Tue 07 April 2026
A technical deep dive into the discovery of an unauthenticated zero-day vulnerability in the Ninja Forms - File Uploads WordPress extension, which allows arbitrary file uploads, remote code execution, and full server compromise.
Thu 26 September 2024
An authentication bypass vulnerability was found in the Jupiter X Core plugin <= 4.7.5 (CVE-2024-7781).
A pre-authentication remote code execution vulnerability was found in the Jupiter X Core plugin <= 4.6.5 (CVE-2024-7772).
Wed 12 January 2022
We identified a vulnerability in SPIP's SQL engine, which allowed us to access the backoffice of the hacking platform Root-Me.
Fri 29 March 2019
Several flaws have been identified in the latest version of Magento 2, allowing an attacker to obtain complete control over the server. We're now releasing the exploit for the unauthenticated SQL injection. We'll release the details for the RCE vulnerability at a later time.
Mon 16 July 2018
PrestaShop 1.6.1.19 sessions can be read and written by an attacker, resulting in a range of vulnerabilities including privilege escalation and remote code execution.