfence - Configuration File Disclosure
runzero-match
service["http.body"] matches "(?i)/plugins/wordfence"Description
The Wordfence Security plugin for WordPress stores configuration files in the /wp-content/wflogs/ directory. These files may be accessible without authentication and can expose sensitive configuration data, firewall rules, attack logs, and internal paths.
WordPress Wordfence - Rules File Disclosure
runzero-match
service["http.body"] matches "(?i)/plugins/wordfence"Description
The Wordfence Security plugin for WordPress stores configuration files in the /wp-content/wflogs/ directory. These files may be accessible without authentication and can expose sensitive configuration data, firewall rules, attack logs, and internal paths.
WordPress Wordfence - WAF Logs and Data Disclosure
runzero-match
service["http.body"] matches "(?i)/plugins/wordfence"Description
The Wordfence Security plugin creates various log and data files in the wflogs directory. If directory listing is enabled or files are directly accessible, sensitive information about blocked attacks, IP addresses, and firewall configuration may be exposed.
WordPress YITH WooCommerce Wishlist - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/yith-woocommerce-wishlist/"Description
WordPress YITH WooCommerce Wishlist plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Yoast SEO - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wordpress-seo/"Description
WordPress Yoast SEO plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress wp-links-opml.php - Version Disclosure
Author: princechaddhaAdded: Jan 30, 2026
runzero-match
service["product"] contains "WordPress:WordPress"Description
WordPress wp-links-opml.php file was publicly accessible and expossed the WordPress version in the generator tag.
WordPress wpForo Forum < 1.9.7 - Open Redirect
runzero-match
service["product"] matches "(?i)gvectors.wpforo.forum"Description
WordPress wpForo Forum < 1.9.7 is susceptible to an open redirect vulnerability because the plugin did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login.
Impact
An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the disclosure of sensitive information.
Remediation
Update wpForo Forum to version 1.9.7 or later to fix the open redirect vulnerability.
Wordpress Gift Cards <= 4.3.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/gift-voucher/"Description
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action.
Impact
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
Remediation
Update the Gift Cards (Gift Vouchers and Packages) WordPress Plugin to the latest version available.
Wordpress Oembed Proxy - Server-side request forgery
runzero-match
service["http.body"] matches "oembed"Description
The oEmbed feature in WordPress allows embedding content from external sources, and if it's not properly secured, it could be exploited for SSRF.
Wordpress Polls Widget < 1.5.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/polls-widget/"Description
The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
Impact
Unauthenticated attackers can execute SQL injection to manipulate database contents, potentially gaining unauthorized access to all WordPress data including user credentials.
Remediation
Fixed in 1.5.3
Wordpress WPMobile.App >= 11.42 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpappninja"Description
WPMobile.App versions up to 11.41 contain a reflected cross-site scripting (XSS) caused by improper input neutralization during web page generation, letting attackers execute scripts in the victim's browser, exploit requires attacker to craft malicious input.
Impact
Attackers can execute arbitrary scripts in the victim's browser, potentially stealing cookies, session tokens, or performing actions on behalf of the user.
Remediation
Implement proper input sanitization and output encoding, and update to the latest version of WPMobile.App.
Worpress Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/backup-backup/"Description
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.
Impact
Unauthenticated attackers can leverage file inclusion via backup-heart.php to achieve arbitrary code execution, potentially compromising the entire WordPress site and server.
Remediation
Upgrade Backup Migration plugin to version 1.3.8 or later.
Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manager\" product:\"wowza streaming engine"})Description
Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API.
Impact
An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to unauthorized access or disclosure of sensitive information.
Remediation
Upgrade to the latest version of Wowza Streaming Engine Manager or apply the necessary patches to fix the directory traversal vulnerability.
Wowza Streaming Engine Manager Panel - Detect
Author: dhiyaneshDKAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manager"})Description
Wowza Streaming Engine Manager panel was detected.
WpStickyBar <= 2.1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/plugins/wpstickybar-sticky-bar-sticky-header"Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
Impact
Unauthenticated attackers can execute time-based SQL injection attacks to extract sensitive database information including user credentials and configuration data.
Remediation
Update WpStickyBar plugin to version 2.1.1 or later to address the SQL injection vulnerability.
X-UI - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "X-UI Login"})Description
X-UI contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
XAMPP PHP info Page - Detect
Author: pussycat0xAdded: Dec 10, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)XAMPP"})Description
XAMPPHPinfo page was detected. The output of the phpinfo() command can reveal sensitive and detailed PHP environment information.
Remediation
Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only.
XDS-AMR Status Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)XDS-AMR - status"})Description
XDS-AMR Status login panel was detected.
XML-RPC Server - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Supervisor Status"})Description
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisor namespace lookups.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Apply the latest security patches or disable the XML-RPC server if not required.
XNAT - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "XNAT"})Description
XNAT contains an admin default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
XNAT Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)xnat"})Description
XNAT login panel was detected.
XSpeeder Login - Detect
Author: rxeriumAdded: Dec 27, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)神行者路由"})Description
Detects the presence of XSpeeder router login panels.
XStream 1.4.18 - Arbitrary Code Execution
runzero-match
service["product"] matches "(?i)xstream"Description
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups which followed XStream's security recommendations with an allow-list are not impacted.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade XStream to a version that is not affected by CVE-2021-39146.
XStream 1.4.18 - Remote Code Execution
runzero-match
service["product"] matches "(?i)xstream"Description
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Attackers can exploit unsafe deserialization in XStream to execute arbitrary commands on the host, potentially obtaining sensitive information and compromising the entire application server.
Remediation
Upgrade XStream to a version that is not affected by CVE-2021-39141.
XStream 1.4.18 - Remote Code Execution
runzero-match
service["product"] matches "(?i)xstream"Description
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups which followed XStream's security recommendations with an allow-list are not impacted.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade XStream to a version that is not affected by CVE-2021-39144.
XStream < 1.4.16 - Remote Code Execution
runzero-match
service["product"] matches "(?i)xstream"Description
XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.
XStream <1.4.14 - Remote Code Execution
runzero-match
service["product"] matches "(?i)xstream"Description
XStream before 1.4.14 is susceptible to remote code execution. An attacker can run arbitrary shell commands by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Users who rely on blocklists are affected.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Fixed in 1.4.14.
XStream <1.4.15 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)xstream"Description
XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
Impact
An attacker can exploit this vulnerability to make requests to internal resources, potentially leading to data leakage or further attacks.
Remediation
Install at least 1.4.15 if you rely on XStream's default blacklist of the Security Framework, and at least Java 15 or higher.
XStream <1.4.16 - Remote Code Execution
runzero-match
service["product"] matches "(?i)xstream"Description
XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.
XStream <1.4.17 - Remote Code Execution
runzero-match
service["product"] matches "(?i)xstream"Description
XStream before 1.4.17 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Patched in 1.4.17.
XStream <1.4.18 - Server-Side Request Forgery
runzero-match
service["product"] matches "(?i)xstream"Description
XStream before 1.4.18 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream with a Java runtime version 14 to 8. This makes it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources or services.
Remediation
Upgrade XStream to version 1.4.18 or later to mitigate the vulnerability.
XStream <1.4.6/1.4.10 - Remote Code Execution
runzero-match
service["product"] matches "(?i)xstream"Description
Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade XStream to version 1.4.10 or later to mitigate this vulnerability.
XVR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)xvr login"})Description
XVR login panel was detected.
XWiki - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using URL such as: > /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 9.4-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Impact
Successful exploitation could allow an attacker to execute malicious scripts in the context of the victim's browser.
Remediation
Update XWiki to the latest version to mitigate the Reflected XSS vulnerability.
XWiki - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS).
Impact
Successful exploitation could lead to unauthorized access to sensitive information or account takeover
Remediation
Apply the latest security patches provided by XWiki to mitigate the vulnerability
XWiki - HQL Injection
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki is vulnerable to Hibernate Query Language (HQL) injection in the wiki and space search REST API starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0. The vulnerability allows attackers to inject malicious HQL queries through the orderField parameter, potentially leading to data extraction, authentication bypass, or remote code execution depending on database backend and configuration.
Impact
Unauthenticated attackers can inject malicious HQL queries through the orderField parameter, potentially leading to complete database compromise, data extraction, authentication bypass, or remote code execution.
Remediation
Update XWiki to a version that patches this vulnerability. Review and sanitize all user-controlled parameters that are used in database queries, especially those passed to HQL queries.
XWiki - Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki 16.7.0 to 16.10.11, 17.4.4, and 17.7.0 using XJetty contains an information disclosure vulnerability caused by exposed context allowing static access to files in webapp/ folder, letting attackers access sensitive files, exploit requires use of XJetty package.
Impact
Attackers can access sensitive files including credentials, leading to information disclosure.
Remediation
Update to versions 16.10.11, 17.4.4, or 17.7.0 or later.
XWiki - Open Redirect
runzero-match
service["http.body"] matches "data-xwiki-reference"Description
XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting the `http:`). It was also possible to bypass it when using URL such as `http:/mydomain.com`. The problem has been patched on XWiki 13.10.10, 14.4.4 and 14.8RC1.
Impact
An attacker can redirect users to malicious websites, leading to phishing attacks or malware downloads.
Remediation
Implement proper input validation and sanitize user-controlled input to prevent open redirect vulnerabilities.
XWiki - Open Redirect
runzero-match
service["http.body"] matches "data-xwiki-reference"Description
XWiki Platform is vulnerable to open redirect attacks due to improper validation of the xredirect parameter. This allows an attacker to redirect users to an arbitrary website. The vulnerability is patched in versions 14.10.4 and 15.0.
Impact
An attacker can craft malicious URLs to redirect users to malicious websites.
Remediation
Implement proper input validation and sanitize user-controlled input to prevent open redirect vulnerabilities.
XWiki < 12.10.11, 13.4.4 & 13.9-rc-1 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
An unauthenticated user can retrieve a list of users and their full names through a publicly accessible URL in XWiki. The issue affects versions before 12.10.11, 13.4.4, and 13.9-rc-1.
Impact
Information disclosure could lead to unauthorized access to sensitive data.
Remediation
Upgrade XWiki to the latest version to mitigate CVE-2022-24819.
XWiki < 14.10.14 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When document names are validated according to a name strategy (disabled by default), XWiki starting in version 12.0-rc-1 and prior to versions 12.10.12 and 15.5-rc-1 is vulnerable to a reflected cross-site scripting attack in the page creation form. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link.
Impact
Successful exploitation could lead to cross-site scripting attack.
Remediation
This has been patched in XWiki 14.10.12 and 15.5-rc-1 by adding appropriate escaping.
XWiki < 14.10.14 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki is vulnerable to reflected cross-site scripting (RXSS) via the rev parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the user, including remote code (Groovy) execution in the case of a user with programming right, compromising the confidentiality, integrity and availability of the whole XWiki installation.
Impact
Successful exploitation could lead to cross-site scripting attack.
Remediation
This has been patched in XWiki 15.6 RC1, 15.5.1 and 14.10.14.
XWiki < 14.10.5 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is vulnerable to reflected XSS via the previewactions template. An attacker can inject JavaScript through the xcontinue parameter.
Impact
Successful exploitation could lead to unauthorized access or data theft.
Remediation
Apply the latest patches provided by XWiki to mitigate the vulnerability.
XWiki < 4.10.15 - Email Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
The Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for objcontent:email* using XWiki's regular search interface.
Impact
Successful exploitation could lead to disclosure of the email of all the users.
Remediation
This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled.
XWiki < 4.10.15 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
The Solr-based search suggestion provider that also duplicates as generic JavaScript API for search results in XWiki exposes the content of all documents of all wikis to anybody who has access to it, by default it is public. This exposes all information stored in the wiki (but not some protected information like password hashes). While there is a right check normally, the right check can be circumvented by explicitly requesting fields from Solr that don't include the data for the right check. This can be reproduced by opening <xwiki-server>/xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+ where <xwiki-server> is the URL of the XWiki installation. If this displays any results, the wiki is vulnerable.
Impact
Successful exploitation could lead to disclosure of content of all documents of all wikis.
Remediation
This has been fixed in XWiki 15.6RC1, 15.5.1 and 14.10.15 by not listing documents whose rights cannot be checked.
XWiki < 4.10.15 - Sensitive Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability.
Impact
Successful exploitation could lead to disclosure of the password hashes of all users.
Remediation
This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1.
XWiki < 4.10.20 - Remote code execution
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
Impact
Successful exploitation could lead to remote code execution.
Remediation
Apply the vendor-supplied patch or upgrade to a 14.10.20 ,15.5.4, 15.10-rc-1.
XWiki >= 13.10.8 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
Reflected XSS vulnerability in XWiki authenticate endpoints allows execution of arbitrary JavaScript.
Impact
Successful exploitation could allow an attacker to execute malicious scripts in the context of the victim's browser.
Remediation
Implement proper input validation and output encoding to prevent XSS attacks in the XWiki application.
XWiki >= 2.5-milestone-2 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/XWiki/Main xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain). This vulnerability exists since XWiki 2.5-milestone-2. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Impact
Successful exploitation could lead to cross-site scripting.
Remediation
This vulnerability has been patched in XWiki 14.10.5,15.1-rc-1.
XWiki >= 3.4-milestone-1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain).
Impact
Successful exploitation could lead to cross-site scripting.
Remediation
This vulnerability has been patched in XWiki 14.10.5,15.1-rc-1.
XWiki >= 6.0-rc-1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as: > xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.0-rc-1.
Impact
Successful exploitation could lead to cross-site scripting.
Remediation
This vulnerability has been patched in XWiki 14.10.6,15.1.
XWiki >= 6.2-milestone-1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.2-milestone-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Impact
Successful exploitation could lead to cross-site scripting.
Remediation
This vulnerability has been patched in XWiki 14.10.5,15.1-rc-1.
XWiki DeleteApplication - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates.
Impact
An attacker can execute arbitrary JavaScript in the victim's browser, leading to potential session hijacking, data theft, or further attacks.
Remediation
Upgrade to XWiki 14.10.14, 15.5.1, 15.8-rc-1 or above. Do not interact with suspiciously crafted links.
XWiki Platform - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform versions >= 4.2-milestone-3 and < 16.4.8, >= 16.5.0-rc-1 and < 16.10.6, and >= 17.0.0-rc-1 and < 17.3.0-rc-1 are vulnerable to reflected XSS in two templates. The vulnerability allows an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL.
Impact
Attackers can execute malicious JavaScript in victim sessions by crafting URLs with XSS payloads in translationPrefix, extensionId, or extensionVersionConstraint parameters.
Remediation
Upgrade to XWiki Platform version 16.4.8, 16.10.6, or 17.3.0-rc-1 or later that properly sanitizes user input in templates.
XWiki Platform - Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API.
Impact
Remote attackers can access sensitive configuration files, potentially exposing critical information.
Remediation
Update to version 16.10.7 or later.
XWiki Platform - Path Traversal
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform 4.2-milestone-2 through 16.10.6 contains a path traversal caused by improper access control in jsx and sx endpoints, letting remote attackers read configuration files, exploit requires no special privileges.
Impact
Remote attackers can read sensitive configuration files, potentially exposing critical system information.
Remediation
Upgrade to version 16.10.7 or later.
XWiki Platform - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
This issue has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1. Users are advised to upgrade.
XWiki Platform - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity, and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
Impact
An attacker can execute arbitrary code on the server, leading to a complete compromise of the XWiki instance.
Remediation
Upgrade to XWiki 15.10.11, 16.4.1, or 16.5.0RC1 to mitigate this vulnerability.
XWiki Platform - SQL Injection
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value.
Impact
Authenticated attackers with access to the deleted documents trash feature could inject SQL code, leading to data leakage, database modification, or further compromise of the application.
Remediation
Upgrade to XWiki Platform version 16.10.6 and 17.3.0-rc-1. (or newer) which addresses this vulnerability. Always validate and sanitize user-controlled input for query parameters.
XWiki Platform - Unauthorized Document History Access
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A vulnerability in XWiki Platform's REST API allows unauthorized users to access document history information. The REST API endpoint exposes the history of any page including modification times, version numbers, author details (username and display name), and version comments, regardless of access rights configuration, even on private wikis.
Impact
An attacker can access document history of any known page
Remediation
Upgrade to XWiki Platform version 15.10.9 or 16.3.0-rc-1 or later. No workarounds are available for earlier versions
XWiki Platform Distribution Flavor Main - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform Distribution Flavor Main versions prior to 17.6.0 are vulnerable to reflected cross-site scripting (XSS) due to improper sanitization of user-supplied input in the extensionId parameter. An attacker can exploit this issue by injecting malicious JavaScript, which will be executed in the context of the victim's browser, potentially leading to session hijacking or other attacks.
XWiki REST API - Attachments Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A vulnerability in XWiki's REST API allows unauthenticated users to access attachments list and metadata through the attachments endpoint. This could lead to disclosure of sensitive information stored in attachments metadata.
Impact
Unauthenticated users can access attachment lists and metadata through the REST API attachments endpoint, potentially exposing sensitive information.
Remediation
Upgrade to the latest XWiki version that implements proper authorization checks for the attachments REST API endpoint.
XWiki REST API - Private Pages Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A vulnerability in XWiki's REST API allows unauthenticated users to access information about private pages through the pages endpoint. This could lead to disclosure of sensitive information and page metadata.
Impact
Unauthenticated users can access private page information through the REST API pages endpoint, potentially exposing sensitive metadata and page content.
Remediation
Upgrade to XWiki version that implements proper authorization checks for the REST API pages endpoint.
XWiki REST API Query - SQL Injection
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A SQL injection vulnerability exists in XWiki's REST API query endpoint. An unauthenticated attacker can execute arbitrary SQL queries through the 'q' parameter by manipulating the HQL query, potentially leading to data exfiltration or system compromise.
Impact
Unauthenticated attackers can execute arbitrary SQL queries through the REST API query endpoint, potentially leading to complete database compromise and data exfiltration.
Remediation
Upgrade to the latest XWiki version that properly sanitizes HQL query parameters in the REST API.
XWiki WYSIWYG API - Open Redirect
runzero-match
service["http.body"] matches "data-xwiki-reference"Description
A vulnerability in XWiki's WYSIWYG API allows an attacker to redirect users to arbitrary external URLs through the xerror parameter. This could be used in phishing attacks to redirect users to malicious websites.
Impact
Attackers can redirect users to malicious external websites through the xerror parameter, potentially enabling phishing attacks and credential theft.
Remediation
Upgrade to the latest XWiki version that properly validates redirect URLs in the WYSIWYG API.
XWiki XML View - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A vulnerability in XWiki's XML view functionality exposes sensitive information such as passwords and email addresses that are stored in custom fields not explicitly named as password or email. This information disclosure occurs when accessing user profiles with the xml.vm template.
Impact
Unauthenticated attackers can access sensitive information including passwords and email addresses stored in custom user profile fields through the XML view functionality.
Remediation
Upgrade XWiki to the latest version that properly protects sensitive custom fields in XML view outputs.
XXL-JOB Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "1691956220"Description
XXL-JOB default admin credentials were discovered.
XXL-JOB executor - Unauthorized Access
Author: k3rwinAdded: Nov 17, 2023
runzero-match
service["product"] matches "(?i)XXL.JOB"Description
XXL-JOB is a distributed task scheduling platform. Its core design goals are rapid development, easy learning, lightweight, and easy expansion. The source code is now open and connected to the online product lines of many companies, ready to use out of the box. XXL-JOB is divided into two ends: admin and executor. The former is the background management page, and the latter is the client for task execution. The executor is not configured with authentication by default, and unauthorized attackers can execute arbitrary commands through the RESTful API.
XXLJOB Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1691956220"Description
XXLJOB admin login panel was detected.
Xeams Admin Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)xeams admin"})Description
Xeams Admin Console login panel was detected.
Xerox Fuji/VersaLink Login - Panel
runzero-match
service["http.body"] matches "(?i)/XUX-nwave/"Description
Xerox Fuji / VersaLink Login Panel was discovered
Xfinity Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)xfinity"})Description
Xfinity panel was detected.
Xiaomi Wireless Router Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)小米路由器"})Description
Xiaomi Wireless router admin panel was detected.
Xibo CMS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)/xibosignage/xibo-cms"Description
Xibo CMS login panel was detected.
Xinference Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Xinference"})Description
Xinference (Xorbits Inference) is a powerful and versatile library designed to
serve language, speech recognition, and multimodal models
XploitSPY - Default Login
Author: andrelunaAdded: Oct 8, 2023
runzero-match
service["http.body"] matches "XploitSPY"Description
Default login and password to access administrator panel
Xsuite <=2.4.4.5 - Open Redirect
runzero-match
service["product"] matches "(?i)xceedium.xsuite"Description
Xsuite 2.4.4.5 and prior contains an open redirect vulnerability, which can allow a remote attacker to redirect users to arbitrary web sites and conduct phishing attacks via a malicious URL in the redirurl parameter.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
Remediation
Upgrade Xsuite to a version higher than 2.4.4.5 to mitigate the open redirect vulnerability.
Xymon - Exposure
Author: theamanrawatAdded: Jan 19, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Xymon"})Description
Detected the exposure of the Xymon monitoring system interface.
YARPP <= 5.30.10 - Missing Authorization
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/yet-another-related-posts-plugin/"Description
The YARPP Yet Another Related Posts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in the ~/includes/yarpp_pro_set_display_types.php file in all versions up to, and including, 5.30.10. This makes it possible for unauthenticated attackers to set display types.
Impact
Unauthenticated attackers can modify display types in the YARPP plugin without proper authorization.
Remediation
Update YARPP plugin to a version later than 5.30.10 that patches the missing authorization vulnerability.
YPAREO Panel - Detect
Author: righettodAdded: Mar 11, 2026
runzero-match
service["http.body"] matches "(?i)ypareo"Description
YPAREO was detected — an Enterprise Resource Planning system.
Yacht - Default Login
Author: Fur1naAdded: Apr 23, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-503392394"Description
Yacht is a web interface for managing Docker containers. This template detects instances with default admin credentials (admin@yacht.local:pass), which could allow unauthorized access to the Docker environment, potentially leading to container manipulation, data exposure, or even host system compromise.
YeaLink DM 3.6.0.20 - Remote Command Injection
runzero-match
service["http.body"] contains "sorry but ydmp doesn't work properly without JavaScript enabled"Description
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.
Remediation
Update to the latest firmware version provided by the vendor to mitigate this vulnerability.
Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/yellow-pencil-visual-theme-customizer/"Description
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
Impact
Unauthenticated attackers can exploit CSRF to escalate privileges to administrator level, gaining complete control over the WordPress site including content manipulation and user management.
Remediation
Upgrade to Yellow Pencil Visual Theme Customizer version 7.2.1 or later.
Yellowfin Information Collaboration - Detect
Author: DhiyaneshDKAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Yellowfin Information Collaboration"})YesWiki < 4.5.4 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)yeswiki"Description
YesWiki < 4.5.4 contains a reflected cross-site scripting caused by unsanitized `idformulaire` parameter in `/?BazaR` endpoint, letting attackers steal cookies and hijack sessions, exploit requires user to click malicious link.
Impact
Attackers can steal cookies, hijack user sessions, deface website, or embed malicious content.
Remediation
Update to version 4.5.4 or later.
YesWiki <2022-07-07 - SQL Injection
runzero-match
service["http.body"] matches "(?i)yeswiki"Description
YesWiki before 2022-07-07 contains a SQL injection vulnerability via the id parameter in the AccueiL URL. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
YesWiki Reflected XSS via File Upload
runzero-match
service["http.body"] matches "(?i)yeswiki"Description
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This issue has been patched in version 4.5.4.
Impact
Attackers can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking or defacement.
Remediation
Update to version 4.5.4 or later.
Yeswiki < 4.5.2 - Unauthenticated Path Traversal
runzero-match
service["http.body"] matches "(?i)yeswiki"Description
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
Impact
Unauthenticated attackers can exploit path traversal through the squelette parameter to read arbitrary files from the YesWiki server, potentially exposing sensitive configuration and data files.
Remediation
This vulnerability is fixed in 4.5.2.
Yii2 PHP Framework < 2.0.52 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Yii"})Description
Yii2 PHP Framework before 2.0.52 is vulnerable to remote code execution via improper validation of the __class key in JSON behaviors. An attacker can instantiate arbitrary PHP classes and achieve RCE.
Impact
Unauthenticated attackers can exploit improper validation of the __class key in JSON behaviors to instantiate arbitrary PHP classes and achieve remote code execution.
Remediation
Update Yii2 PHP Framework to version 2.0.52 or later to address the remote code execution vulnerability.
Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1085941792"Description
Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting (XSS) via the langcode parameter in /help/systop.jsp and /help/top.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
Impact
Attackers can inject malicious JavaScript through the langcode parameter in help pages, potentially stealing user credentials, session cookies, or executing unauthorized actions.
Remediation
Upgrade to Yonyou UFIDA ERP-NC version 5.1 or later that properly sanitizes the langcode parameter.
Yonyou YonBIP - Path Traversal
runzero-match
service["http.body"] matches "(?i)YonBIP \\| 数据应用服务"Description
Yonyou YonBIP v3 and before contains a path traversal caused by improper validation in the LoginWithV8 interface of the series data application service system, letting unauthorized attackers access sensitive information.
Impact
Unauthorized attackers can access sensitive system information, potentially leading to data exposure.
Remediation
Update to the latest version beyond v3.
Yopass Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Yopass"})Description
Yopass panel was detected.
YouPHPTube Encoder 2.3 - Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-276846707"Description
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
Impact
Unauthenticated attackers can execute arbitrary system commands through command injection, leading to complete server compromise and potential access to all media content.
Remediation
Upgrade to YouPHPTube Encoder version 2.4 or later, or apply vendor-provided security patches.
Youzify < 1.2.0 - Unauthenticated SQLi
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/youzify"Description
The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection
Impact
Unauthenticated attackers can execute time-based blind SQL injection via AJAX actions to extract database contents, potentially exposing all Youzify media and user data.
Remediation
Fixed in 1.2.0
YunoHost Admin Panel - Detect
Author: s4e-ioAdded: Jan 13, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)YunoHost Admin"})Description
YunoHost Admin panel was discovered.
YzmCMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)yzmcms"})Description
YzmCMS login panel was detected.
Z-BlogPHP Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zblog"})Description
Z-BlogPHP admin login panel was detected.
Z-BlogPHP Panel - Detect
runzero-match
service["http.body"] matches "(?i)Z-BlogPHP"Description
Z-BlogPHP panel was detected.
ZEROF Web Server 2.0 - SQL Injection
runzero-match
service["http.head.server"] matches "ZEROF Web Server"Description
ZEROF Web Server 2.0 allows SQL Injection via the /HandleEvent endpoint. Attackers can exploit this vulnerability by manipulating the request parameters to execute arbitrary SQL queries.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in ZEROF Web Server 2.0.
ZITADEL Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ZITADEL"})Description
Detected ZITADEL was an open-source identity infrastructure platform providing OIDC, OAuth 2.0, SAML and machine-user IAM.
ZKTeco BioTime <= 9.0.1 - Privilege Escalation
runzero-match
service["http.body"] matches "(?i)ZKTeco Security"Description
BioTime default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.
Impact
Unauthenticated attackers can access sensitive files and credentials, leading to data breach and potential system compromise.
Remediation
Implement proper authentication and access controls for static file resources, and update to the latest version if available.
ZKTeco BioTime v8.5.5 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)biotime"})Description
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
Impact
Unauthenticated attackers can read arbitrary files from the server through path traversal in the iclock API url parameter, potentially exposing employee biometric data, attendance records, and system credentials.
Remediation
Update ZKTeco BioTime to a version newer than 8.5.5 that validates file paths in the iclock API and restricts access to authorized files only.
ZOHO ManageEngine ADAudit/ADManager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)adaudit plus"})Description
ZOHO ManageEngine ADAudit/ADManager panel was detected.
ZOHO ManageEngine ADSelfService Plus - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)adselfservice plus"}) || any(each(service["html.titles"]), {# matches "(?i)manageengine"})Description
ZOHO ManageEngine ADSelfService panel was detected.
ZOHO ManageEngine APEX IT Help-Desk Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apex it help desk"})Description
ZOHO MangageEngine APEX panel was detected.
ZOHO ManageEngine Analytics Plus Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apex it help desk"})Description
ZOHO ManageEngine analytics plus panel was detected.
ZOHO ManageEngine AssetExplorer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine assetexplorer"})Description
ZOHO ManageEngine AssetExplorer panel was detected.
ZOHO ManageEngine Desktop Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine desktop central 10"})Description
ZOHO ManageEngine desktop panel was detected.
ZOHO ManageEngine Exchange Reporter Plus Panel - Detect
Author: darsesAdded: Jun 9, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ManageEngine - Exchange Reporter Plus"}) || service["favicon.ico.image.mmh3"] == "230963457"Description
ZOHO ManageEngine Exchange Reporter Plus panel was detected.
ZOHO ManageEngine OpManager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opmanager plus"})Description
ZOHO ManageEngine OpManager panel was detected.
ZOHO ManageEngine ServiceDesk Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine servicedesk plus"})Description
ZOHO ManageEngine ServiceDesk panel was detected.
ZOHO ManageEngine SupportCenter Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine supportcenter plus"})Description
ZOHO ManageEngine SupportCenter panel was detected.
ZTE MF971R - Referer authentication bypass
runzero-match
service["product"] matches "(?i)zte.mf971r.firmware"Description
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould
use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
Impact
An attacker can bypass authentication and gain unauthorized access to the router.
Remediation
Apply the latest firmware update provided by ZTE to fix the authentication bypass vulnerability.
ZTE Panel - Detect
runzero-match
service["http.body"] matches "(?i)ZTE Corporation"Description
ZTE panel was detected. ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe. ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe.
ZTE Router Panel - Detect
runzero-match
service["http.body"] matches "(?i)ZTE Corporation" and service["service.transport"] contains "tcp"Description
Multiple ZTE router panels were detected. These routers have a telnet-hardcoded backdoor account that spawns root shell.
ZTE ZXHN-F660T/F660A - Default Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)F660"})Description
ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices.
Impact
Attackers with knowledge of common credentials can access ZTE device management interfaces, potentially gaining control over network equipment and configurations.
Remediation
Change default credentials immediately and restrict access to the web management interface to trusted administrators only.
ZZZCMS zzzphp 2.1.0 - Remote Code Execution
runzero-match
service["product"] matches "(?i)zzzcms.zzzphp"Description
ZZZCMS zzzphp v2.1.0 is susceptible to a remote command execution vulnerability via danger_key() at zzz_template.php.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patch or upgrade to a patched version of ZZZCMS zzzphp.
Zabbix - SAML SSO Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "892542951" || any(each(service["html.titles"]), {# matches "(?i)zabbix-server"})Description
When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Zabbix monitoring system.
Remediation
Upgrade to 5.4.9rc2, 6.0.0beta1, 6.0 (plan) or higher.
Zabbix - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "892542951" || any(each(service["html.titles"]), {# matches "(?i)zabbix-server"})Description
Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php and perform SQL injection attacks.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the Zabbix application and underlying systems.
Remediation
Apply the latest security patches or upgrade to a patched version of Zabbix to mitigate the SQL Injection vulnerability (CVE-2016-10134).
Zabbix <=4.4 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "892542951" || any(each(service["html.titles"]), {# matches "(?i)zabbix-server"})Description
Zabbix through 4.4 is susceptible to an authentication bypass vulnerability via zabbix.php?action=dashboard.view&dashboardid=1. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
Impact
Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the Zabbix application.
Remediation
Upgrade to a patched version of Zabbix (>=4.4) to mitigate this vulnerability.
Zabbix Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "892542951"Description
Zabbix default admin credentials were discovered.
Zabbix Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "892542951" || any(each(service["html.titles"]), {# matches "(?i)zabbix-server"})Description
Zabbix login panel was detected.
Zabbix Setup Configuration Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zabbix-server"}) || service["favicon.ico.image.mmh3"] == "892542951"Description
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Zabbix setup configuration.
Remediation
Apply the latest security patches or updates provided by Zabbix to fix the authentication bypass vulnerability.
Zammad Helpdesk Panel - Detect
Author: righettodAdded: Aug 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Zammad Helpdesk"})Description
Zammad is an open source helpdesk and customer support system that provides ticket management, live chat, and knowledge base functionality. This template detects exposed Zammad installations.
Zebra - Default Login
Author: y0noAdded: Oct 16, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Zebra"}) || service["http.body"] matches "Zebra Technologies"Description
Zebra default login credentials was discovered.
Zebra Printer Detect
Author: gy741Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Zebra"}) || service["http.body"] matches "Zebra Technologies"Description
Zebra Printer panel was detected.
ZenML Dashboard Panel - Detect
Author: DhiyaneshDKAdded: Apr 8, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-2028554187"ZenML ZenML Server - Improper Authentication
runzero-match
service["favicon.ico.image.mmh3"] == "-2028554187"Description
ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Implement proper authentication mechanisms and ensure access controls are correctly configured.
ZeroShell <= 1.0beta11 Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zeroshell"})Description
ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers to execute arbitrary commands through shell metacharacters in the type parameter in a NoAuthREQ x509List action.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system.
Remediation
Upgrade to a patched version of ZeroShell.
ZeroShell Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zeroshell"})Description
ZeroShell panel was detected.
Zeroshell 3.9.0 - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zeroshell"})Description
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Upgrade to 3.9.5. Be aware this product is no longer supported.
Zeroshell 3.9.3 - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zeroshell"})Description
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Upgrade to the latest version of Zeroshell or apply security patches provided by the vendor.
ZimaOS - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)ZimaOS"Description
ZimaOS <= 1.5.0 contains a broken authentication caused by improper password validation for known system service accounts in the login function, letting attackers authenticate with any password for these accounts, exploit requires knowledge of common usernames.
Impact
Attackers can gain authenticated access to system service accounts without valid passwords, potentially compromising the system.
Remediation
Update to a fixed version when available or apply patches to properly validate passwords for system service accounts.
Zimbra - Cross-Site Scripting via ICS Files
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Zimbra Collaboration Suite"})Description
Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event inside a details tag, allowing attackers to perform unauthorized actions like email redirection and data exfiltration.
Impact
Authenticated users viewing malicious ICS files can have JavaScript executed in their browser context through stored XSS, potentially leading to session hijacking and data exfiltration.
Remediation
Upgrade to Zimbra Collaboration Suite version 9.0.1, 10.0.13, or 10.1.5 or later that properly sanitizes HTML content in ICS files.
Zimbra Collaboration (ZCS) - Cross Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["favicon.ico.image.mmh3"] == "475145467"Description
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Zimbra to fix the XSS vulnerability.
Zimbra Collaboration - Cross-Site Scripting (XSS)
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["http.body"] matches "(?i)zimbra collaboration suite web client" || service["favicon.ico.image.mmh3"] == "475145467"Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload.
Impact
Unauthenticated attackers can execute arbitrary JavaScript via crafted calendar headers in emails, potentially stealing user credentials or session data.
Remediation
Update Zimbra Collaboration to version 9.0.0 P39 or 10.0.7 or later.
Zimbra Collaboration - Local File Inclusion
runzero-match
service["product"] contains "Zimbra:Collaboration"Description
Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion caused by improper handling of user-supplied parameters in the RestFilter servlet, letting unauthenticated remote attackers include arbitrary files from WebRoot, exploit requires crafted requests to /h/rest endpoint.
Impact
Unauthenticated remote attackers can include arbitrary files from the WebRoot directory, potentially exposing sensitive information.
Remediation
Update to the latest version of Zimbra Collaboration.
Zimbra Collaboration - Unrestricted File Upload
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["http.body"] matches "(?i)Zimbra Collaboration Suite Web Client"Description
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
Impact
Unauthenticated attackers can upload arbitrary files through amavis via a cpio loophole that extracts to the webapps directory, potentially achieving remote code execution and unauthorized access to other user accounts in Zimbra Collaboration Suite.
Remediation
Install pax package and ensure amavis is configured to use pax instead of cpio. Update to the latest patched version of Zimbra Collaboration Suite.
Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"})Description
A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest security patches or upgrade to a newer version of Zimbra Collaboration Server to mitigate the LFI vulnerability.
Zimbra Collaboration Suite - Memcached Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"})Description
Zimbra Collaboration Suite versions 8.8.15 and 9.0 contain a memcached command injection vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance, leading to cache poisoning and potential credential theft.
Impact
Successful exploitation allows attackers to overwrite arbitrary cached entries and steal user credentials in cleartext without user interaction. With valid credentials, attackers can perform spear phishing, social engineering, and business email compromise attacks, or maintain persistent access via webshells.
Remediation
Update to Zimbra Collaboration Suite version 8.8.15 Patch 31 or 9.0.0 Patch 24.1 or later. Implement multi-factor authentication to mitigate credential theft impact.
Zimbra Collaboration Suite - SSRF
runzero-match
service["http.body"] matches "(?i)Zimbra Collaboration Suite Web Client"Description
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
Impact
Attackers can perform SSRF, potentially leading to internal network access or further exploitation.
Remediation
Update to the latest patched versions: 8.6 patch 13, 8.7.11 patch 10, 8.8.10 patch 7, or 8.8.11 patch 3 or later.
Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["favicon.ico.image.mmh3"] == "475145467"Description
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
Impact
Unauthenticated attackers can bypass authentication and upload arbitrary files through the mboximport functionality, achieving directory traversal and remote code execution on Zimbra Collaboration Suite servers, potentially compromising email systems and sensitive communications.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Zimbra Collaboration Suite.
Zimbra Collaboration Suite < 8.8.15 - Improper Encoding
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["http.body"] matches "(?i)Zimbra Collaboration Suite Web Client"Description
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
Impact
Attackers can inject malicious JavaScript through the Calendar feature that executes in victims' browsers, potentially stealing session tokens and accessing email communications of Zimbra users.
Remediation
Update Zimbra Collaboration Suite to version 8.8.15 patch 30 or later that properly escapes HTML in Calendar feature attributes.
Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "zimbra collaboration suite"})Description
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled.
Impact
Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access or data leakage.
Remediation
Apply the latest patch or upgrade to Zimbra Collaboration Suite version 8.8.15 Patch 7 or higher to mitigate this vulnerability.
Zimbra Collaboration Suite Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"}) || any(each(service["html.titles"]), {# matches "(?i)zimbra web client sign in"})Description
Zimbra Collaboration Suite panel was detected. Zimbra Collaboration Suite simplifies the communication environment, connects people over multiple channels, and provides a single place to manage collaboration and communication.
Zimbra Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"}) || any(each(service["html.titles"]), {# matches "(?i)zimbra web client sign in"})Description
Zimbra panel was detected. Zimbra provides open source server and client software for messaging and collaboration.
Zipkin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)webpackJsonpzipkin-lens"Description
Zipkin login panel was detected.
Zitadel - User Registration Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Zitadel"})Description
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
Impact
Unauthenticated users can bypass the disabled user registration restriction and register accounts.
Remediation
Update Zitadel to version 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, or 2.58.7 or later.
Zoho ManageEngine - Access Control Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine"})Description
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.
Impact
Attackers can bypass access controls on REST API endpoints, potentially leading to unauthorized data access or manipulation.
Remediation
Update to the latest versions of Access Manager Plus, Password Manager Pro, and PAM360 that address this issue.
Zoho ManageEngine - Internal Hostname Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine desktop central 10"})Description
Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.
Impact
An attacker could use the disclosed internal hostnames to plan targeted attacks, gain unauthorized access, or perform reconnaissance on the internal network.
Remediation
Apply the latest security patch or update provided by Zoho ManageEngine to fix the internal hostname disclosure vulnerability.
Zoho ManageEngine - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine"})Description
Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patch or update provided by Zoho ManageEngine to fix the vulnerability.
Zoho ManageEngine ADAudit Plus <7600 - XML Entity Injection/Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "ADAudit Plus\" \\|\\| http\\.title:\"ManageEngine - ADManager Plus"})Description
Zoho ManageEngine ADAudit Plus before version 7060 is vulnerable to an
unauthenticated XML entity injection attack that can lead to remote code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or perform remote code execution on the affected system.
Remediation
Update to ADAudit Plus build 7060 or later, and ensure ADAudit Plus
is configured with a dedicated service account with restricted privileges.
Zoho ManageEngine Desktop Central - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine desktop central 10"}) || service["http.body"] matches "(?i)manageengine desktop central 10" || any(each(service["html.titles"]), {# matches "(?i)manageengine desktop central"})Description
Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
Zoho ManageEngine Network Configuration Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)network configuration manager"})Description
ZOHO ManageEngine Network Configuration Manager was detected.
Zoho ManageEngine OpManager - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpManager"})Description
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
Impact
Unauthenticated attackers can execute SQL injection attacks to access or modify database contents, add administrator users, or extract sensitive information including credentials.
Remediation
Upgrade to ManageEngine OpManager version 12.3 Build 123196 or later.
Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opmanager plus"}) || any(each(service["html.titles"]), {# matches "(?i)opmanager"})Description
Zoho ManageEngine OpManager before 12.5.329 contains a remote code execution caused by a general bypass in the deserialization class, letting unauthenticated attackers execute arbitrary code, exploit requires no authentication
Impact
Unauthenticated attackers can execute arbitrary code remotely, leading to full system compromise.
Remediation
Update to version 12.5.329 or later.
Zoho ManageEngine ServiceDesk Plus - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine servicedesk plus"})Description
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Impact
Attackers can access sensitive functionalities and data without authentication, potentially leading to data disclosure or unauthorized actions.
Remediation
Update to version 11302 or later.
Zoho ManageEngine ServiceDesk Plus - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine servicedesk plus"})Description
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patch or upgrade to a patched version of Zoho ManageEngine ServiceDesk Plus.
ZoneMinder - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1218152116"Description
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61.
Impact
Unauthenticated attackers can exploit time-based SQL injection to extract sensitive database information from ZoneMinder.
Remediation
Update ZoneMinder to version 1.36.34 or 1.37.61 or later.
ZoneMinder Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)zm - login"Description
ZoneMinder panel was detected.
ZoneMinder Snapshots - Command Injection
runzero-match
service["http.body"] matches "ZM - Login"Description
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id.
Impact
Unauthenticated attackers can execute arbitrary commands on the ZoneMinder server by exploiting missing authorization checks, potentially compromising all monitored camera systems and recorded footage.
Remediation
Upgrade to ZoneMinder version 1.36.33 or 1.37.33 or later.
Zoraxy Login Panel - Detect
Author: righettodAdded: Mar 1, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login \\| Zoraxy"})Description
Zoraxy products was detected.
Zuul Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1127895693"Description
ZUUL panel was detected.
ZyXel Router Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)web-based configurator"})Description
ZyXel Router login panel was detected.
ZyXel USG - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)usg flex 100"})Description
A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the affected device, potentially leading to further compromise of the network.
Remediation
Update the firmware of the ZyXel USG device to the latest version, which addresses the hardcoded credentials issue.
Zyxel - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/2fa-access\\.cgi"Description
An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.
Impact
Unauthenticated attackers can bypass web authentication and obtain administrative access to Zyxel devices, potentially gaining complete control over firewalls and network security configurations.
Remediation
Apply security updates provided by Zyxel for affected USG/ZyWALL, USG FLEX, ATP, VPN, and NSG series devices.
Zyxel Firewall - OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "USG FLEX 100\",\"USG FLEX 100w\",\"USG FLEX 200\",\"USG FLEX 500\",\"USG FLEX 700\",\"USG FLEX 50\",\"USG FLEX 50w\",\"ATP100\",\"ATP200\",\"ATP500\",\"ATP700"})Description
An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Apply the latest security patches or firmware updates provided by Zyxel to mitigate this vulnerability.
Zyxel Firewall Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-440644339"Description
Zyxel Firewall panel was detected.
Zyxel NAS Firmware 5.21- Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "943925975"Description
Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device. Although the web server does not run as the root user, Zyyxel devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable Zyyxel device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any Zyyxel device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 Zyyxel has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
Remediation
Apply the latest firmware update provided by Zyxel to mitigate this vulnerability.
Zyxel VMG1312-B10D - Login Detection
Author: princechaddhaAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)vmg1312-b10d"Zyxel VSG1432-B101 - Login Detection
Author: princechaddhaAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)VSG1432-B101"Zyxel ZyWall UAG/USG - Account Creation Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zywall"})Description
Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator via the "Free Time" component. This can lead to unauthorized network access or DoS attacks.
Impact
An attacker can exploit this vulnerability to create unauthorized accounts with administrative privileges.
Remediation
Apply the latest firmware update provided by Zyxel to fix the vulnerability.
ZzzCMS 1.75 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "ZzzCMS"Description
ZzzCMS (A Lightweight ASP.NET content management system) is vulnerable to SSRF(Server-Side Request Forgery).
aaPanel Linux Panel - Detect
runzero-match
service["http.body"] matches "(?i)aaPanel Linux panel"Description
Detected aaPanel Linux management panel login interface.
airCube Dashboard Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AirCube Dashboard"})Description
airCube Dashboard login panel was detected.
airCube Login - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1249285083"Description
airCube login panel was detected.
b2evolution CMS <6.11.6 - Open Redirect
runzero-match
service["product"] matches "(?i)b2evolution"Description
b2evolution CMS before 6.11.6 contains an open redirect vulnerability via the redirect_to parameter in email_passthrough.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
This vulnerability can be exploited by attackers to trick users into visiting malicious websites, potentially leading to phishing attacks, malware infections, or unauthorized access to sensitive information.
Remediation
Upgrade b2evolution CMS to version 6.11.6 or later to mitigate the open redirect vulnerability (CVE-2020-22840).
big-AGI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "big-AGI"})Description
big-AGI is a generative AI suite for power users, teams, and developers. It provides
an AI chat interface with support for multiple LLM providers
bloofoxCMS - Default Login
Author: theamanrawatAdded: Aug 7, 2023
runzero-match
service["http.body"] matches "(?i)Powered by bloofoxCMS"Description
bloofoxCMS contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
cPH2 Charging Station v1.87.0 - OS Command Injection
runzero-match
service["http.body"] matches "Salia PLCC"Description
An OS command injection vulnerability in Hardy Barth cPH2 Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature.
Impact
Unauthenticated attackers can exploit OS command injection through the connectivity check feature to execute arbitrary system commands and completely compromise cPH2 charging station installations.
Remediation
Fixed in version 2.0.0
cPanel & WHM - Authentication Bypass via Session-File CRLF Injection
Author: watchtowr,hadrian.io,DhiyaneshDkAdded: May 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)(?:cPanel|WHM) Login"})Description
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Impact
Unauthenticated remote attackers can gain unauthorized access to the control panel, compromising system security.
Remediation
Update to version 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5 or later.
cPanel API Codes Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cpanel - api codes"}) || any(each(service["html.titles"]), {# matches "(?i)cpanel"})Description
cPanel API Codes panel was detected.
cgit < 1.2.1 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)git repository browser"})Description
cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
Impact
Unauthenticated attackers can access arbitrary files on the server through path traversal in cgit when HTTP clone functionality is enabled, potentially exposing sensitive repository data, source code, configuration files, and credentials.
Remediation
Upgrade cgit to version 1.2.1 or later to mitigate the vulnerability.
coreBOS Panel - Detect
runzero-match
service["http.body"] matches "(?i)corebos"Description
coreBOS panel was detected.
dbt Docs Panel - Detect
Author: johnk3rAdded: Mar 21, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dbt Docs"})Description
dbt Docs panel was detected.
dotAdmin Login Panel- Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dotcms"})Description
dotAdmin login panel was detected.
draw.io < 18.0.5 - Server Side Request Forgery (SSRF)
runzero-match
service["http.body"] matches "draw\\.io"Description
Server-Side Request Forgery (SSRF) vulnerability in draw.io (also known as diagrams.net) prior to version 18.0.5 allows attackers to bypass URL validation restrictions in the ProxyServlet component. The vulnerability exists because the application does not properly validate URLs passed to its proxy endpoint, allowing attackers to make requests to internal services or external servers. This can lead to unauthorized access to internal resources and potential data exfiltration.
Impact
Unauthenticated attackers can perform SSRF attacks via the proxy endpoint to access internal resources, scan internal networks, or retrieve sensitive data from internal systems.
Remediation
Update to draw.io/diagrams.net version 18.0.5 or later. The patch adds isLinkLocalAddress() checks to restrict proxy request destinations. If patching isn't possible, implement network controls to limit server connections to internal systems.
draw.io Flowchart Maker Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)flowchart maker"})Description
draw.io Flowchart Maker panel was detected.
eArcu Panel - Detect
Author: righettodAdded: May 25, 2023
runzero-match
service["http.body"] matches "(?i)'content=\"eArcu'"Description
eArcu was detected.
eMerge E3 1.00-06 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emerge"})Description
Linear eMerge E3-Series devices are vulnerable to local file inclusion.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, remote code execution, and potential compromise of the affected system.
Remediation
Apply the latest security patch or update to a non-vulnerable version of eMerge E3.
eMerge E3 1.00-06 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emerge"})Description
Linear eMerge E3-Series devices are susceptible to remote code execution vulnerabilities.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patch or update to a non-vulnerable version of eMerge E3.
eMessage Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emessage"})Description
eMessage login panel was detected.
eZ Publish Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)eZ Publish"Description
eZ Publish login panel was detected.
eyoucms v.1.6.5 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)eyoucms"})Description
Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
Impact
Allows attackers to execute malicious scripts on the victim's browser.
Remediation
Upgrade eyoucms to version 1.6.6 or later to fix the XSS vulnerability.
iClock Automatic Data Master Server Admin Panel - Detect
runzero-match
service["http.body"] matches "(?i)iClock Automatic"Description
An iClock Automatic Data Master Server Admin login panel was detected.
iSAMS Panel - Detect
Author: righettodAdded: May 26, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-81573405"Description
iSAMS was detected.
iSpy 7.2.2.0 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)ispy is running"Description
iSpy 7.2.2.0 contains an authentication bypass vulnerability. An attacker can craft a URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the system.
Remediation
Upgrade to the latest version of iSpy (7.2.2.1 or higher) which includes a fix for the authentication bypass vulnerability.
iTop - User Enumeration via REST Endpoint
runzero-match
service["http.body"] matches "(?i) itop login"Description
From the webservices/rest.php file, several operations are accessible from an unauthenticated user. One of them is `do_reset_pwd`, allowing to reset a user password. This feature can be abused to perform user enumeration when a non-existent user is provided.
Impact
Attackers can exploit this vulnerability to compromise system security.
Remediation
Apply security patches to address CVE-2024-51739.
iTop Hub Connector - Information Disclosure
runzero-match
service["http.body"] matches "(?i)iTop login"Description
Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be read by anyone having access to iTop URI. This issue has been patched in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0.
Impact
Unauthenticated attackers can access sensitive server, database, and iTop configuration information.
Remediation
Update iTop to version 2.7.11, 3.0.5, 3.1.2, or 3.2.0 or later.
iXBus Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)iXBus"})Description
iXBus login panel was detected.
idcCMS V1.60 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)idcCMS"})Description
idcCMS V1.60 is vulnerable to reflected cross-site scripting (XSS) via the idName parameter in read.php. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
Impact
Successful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious activities.
Remediation
Update idcCMS to the latest version. Implement proper input validation and output encoding for all user-supplied data, especially the idName parameter in read.php.
ipTIME A2004 - Unauthorized Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ipTIME"})Description
An access control issue exists in the component /login/hostinfo2.cgi of ipTIME A2004 v12.17.0 that allows attackers to obtain sensitive information without authentication. The vulnerability allows unauthenticated access to device settings and configuration information.
Impact
Unauthenticated attackers can access sensitive device settings and configuration information through the hostinfo2.cgi endpoint.
Remediation
Update ipTIME A2004 router to a version later than 12.17.0 that addresses the unauthorized access vulnerability.
ipTIME A2004 - Unauthorized Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ipTIME"})Description
An access control issue in the component /login/hostinfo.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication.
Impact
Unauthenticated attackers can access sensitive device configuration information through the hostinfo.cgi endpoint without authentication.
Remediation
Update ipTIME A2004 router to a version later than 12.17.0 that addresses the unauthorized access vulnerability.
kkFileView 4.1.0 - Server-Side Request Forgery
runzero-match
service["http.body"] matches "kkFileView"Description
kkFileView 4.1.0 is susceptible to server-side request forgery via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. An attacker can force the application to make arbitrary requests via injection of crafted URLs into the url parameter and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to internal resources, potential data leakage, and further attacks on the server.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SSRF vulnerability in kkFileView 4.1.0.
kkFileView Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kkFileView"})Description
kkFileView panel was detected.
mTheme Unus < 2.3 - Directory Traversal
runzero-match
service["http.body"] matches "(?i)wp-content/themes/mTheme-Unus/"Description
The mTheme-Unus theme for WordPress, prior to version 2.3, contained a directory traversal flaw that let attackers access arbitrary files. This was possible by exploiting the files parameter in css/css.php with .. sequences.
Impact
Attackers can read sensitive files including database credentials and configuration files, potentially leading to full site compromise.
Remediation
Upgrade to 2.3 or later version
macOS Server Panel - Detect
Author: DhiyaneshDkAdded: Oct 8, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)macOS Server"})mantisbt - Anonymous Login
Author: pussycat0xAdded: Jun 21, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "662709064"Description
mantisbt Anonymous login were discovered.
modoboa 2.0.4 - Admin TakeOver
runzero-match
service["http.body"] matches "(?i)modoboa" || service["favicon.ico.image.mmh3"] == "1949005079"Description
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
Impact
Unauthenticated attackers can exploit authentication bypass using default credentials to gain administrator access and completely compromise Modoboa email server installations.
Remediation
update to version 2.0.4
mongo-express Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "Mongo Express"})Description
mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade mongo-express to version 0.54.0 or higher.
mooSocial 3.1.8 - External Service Interaction
runzero-match
service["favicon.ico.image.mmh3"] == "702863115clear"Description
mooSocial 3.1.8 is vulnerable to external service interaction via multiple parameters in the post function.
Impact
An attacker can exploit this vulnerability to interact with external services.
Remediation
Upgrade to a patched version of mooSocial to mitigate CVE-2023-43323.
myLittleAdmin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)myLittleAdmin"Description
myLittleAdmin login panel was detected.
myLittleBackup Panel - Detect
runzero-match
service["http.body"] matches "(?i)myLittleBackup"Description
myLittleBackup panel was detected.
n8n Panel - Detect
Author: userdehghani,rxeriumAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-831756631"Description
The worlds most popular workflow automation platform for technical teams
n8n Webhooks - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches `(?i)^n8n[.]io\s*-\s*Workflow\s+Automation`})Description
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
Impact
Unauthenticated remote attackers can access sensitive files, potentially leading to information disclosure and further system compromise.
Remediation
Update to version 1.121.0 or later.
nMon Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "^nMon"})Description
nMon login interface was discovered.
ngSurvey Login Panel - Detect
Author: righettodAdded: Jun 5, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ngSurvey enterprise survey software"})Description
ngSurvey products was detected.
nginxWebUI ≤ 3.5.0 - Remote Command Execution
Author: ritikchaddhaAdded: Sep 19, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nginxwebui"})Description
There is a command execution vulnerability in the nginxWebUI backend. After logging in to the backend, the attacker can execute any command to obtain server permissions.
nginxWebUI ≤ 3.5.0 runCmd - Remote Command Execution
Author: DhiyaneshDkAdded: Jul 27, 2023
runzero-match
service["http.body"] matches "(?i)nginxWebUI"Description
nginxWebUI’s runCmd feature and is caused by incomplete validation of user input. Attackers can exploit the vulnerability by crafting malicious data to execute arbitrary commands on a vulnerable server without authorization.
nitely/spirit 0.12.3 - Open Redirect
runzero-match
service["product"] matches "(?i)spirit.project.spirit"Description
Multiple Open Redirect in GitHub repository nitely/spirit prior to 0.12.3.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.
Remediation
Upgrade to a patched version of nitely/spirit to mitigate the open redirect vulnerability (CVE-2022-0869).
noVNC Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)noVNC"})Description
noVNC login panel was detected.
nostromo 1.9.6 - Remote Code Execution
runzero-match
service["http.head.server"] matches "(?i)^nostromo"Description
nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via directory traversal in the function http_verify.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
Remediation
Upgrade to a patched version of nostromo web server (1.9.7 or later) or apply the vendor-supplied patch.
npm ansi_up v4 - Cross-Site Scripting
runzero-match
service["product"] matches "(?i)ansi.up"Description
npm package ansi_up v4 is vulnerable to cross-site scripting because ANSI escape codes can be used to create HTML hyperlinks.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a user's browser, leading to potential data theft or unauthorized actions.
Remediation
Upgrade to v5.0.0 or later.
ntopng - Default Login
Author: 0x_AkokoAdded: Mar 24, 2026
runzero-match
service["product"] contains "ntop:ntopng"Description
Detected the ntopng network traffic monitoring tool was found to be using default credentials (admin:admin). An attacker could have gained full administrative access to network traffic data, flow analysis, and system configuration.
openSIS Classic v9.1 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openSIS"})Description
SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands.
Impact
Attackers can exploit this vulnerability to compromise system security and integrity.
Remediation
Apply the latest security patches and updates to address this vulnerability.
openSIS v9.0 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openSIS"})Description
A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths.
Impact
Unauthenticated attackers can read arbitrary files from the server by manipulating the filename parameter in DownloadWindow.php, potentially exposing student records, staff information, and database credentials.
Remediation
Update openSIS to a version newer than 9.0 that validates file paths in DownloadWindow.php and restricts file access to authorized directories only.
osTicket Installer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)osticket installer"}) || any(each(service["html.titles"]), {# matches "(?i)osticket"}) || service["http.body"] matches "(?i)powered by osticket"Description
osTicket installer panel was detected.
osTicket Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)powered by osticket" || any(each(service["html.titles"]), {# matches "(?i)osticket"}) || any(each(service["html.titles"]), {# matches "(?i)osticket installer"})Description
osTicket login panel was detected.
ownCloud Guests - User Enumeration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ownCloud"})Description
ownCloud Guests before 0.12.5 contains an unauthenticated user enumeration vulnerability caused by insufficient validation of the token in showPasswordForm at /apps/guests/register/{email}/{token}, letting unauthenticated attackers enumerate valid guest users, exploit requires no authentication.
Impact
Unauthenticated attackers can enumerate valid guest users, potentially aiding further targeted attacks.
Remediation
Update to version 0.12.5 or later.
pCOWeb - Default-Login
Author: ritikchaddhaAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "pCOWeb"})pCOWeb Panel - Detect
Author: ritikchaddhaAdded: Sep 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pCOWeb"})pREST < 1.5.4 - SQL Injection Via Authentication Bypass
Author: mihail8531,iamnoooob,rootxharsh,pdresearchAdded: Aug 28, 2024
runzero-match
service["http.body"] matches "(?i)authorization token is empty"Description
An authentication bypass vulnerability was introduced by changing the JWT whitelist configuration to use a regex pattern, allowing unauthorized access to any path containing /auth and leading to SQL Injection.
perfSONAR 4.x <= 4.4.4 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "perfSONAR Toolkit"})Description
An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks.
Impact
Unauthenticated attackers can exploit SSRF vulnerabilities in the graphData.cgi component to access internal resources, bypass firewall restrictions, and potentially access sensitive performance measurement data from internal network monitoring systems.
Remediation
Upgrade to perfSONAR version 4.4.5 or later that validates and restricts URL parameters in the graphData.cgi component.
pfSense - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
service["product"] contains "pfSense:pfSense" || service["product"] contains "Netgate:pfSense"Description
Detected pfSense firewall was found using default administrator credentials (admin:pfsense). An attacker could have gained full administrative access to manage firewall rules, routing, and network configuration.
pfSense Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pfsense - login"})Description
pfSense login panel was detected.
pfSense pfBlockerNG <=2.1..4_26 - OS Command Injection
runzero-match
service["product"] matches "(?i)netgate.pfblockerng"Description
pfSense pfBlockerNG through 2.1.4_26 is susceptible to OS command injection via root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Upgrade to a patched version of pfSense pfBlockerNG (>=2.1..4_27) to mitigate this vulnerability.
pgAdmin < 6.17 - Unauthenticated Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pgAdmin"})Description
pgAdmin prior to 6.17 contains an insecure HTTP API caused by improper access control, letting unauthenticated users execute arbitrary external utilities via path manipulation, exploit requires no authentication.
Impact
Attackers can execute arbitrary external utilities on the server, potentially leading to remote code execution or system compromise.
Remediation
Update to version 6.17 or later to fix the security issue.
phpCollab Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpcollab"})Description
phpCollab login panel was detected.
phpLDAPadmin <= 1.2.3 - Reflected XSS
runzero-match
service["product"] contains "phpLDAPadmin Project:phpLDAPadmin"Description
phpLDAPadmin <= 1.2.3 contains a reflected cross-site scripting caused by unsanitized input in htdocs/entry_chooser.php via the form, element, rdn, or container parameter, letting attackers execute malicious scripts in victim browsers, exploit requires sending crafted input.
Impact
Attackers can execute malicious scripts in victim browsers, potentially leading to session hijacking or defacement.
Remediation
Update to the latest version of phpLDAPadmin where the vulnerability is fixed.
phpMiniAdmin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)phpMiniAdmin"Description
phpMiniAdmin login panel was detected.
phpMyAdmin - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "phpMyAdmin"})Description
phpMyAdmin contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
phpMyAdmin - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 1, 2026
runzero-match
service["product"] contains "phpMyAdmin:phpMyAdmin"Description
Detected potential Full Path Disclosure (FPD) via directly accessible phpMyAdmin files that may throw PHP errors revealing filesystem paths when error display is enabled.
phpMyAdmin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpmyadmin"})Description
phpMyAdmin panel was detected.
phpMyFAQ - Configuration Backup Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpMyFAQ"})Description
phpMyFAQ <= 4.0.16 contains an information disclosure vulnerability caused by unauthenticated access to configuration backup ZIP generation and download, letting remote attackers access sensitive configuration files, exploit requires no authentication.
Impact
Remote attackers can access sensitive configuration files, exposing database credentials and enabling further compromise.
Remediation
Update to version 4.0.16 or later.
phpPgAdmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phppgadmin"})Description
phpPgAdmin login ipanel was detected.
phpVMS < 7.0.6 - Legacy Importer Authorization Bypass
runzero-match
service["http.body"] matches "(?i)phpvms"Description
phpVMS < 7.0.6 contains an authentication bypass caused by unauthenticated access to a legacy import feature, letting unauthenticated attackers access restricted functionality, exploit requires no special privileges.
Impact
Unauthenticated attackers can access restricted import functionality, potentially leading to unauthorized data manipulation or system compromise.
Remediation
Update to version 7.0.6 or later.
playSMS <1.4.3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches `(?i)playSMS`})Description
PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
Remediation
Upgrade playSMS to version 1.4.4 or later to mitigate this vulnerability.
pyLoad Flask Config - Access Control
runzero-match
service["http.body"] matches "(?i)pyload" || any(each(service["html.titles"]), {# matches "(?i)login - pyload"}) || any(each(service["html.titles"]), {# matches "(?i)pyload"})Description
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
Impact
Unauthenticated attackers can access the Flask SECRET_KEY and other sensitive configuration variables, potentially enabling session hijacking or other attacks.
Remediation
Update pyLoad to version 0.5.0b3.dev77 or later.
pyload-ng js2py - Remote Code Execution
runzero-match
service["http.body"] matches "pyload"Description
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
Impact
Attackers can execute arbitrary code on the server through malicious JavaScript code execution via js2py.
Remediation
Update pyload-ng to a version that removes or secures the js2py dependency.
qBittorrent Web UI Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qbittorrent"})qdPM 9.2 - Directory Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "762074255"Description
qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI.
Impact
Successful exploitation could allow an attacker to read sensitive files on the server.
Remediation
Upgrade qdPM to a non-vulnerable version to mitigate the directory traversal vulnerability.
qdPM Login Panel
Author: theamanrawatAdded: Jul 7, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "762074255"rConfig - Default Login
Author: theamanrawatAdded: Oct 17, 2023
runzero-match
any(each(service["html.titles"]), {# matches "rConfig"})Description
rConfig contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
rConfig 3.9 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Upgrade to a patched version of rConfig or apply the vendor-supplied patch to mitigate this vulnerability.
rConfig 3.9.4 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
rConfig 3.9.4 and previous versions have unauthenticated devices.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
Remediation
Upgrade to a patched version of rConfig or apply the necessary security patches provided by the vendor.
rConfig 3.9.4 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
Remediation
Upgrade to the latest version of rConfig or apply the provided patch to fix the SQL Injection vulnerability.
rConfig 3.9.4 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
Remediation
Upgrade to the latest version of rConfig or apply the provided patch to fix the SQL Injection vulnerability.
rConfig <=3.9.4 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
rConfig 3.9.4 and prior has unauthenticated snippets.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
Remediation
Upgrade rConfig to version >3.9.4 or apply the provided patch to mitigate the SQL Injection vulnerability.
sar2html <=3.2.2 Plot Parameter - Remote Code Execution
runzero-match
service["product"] matches "(?i)cemtan.sar2html"Description
sar2html version 3.2.2 and prior contains an OS command injection vulnerability in the plot parameter of index.php. A remote, unauthenticated attacker can append shell metacharacters to the plot parameter and execute arbitrary operating system commands.
Impact
Successful exploitation allows unauthenticated remote command execution on the underlying server in the web application process context.
Remediation
Remove public access to affected sar2html deployments or apply vendor-provided fixes when available. Restrict access to trusted users and monitor for shell metacharacters in requests to index.php with the plot parameter.
temBoard Panel - Detect
Author: righettodAdded: Dec 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)temBoard"})Description
temBoard was detected — a powerful management tool for PostgreSQL.
tshirtecommerce PrestaShop Module - SQL Injection
runzero-match
service["http.body"] matches "(?i)Prestashop"Description
The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the tshirtecommerce_design_cart_id parameter, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database. This is due to lack of input sanitization, as shown in the patch where pSQL() is now used.
Impact
Unauthenticated attackers can execute SQL injection through the tshirtecommerce_design_cart_id parameter to extract the complete PrestaShop database including customer data and payment information.
Remediation
Update the tshirtecommerce module to the latest version and apply all security patches.
txAdmin Panel - Detect
Author: s4e-ioAdded: Oct 11, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)txAdmin Login"})Description
txAdmin panel was discovered.
u5cms v8.3.5 - Open Redirect
runzero-match
service["product"] matches "(?i)yuba.u5cms"Description
u5cms version 8.3.5 contains a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Apply the latest patch or update to a version that has fixed this vulnerability.
vBulletin - Open Redirect
runzero-match
any(each(service["html.titles"]), {# matches "powered by vbulletin"})Description
vBulletin 3.x.x and 4.2.x through 4.2.5 contains an open redirect vulnerability via the redirector.php URL parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
Remediation
Apply the latest security patches and updates provided by vBulletin to fix the open redirect vulnerability.
vBulletin 5.0.0-5.5.4 - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)powered by vbulletin" || any(each(service["html.titles"]), {# matches "(?i)powered by vbulletin"}) || any(each(service["html.titles"]), {# matches "(?i)vbulletin"})Description
vBulletin 5.0.0 through 5.5.4 is susceptible to a remote command execution vulnerability via the widgetConfig parameter in an ajax/render/widget_php routestring request. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade vBulletin to a version that is not affected by CVE-2019-16759.
vBulletin 5.5.4 - 5.6.2- Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)powered by vbulletin"}) || service["http.body"] matches "(?i)powered by vbulletin" || any(each(service["html.titles"]), {# matches "(?i)vbulletin"})Description
vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade vBulletin to a version that is not affected by CVE-2020-17496.
vBulletin <= 4.2.3 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vbulletin"}) || any(each(service["html.titles"]), {# matches "(?i)powered by vbulletin"}) || service["http.body"] matches "(?i)powered by vbulletin"Description
vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
Remediation
Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor.
vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
runzero-match
service["http.body"] matches "(?i)powered by vbulletin"Description
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
vBulletin SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)powered by vbulletin"}) || service["http.body"] matches "(?i)powered by vbulletin" || any(each(service["html.titles"]), {# matches "(?i)vbulletin"})Description
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control that permits SQL injection attacks.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying system.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of vBulletin.
vCenter Server - Improper Access Control
runzero-match
service["product"] contains "VMware:vCenter Server"Description
Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass proxy leading to internal endpoints being accessed.
Impact
Attackers can bypass proxy restrictions and access internal endpoints, potentially leading to information disclosure or further internal network compromise.
Remediation
Apply the latest security patches or updates provided by VMware for vCenter Server.
vRealize Hyperic Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Sign In - Hyperic"})Description
vRealize Hyperic login panel was detected
vRealize Log Insight - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vrealize log insight"})Description
Detect vRealize Log Insight login panel was detected.
webp_server_go 0.4.0 - Path Traversal
runzero-match
service["http.body"] matches "(?i)Webp"Description
webp_server_go 0.4.0 contains a path traversal caused by insufficient sanitization in file handling, letting attackers read arbitrary files on the server, exploit requires attacker to send crafted requests.
Impact
Unauthenticated attackers can read arbitrary files from the server including /etc/passwd via path traversal using double URL encoding.
Remediation
Upgrade to webp_server_go version 0.4.1 or later that properly sanitizes file paths.
wpDiscuz <= 5.3.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpdiscuz"Description
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to extract database contents including user credentials, posts, and sensitive WordPress configuration data.
Remediation
Upgrade to wpDiscuz version 5.3.6 or later.
x-amz-meta-s3cmd-attrs Header Username Disclosure
Author: DhiyaneshDKAdded: Jan 19, 2026
runzero-match
service["http.head.xAmzMetaS3cmdAttrs"] != ""Description
Detected exposure of the x-amz-meta-s3cmd-attrs header in S3 objects, which can disclose sensitive information including the username (uname), user ID (uid), group name (gname), and group ID (gid) of the user who uploaded the file using s3cmd.
Remediation
Use s3cmd with --no-preserve flag or set preserve_attrs = False in s3cmd configuration to prevent storing filesystem attributes in S3 object metadata.
zhttpd - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)VMG1312-B10D"Description
zhttpd is vulnerable to unauthenticated local inclusion including privileged files such as /etc/shadow. An attacker can read all files on the system by using this endpoint.
Р7-Office 12.5 - Cross-Site Scripting
Author: 0xpugalAdded: Oct 5, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Р7-Офис"})Description
A failure to implement proper measures to protect the structure of the web page in the P7-Office corporate server could have allowed a remote attacker to perform a cross-site scripting (XSS) attack.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
In addition to query-based vulnerability reporting, runZero natively detects exposures using an embedded version of the open-source Nuclei vulnerability scanner and it’s YAML-based vulnerability check templates. To maintain fast scan times and minimize network disruption, runZero dynamically selects appropriate templates based on the scan’s configured categories and precise asset and service fingerprinting.