PoC Week 2025-06-30
The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.
CVE-2025-50201
- Severity: 9.8 CRITICAL
- Impacted Products: WeGIA < 3.4.2
- Description: WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, an OS Command Injection vulnerability was identified in the /html/configuracao/debug_info.php endpoint. The branch parameter is not properly sanitized before being concatenated and executed in a shell command on the server’s operating system. This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user (www-data). This issue has been patched in version 3.4.2.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-50201
- PoC: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-52p5-5fmw-9hrf
CVE-2025-49132
- Severity: 10 CRITICAL
- Impacted Products: Pterodactyl < 1.11
- Description: Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel’s server, read credentials from the Panel’s config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-49132
- PoC: https://www.exploit-db.com/exploits/52341
CVE-2025-46157
- Severity: 10 CRITICAL
- Impacted Products: EfroTech Time Trax v.1.0
- Description: An issue in EfroTech Time Trax v.1.0 allows a remote attacker to execute arbitrary code via the file attachment function in the leave request form.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-46157
- PoC: https://github.com/morphine009/CVE-2025-46157/blob/main/README.md
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections or omissions (e.g. newsletter recommendations), feel free to get in touch.