Templates
The table below lists the Nuclei vulnerability templates available for scans. The full set of tuned templates can be found in our nuclei-templates repository.
2,522
Templates
1,058
CVEs Covered
3
Scan Categories
2522 of 2522 templates
Loading templates…
.NET Framework - Leaking ObjRefs via HTTP .NET Remoting
runzero-match
service["http.head.server"] matches "(?i)ms .net remoting"Description
.NET Framework Information Disclosure Vulnerability
Impact
Attackers can exploit leaked ObjRefs to access remote objects via .NET Remoting, potentially gaining unauthorized access to application data.
Remediation
Apply security patches for .NET Framework addressing CVE-2024-29059.
1 Click WordPress Migration <= 2.2 - Unauthenticated Information Disclsoure
Author: pussycat0xAdded: Feb 7, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/1-click-migration/"Description
1 Click WordPress Migration <= 2.2 contains an information disclosure caused by uncleared debug information, letting attackers retrieve embedded sensitive data, exploit requires no specific privileges.
Impact
Attackers can access sensitive embedded data, potentially leading to information disclosure and further exploitation.
Remediation
Remove debug information and update to the latest version of 1 Click WordPress Migration.
1Password SCIM Bridge - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)1Password SCIM Bridge Login"})Description
1Password SCIM Bridge Login was detected.
3COM NJ2000 - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "ManageEngine Password"})Description
3COM NJ2000 contains a default login vulnerability. Default admin login password of 'password' was found. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
3CX Phone System Management Console - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3cx webclient"}) || any(each(service["html.titles"]), {# matches "(?i)3cx phone system management console"}) || service["favicon.ico.image.mmh3"] == "970132176"Description
3CX Phone System Management Console panel was detected.
3CX Phone System Web Client Management Console - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3cx webclient"}) || any(each(service["html.titles"]), {# matches "(?i)3cx phone system management console"}) || service["favicon.ico.image.mmh3"] == "970132176"Description
3CX Phone System Web Client Management Console panel was detected.
3Com Wireless 8760 Dual Radio - Default Login
Author: ritikchaddhaAdded: Apr 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3COM"})Description
3COM Wireless 8760 Dual Radio contains a default login vulnerability. Default admin login password 'password' was found.
3ware Controller 3DM2 - Default Login
Author: ritikchaddhaAdded: Apr 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3ware"})Description
The default password for logging in to the 3DM2 web interface of a 3ware controller is "3ware" for both the Administrator and User accounts.
74cms - ajax_common.php SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying database.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_common.php file.
74cms - ajax_officebuilding.php SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_officebuilding.php file.
74cms - ajax_street.php 'key' SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 'key' parameter of ajax_street.php in 74cms.
74cms - ajax_street.php 'x' SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the underlying database.
Remediation
Apply the vendor-provided patch or update to the latest version of 74cms to mitigate the SQL Injection vulnerability.
AC Centralized Management System - Default password
Author: SleepingBag945Added: Sep 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)安网科技-智能路由系统"})Description
AC Centralized Management System default login credentials were discovered.
AC Smart II - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Doc/WebLogin\\.asp"Description
AC Smart II contains an authentication bypass caused by a hidden password reset form that can be manipulated to change the administrator password without verifying login or permissions, letting attackers change admin passwords without authorization.
Impact
Attackers can change the administrator password without authorization, leading to full system takeover.
Remediation
Update to the latest version that properly verifies login status and user permissions before password reset.
ACME Challenge Path - Reflected Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)acme-challenge"Description
Detects XSS vulnerabilities in ACME http-01 challenge implementations where hosting providers reflect the challenge key from the URL without proper sanitization
ACTi Video Monitoring Panel - Detection
Author: DhiyaneshDkAdded: Aug 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Web Configurator"})AIC Intelligent Campus System - Password Exposure
Author: SleepingBag945Added: Sep 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AIC智能校园系统"})Description
Due to the design logic defects, the super password is leaked, which can kill more than 40 campus systems.<br>
AJ-Report < 1.4.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AJ-Report"})Description
AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules functionality.
Impact
Unauthenticated attackers can bypass authentication and execute arbitrary Java code on the server through script engine injection, achieving complete system compromise and access to all application data.
Remediation
Upgrade to AJ-Report version 1.4.1 or later which includes security fixes.
AKHQ Panel - Detect
Author: DhiyaneshDKAdded: Apr 8, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "855432563"Description
AKHQ Panel was discovered.
AMD Pensando PSM - Default Login
Author: tpierruAdded: Aug 20, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1907840597"Description
The AMD Pensando Policy and Services Manager used a default password for the admin account.This allowed instances to be accessed using the default credentials.
AMR Printer Management Dashboard - Exposure
Author: ritikchaddhaAdded: Sep 17, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AMR Printer Management"})Description
Unauthorized access to the AMR Printer Management dashboard was possible, potentially exposing sensitive printer configuration and management interfaces without proper authentication.
APC Rack PDU Default Login
Author: tdiderichAdded: Aug 26, 2025
runzero-match
asset["hw"] matches `Schneider\s+Electric` || asset["os"] matches `Schneider\s+Electric\s+AOS` || any(each(service["html.titles"]), {# matches `APC \| Log On`})Description
APC Rack PDU with default administrator credentials discovered.
ARL Default Admin Login
runzero-match
service["http.url"] contains ":5003/" && service["http.body"] contains "Powered by TCC" && service["http.body"] contains "ARL"Description
An ARL default admin login was discovered.
ARRIS Touchstone Telephony Modem - Panel Detect
runzero-match
service["http.body"] matches "(?i)phy\\.htm"Description
ARRIS Touchstone Telephony Modem status panel was detected.
ASUS AiCloud Panel - Detect
Author: ritikchaddhaAdded: Jun 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AiCloud"})Description
ASUS AiCloud Panel was detected.
ASUS RT-N16 - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="RT-N16'})Description
ASUS RT-N16 contains a default login vulnerability. Default admin login password 'admin' was found.
ASUS WL-500G - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# matches '(?i)realm="WL-500G'})Description
ASUS WL-500 contains a default login vulnerability. Default admin login password 'admin' was found.
ASUS WL-520GU - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="WL-520GU'})Description
ASUS WL-520GU contains a default login vulnerability. The default admin login password 'admin' was found.
ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ASUSTOR"Description
ASUSTOR ADM version 3.1.0.RFQ3 is vulnerable to SQL injection via the album_id parameter in the /photo-gallery/api/album/tree_lists/ endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database, potentially leading to information disclosure or further compromise of the affected system.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire ASUSTOR ADM system and accessing stored data.
Remediation
Upgrade to a patched version of ASUSTOR ADM or apply vendor-provided security updates.
ATutor < 2.2.1 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)atutor"Description
ATutor < 2.2.1 was discovered with a vulnerability, a reflected cross-site scripting (XSS), in ATtutor 2.2.1 via token body parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
Remediation
Upgrade ATutor to version 2.2.2 or above to mitigate this vulnerability.
AVM FRITZ!Box 7530 AX - Unauthorized Access
runzero-match
service["http.body"] matches "(?i)FRITZ!Box 7530"Description
An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication.
Impact
Unauthenticated attackers can access sensitive device information including firmware version, serial numbers, and configuration details through the boxinfo XML endpoint.
Remediation
Update AVM FRITZ!Box 7530 AX to a version later than 7.59 that addresses the unauthorized access vulnerability.
AVTECH DVR - Login Verification Code Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH DVR products are vulnerable to verification code bypass just by entering the "login=quick" parameter to bypass verification code.
Impact
Attackers can bypass authentication mechanisms and gain unauthorized access to the DVR system, potentially viewing camera feeds, modifying settings, or compromising the device.
Remediation
Update to the latest firmware version or contact the vendor for a security patch.
AVTECH DVR - SSRF
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH DVR device, Search.cgi can be accessed directly. Search.cgi is responsible for searching and accessing cameras in the local network. Search.cgi provides the cgi_query function.
AVTECH Room Alert Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Room Alert"})Description
AVTECH Room Alert login panel was detected.
AVTECH Video Surveillance Product - Authentication Bypass
Author: ritikchaddhaAdded: May 15, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH Video Surveillance Products password disclosure through /cgi-bin/user/Config.cgi.
AVTECH Video Surveillance Product - Unauthenticated File Download
Author: ritikchaddhaAdded: May 15, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH video surveillance products unauthenticated file download from web root through /cgi-bin/cgibox, Since the .cab string is verified by the strstr method, the file download can be realized by adding ?.cab at the end of the file name.
AVideo <= 26.0 - WWBN AVideo - Remote Code Execution
Author: pussycat0xAdded: Apr 8, 2026
runzero-match
service["http.body"] matches "(?i)AVideo"Description
WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution.
Impact
Unauthenticated attackers can execute arbitrary system commands, leading to full server compromise.
Remediation
Update to the version including commit c85d076375fab095a14170df7ddb27058134d38c or later.
AWS EC2 Auto Scaling Lab
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["http.body"] matches "(?i)AWS EC2 Auto Scaling Lab"AWS Elastic Beanstalk Dockerrun.aws.json - Exposure
runzero-match
service["http.body"] matches "(?i)AWSEBDockerrunVersion"Description
Detected AWS Elastic Beanstalk Dockerrun.aws.json configuration file was publicly accessible, potentially revealing Docker container definitions, image names, hostnames, port mappings, and infrastructure details.
AWStats <= 7.5 - Full Path Disclosure
runzero-match
service["product"] contains "Laurent Destailleur:AWStats"Description
AWStats 7.6 contains a full path disclosure caused by improper handling of framename and update parameters in awstats.pl, letting remote attackers determine server file paths, exploit requires sending crafted parameters.
Impact
Attackers can discover server file paths, aiding further exploitation or reconnaissance.
Remediation
Update to the latest version of AWStats or apply security patches addressing this issue.
Abandoned Cart Lite for WooCommerce < 5.2.0 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/woocommerce-abandoned-cart/"Description
The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping.
Impact
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.
Remediation
Fixed in 5.2.0
Academy LMS 6.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)academy lms"Description
A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Impact
Unauthenticated attackers can execute arbitrary SQL queries, potentially extracting sensitive database information including user credentials and payment data.
Remediation
Update Academy LMS to version 6.3 or later which includes proper SQL injection prevention.
AceNet AceReporter Report Panel - Detect
Author: DhiyaneshDkAdded: Aug 4, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1595726841"Ackee Panel - Detect
Author: userdehghaniAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1495233116"Description
self-hosted, node.js based analytics tool for those who care about privacy.
Acrolinx Dashboard
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Acrolinx Dashboard"})Description
An Acrolinx Analytics dashboard was detected.
Actifio Resource Center - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Actifio Resource Center"})Description
Actifio Resource Center was detected.
Activepieces Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Activepieces"})Description
Activepieces was detected. Activepieces was an open-source automation platform with AI and LLM integrations. Exposed instances may allow access to workflow automation configurations and connected integrations.
AcuToWeb server/10.5.0.7577c8b - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AcuToWeb"})Description
AcuToWeb server/10.5.0.7577c8b is vulnerable to reflected cross-site scripting (XSS) via the portgw parameter. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
Impact
Successful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious activities.
Remediation
Update AcuToWeb to the latest version. Implement proper input validation and output encoding for all user-supplied data, especially the portgw parameter.
Acunetix Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Acunetix"})Description
Acunetix login panel was detected.
AdGuard Panel - Detect
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AdGuard Home"})Description
AdGuard panel has been detected.
Adapt Authoring Tool - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adapt authoring tool"})Description
Login panel for adapt was detected.
AddOnFinance Portal - Detect
Author: ritikchaddhaAdded: Jun 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AddOnFinancePortal"})Description
AddOnFinance Portal Panel was detected.
Adfinity Login Panel - Detect
Author: righettodAdded: Apr 3, 2025
runzero-match
service["http.body"] matches "(?i)Adfinity"Description
Adfinity products was detected.
Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS
runzero-match
service["product"] contains "Adminer:Adminer"Description
Adminer <= 5.4.1 contains a denial of service caused by lack of origin validation in version check endpoint, letting attackers trigger server errors via crafted POST requests, exploit requires no special privileges.
Impact
Attackers can cause server errors resulting in denial of service for all users.
Remediation
Upgrade to Adminer 5.4.2 or later.
Adminer <4.7.9 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to internal resources and potential data leakage.
Remediation
Upgrade to version 4.7.9 or later.
Adminer <=4.8.0 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer 4.6.1 to 4.8.0 contains a cross-site scripting vulnerability which affects users of MySQL, MariaDB, PgSQL, and SQLite in browsers without CSP when Adminer uses a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled).
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the Adminer interface, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
This vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).
Adminer Default Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)adminer"})Description
Adminer contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Adminer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
An Adminer login panel was detected.
Adminer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer login panel was detected.
Adobe AEM CRX Package Manager - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
Adobe AEM CRX Package Manager panel was detected.
Adobe AEM Default Login
runzero-match
service["http.body"] contains `href="/etc.clientlibs/`Description
Adobe AEM default login credentials were discovered.
Adobe AEM JCR Compare Exposure
Author: pussycat0xAdded: Jan 2, 2026
runzero-match
service["product"] contains "Adobe:Experience Manager"Description
Detected an exposed Adobe AEM JCR compare functionality that was accessible without proper authorization. This exposure may have allowed attackers to infer repository structure or sensitive content through comparison operations.
Adobe ColdFusion - Access Control Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass access controls and gain unauthorized access to sensitive information or perform unauthorized actions.
Remediation
Apply the necessary security patches or updates provided by Adobe to mitigate this vulnerability.
Adobe ColdFusion - Access Control Bypass
Author: rootxharsh,iamnoooob,DhiyaneshDK,pdresearchAdded: Jul 12, 2023CWE-284,NVD-CWE-OTHERCVE-2023-29298
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
An attacker is able to access every CFM and CFC endpoint within the ColdFusion Administrator path /CFIDE/, of which there are 437 CFM files and 96 CFC files in a ColdFusion 2021 Update 6 install.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass access controls and gain unauthorized access to sensitive information or perform unauthorized actions.
Remediation
Apply the latest security patches or updates provided by Adobe to fix the access control bypass vulnerability.
Adobe ColdFusion - Arbitrary File Read
runzero-match
service["http.head.server"] matches `(?i)coldfusion`Description
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can read and write arbitrary files on the server, potentially leading to complete system compromise.
Remediation
Update Adobe ColdFusion to version 2023.7, 2021.13 or later depending on your version.
Adobe ColdFusion - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in context of the current user. Exploitation of this issue requires user interaction.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Adobe to mitigate this vulnerability.
Adobe ColdFusion - Local File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Unauthenticated Arbitrary File Read vulnerability due to deserialization of untrusted data in Adobe ColdFusion. The vulnerability affects ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier
Impact
This vulnerability can lead to unauthorized access to sensitive information stored on the server.
Remediation
Apply the necessary security patches or updates provided by Adobe to fix the vulnerability.
Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
Impact
This vulnerability can lead to unauthorized access to sensitive information and potential compromise of the affected system.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Adobe ColdFusion Component Browser Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
An Adobe ColdFusion Component Browser login panel was detected.
Adobe ColdFusion WDDX Deserialization Gadgets
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can exploit WDDX deserialization vulnerabilities in Adobe ColdFusion to execute arbitrary code without user interaction and completely compromise ColdFusion installations.
Remediation
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
Adobe Coldfusion - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can bypass access controls to access Adobe ColdFusion administration endpoints, potentially allowing full control over the ColdFusion server and access to sensitive application data.
Remediation
Upgrade to Adobe ColdFusion 2023.6 or 2021.12 or later versions that address this access control vulnerability.
Adobe Coldfusion - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser
Impact
Unauthenticated attackers can inject malicious JavaScript through crafted URLs to execute code in victim browsers, potentially stealing ColdFusion administrator session cookies and gaining access to sensitive application configurations.
Remediation
Update Adobe ColdFusion to version 2023.6 or 2021.12 or later that properly escapes URLs in the CFIDE administrator and wizards interfaces.
Adobe Coldfusion <=8.0.1 - Cross-Site Scripting
runzero-match
service["product"] contains "Adobe:ColdFusion"Description
Adobe ColdFusion Server 8.0.1 and earlier contain multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade Adobe Coldfusion to a version higher than 8.0.1 or apply the necessary patches provided by the vendor.
Adobe Connect < 12.1.5 - Local File Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adobe Connect"}) || any(each(service["html.titles"]), {# matches "(?i)openvpn connect"})Description
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction
Impact
Unauthenticated attackers can exploit improper access control to download arbitrary files through the system/download endpoint, potentially accessing sensitive Adobe Connect meeting recordings and configuration files.
Remediation
Update Adobe Connect to version 12.1.5 or later that implements proper access control checks for the system/download functionality.
Adobe Connect Central Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openvpn connect"})Description
An Adobe Connect Central login panel was detected.
Adobe Experience Manager Felix Console - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "AEM Sign In"})Description
Adobe Experience Manager Felix Console contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. Remote code execution may also be possible via installation of OSGI bundle.
Adobe Experience Manager Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
An Adobe Experience Manager login panel was detected.
Adobe Experience Manager Sling User Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
Adobe Experience Manager Sling user login panel was detected.
Adobe Media Server Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adobe Media Server"})Description
An Adobe Media Server login panel was detected.
Ads Pro Plugin <= 4.89 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ap-plugin-scripteo"Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site.
Impact
Successful exploitation could allow an attacker to execute arbitrary code on the affected system through deserialization of malicious JSON payloads.
Remediation
Update the Ads Pro Plugin to version later than 4.89. Alternatively, disable polymorphic type handling or implement proper input validation and deserialization controls.
Advanced eMail Solution DEEPMail - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advanced eMail Solution DEEPMail"})Description
Advanced eMail Solution DEEPMail login panel was detected.
Advantech R-SeeNet - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)r-seenet"Description
Advantech R-SeeNet contains a cross-site scripting vulnerability in the device_graph_page.php script via the graph parameter. A specially crafted URL by an attacker can lead to arbitrary JavaScript code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Advantech to fix the XSS vulnerability in the R-SeeNet application.
Advantech R-SeeNet 2.4.12 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)r-seenet"Description
Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Update to the latest version of Advantech R-SeeNet to mitigate this vulnerability.
Aerohive NetConfig UI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aerohive NetConfig UI"})Description
An Aerohive NetConfig user interface was detected. The NetConfig UI provides a fundamental set of configurations for configuring basic network and HiveManager connectivity settings, and uploading new IQ Engine images to Extreme Networks APs.
Aethra Telecommunications Login - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aethra Telecommunications Operating System"})Description
Aethra Telecommunication login Panel was detected.
Agent-Zero 0.8.0 - 0.9.4 - Arbitrary File Download
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Agent Zero"})Description
Agent-Zero v0.8.0 - 0.9.4 contains a path traversal caused by improper validation in /api/download_work_dir_file.py, letting attackers access unauthorized files, exploit requires crafted request.
Impact
Attackers can access unauthorized files, potentially exposing sensitive data or system information.
Remediation
Update to the latest version of Agent-Zero
AgentGPT Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AgentGPT"})Description
AgentGPT was detected. AgentGPT was a browser-based autonomous AI agent platform that allows users to create, configure and deploy AI agents directly in the browser.
Agentejo Cockpit < 0.11.2 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate the vulnerability.
Agentejo Cockpit <0.11.2 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, potentially leading to unauthorized access, data manipulation, or denial of service.
Remediation
Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate this vulnerability.
Agentejo Cockpit <0.12.0 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.
Impact
Successful exploitation of this vulnerability could allow an attacker to manipulate database queries, potentially leading to unauthorized access, data leakage, or data corruption.
Remediation
Upgrade Agentejo Cockpit to version 0.12.0 or later to mitigate this vulnerability.
AirNotifier Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AirNotifier"})Description
AirNotifier login panel was detected.
AirOS Panel - Detect
Author: rxeriumAdded: Aug 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-697231354"Description
AirOS panel was detected.
Airflow Experimental <1.10.11 - REST API Auth Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)airflow - dags"}) || any(each(service["html.titles"]), {# matches "(?i)airflow"}) || any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"}) || service["http.body"] matches "(?i)apache airflow"Description
Airflow's Experimental API prior 1.10.11 allows all API requests without authentication.
Impact
Allows unauthorized access to Airflow Experimental REST API
Remediation
From Airflow 1.10.11 forward, the default has been changed to deny all requests by default. Note - this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide linked in the references.
Akuiteo Login Panel - Detect
Author: righettodAdded: Nov 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Akuiteo"})Description
Akuiteo products was detected.
Alamos GmbH Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Alamos GmbH \\| FE2"})Description
Alamos GmbH panel was detected.
Alcatel-Lucent OmniPCX - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)omnipcx for enterprise"})Description
The OmniPCX web interface has a script "masterCGI" with a remote command execution vulnerability via the "user" parameter.
Impact
Any user with access to the web interface could execute arbitrary commands with the permissions of the webservers.
Remediation
Update to supported versions that filter shell metacharacters in the "user" parameter.
Alfresco - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Alfresco"}) && service["http.body"] contains "/share/res/js/alfresco"Description
Detected Alfresco Content Services was found to have been using the default administrator credentials (admin:admin). An attacker could have gained full administrative access to manage content, users, and repository configuration.
Alfresco Content App Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Alfresco Content App"})Description
Alfresco Content App panel was detected.