CVE-2026-9082 is a SQL injection vulnerability in Drupal Core when Drupal uses PostgreSQL. The vulnerable PostgreSQL Entity Query condition handling can place attacker-controlled array keys into PDO placeholder names, allowing raw SQL to reach PostgreSQL from anonymous HTTP entry points that build entity queries. In exposed configurations, this can lead to arbitrary SQL execution, data disclosure, privilege escalation, and, when the PostgreSQL role has sufficient privileges, remote code execution. The affected Drupal Core versions are 8.9.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8, 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, and 11.3.0 through 11.3.9, only for sites using PostgreSQL. This module targets the JSON:API filter entry point. It automatically discovers a usable JSON:API resource and filter field, validates the SQL injection by leaking PostgreSQL context, and commits CVE-2026-9082 when the primitive is confirmed. If the PostgreSQL role is superuser, the module writes an Impact agent and an embedded PostgreSQL preload library through large objects, updates PostgreSQL preload settings, reloads the configuration, and launches the agent from a fresh PostgreSQL backend. If the role is not superuser, the module collects bounded PostgreSQL and Drupal evidence, then finishes gracefully after reporting that agent deployment is not possible.
This module exploits Fragnesia, a local privilege escalation vulnerability in the Linux kernel XFRM ESP-in-TCP subsystem. The vulnerability can be abused to corrupt cached pages of read-only privileged files through kernel networking components. The trigger binary temporarily corrupts the page-cache contents of "/usr/bin/su" with a small ELF launcher that executes a caller-supplied custom ELF as root. The module uses this mechanism to execute a generated Core Impact agent ELF. The module uploads the Fragnesia trigger binary and a generated Core Impact agent ELF with random names to the temporary directory given in the TMP_DIR parameter. If no parameter is provided, the module will use "/tmp" as the default value. The exploit is executed as the uploaded trigger binary with the uploaded agent path as its custom ELF argument. Once the attack is complete, a new Core Impact agent will be deployed on the target system with root user privileges. After the new agent connects, the module attempts to drop filesystem caches with the "sysctl" command and removes the uploaded trigger and agent binaries.
This module verifies CVE-2026-41940, an authentication bypass vulnerability affecting cPanel and WHM. The issue can be triggered by injecting CRLF-controlled values through an HTTP Basic Authorization header, allowing a pre-authenticated WHM session file to be poisoned and later accepted as an authenticated root WHM session. The module first discovers the canonical cPanel hostname, requests a pre-authenticated WHM session cookie, sends the crafted Authorization payload with that session cookie, and extracts the resulting cpsess token from the WHM redirect. After obtaining the cpsess token, the module triggers WHM session propagation and verifies the bypass by reaching the authenticated WHM JSON API version endpoint. Successful access to that endpoint confirms that authenticated WHM API access was reached through the bypass. Once verified, the module attempts to create a cPanel account using the USERNAME, PASSWORD, and DOMAIN parameters. If those values are not provided, the module generates safe defaults for the username, password, and domain. Successfully created credentials are stored in an Impact Identity for later use. If the LIST USERS parameter is enabled, the module also queries WHM json-api/listaccts and reports the cPanel usernames returned by the target.
This module exploits an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve arbitrary code execution with SYSTEM privileges. The vulnerability resides in the HsmOsBlockPlaceholderAccess routine and abuses the Cloud Files abort hydration path to create attacker-controlled registry keys in the .DEFAULT user hive without proper access checks. MiniPlasma is the same issue previously tracked as CVE-2020-17103, which was reported by Google Project Zero and later claimed to be patched, but it remains exploitable on current Windows builds. The exploit performs the following steps: 1. Creates a controlled Cloud Files synchronization root and uses the abort hydration path to trigger the race condition. 2. Redirects privileged registry key creation into the .DEFAULT user hive. 3. Abuses the writable .DEFAULT Volatile Environment registry key to control the windir environment used by a SYSTEM process. 4. Triggers the elevated process to launch a CORE Impact agent with SYSTEM privileges in the target user's interactive session.
A local unprivileged user can coerce "cupsd" into authenticating to an attacker-controlled localhost IPP service with a reusable "Authorization: Local" token. That token is enough to drive "/admin/" requests on "localhost", and the attacker can combine "CUPS-Create-Local-Printer" with "printer-is-shared=true" to persist a "file:///" queue even though the normal "FileDevice" policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite, which allows root command execution. This module uses this vulnerability to escalate privileges and deploy a new agent that will run with root user privileges. The module starts a local capture server on the port given by the CAPTURE_PORT parameter. If no parameter is provided, the module will use 9189 as the default port value. The IPP port can also be set with the IPP_PORT parameter. If no parameter is provided, the module will use 631 as the default port value. The module then finds and uses the "ipptool" executable to trigger the local admin print that leaks the auth token. The module will try to leak the token up to 5 times. Once the token is leaked, the module will create a temporary directory and upload the trigger and agent executables. It will then locate the "sudo" and "whoami" executables and trigger the vulnerability to create a file inside the "/etc/sudoers.d/" directory that allows the current user to run the "sudo" command without a password. If the attack succeeds, the agent will be executed via "sudo", which will deploy a new agent with root user privileges. Once the agent is deployed, the module will delete the trigger executable and the file it created in the "/etc/sudoers.d/" directory.
This module exploits DirtyFrag, a local privilege escalation vulnerability chain in the Linux kernel that can corrupt cached pages of privileged files through kernel networking components. The trigger binary supports two exploitation paths. The ESP path temporarily corrupts the page-cache contents of "/usr/bin/su" with a small ELF launcher that executes a caller-supplied custom ELF as root. The rxrpc/rxkad path temporarily corrupts the page-cache contents of "/etc/passwd" to allow passwordless root authentication through "su" and then executes the supplied custom ELF. Before running either path, the trigger binary creates a temporary full backup of the target file it may corrupt. The ESP path restores "/usr/bin/su" from its backup after the patched "su" process is launched. The rxrpc/rxkad path restores "/etc/passwd" from its backup and removes that backup before handing execution to the custom ELF. The module uploads the DirtyFrag trigger binary and a generated Core Impact agent ELF with random names to the temporary directory given in the TMP_DIR parameter. If no parameter is provided, the module will use "/tmp" as the default value. The exploit is executed as the uploaded trigger binary with the uploaded agent path as its custom ELF argument. Once the attack is complete, a new Core Impact agent will be deployed on the target system with root user privileges. After the new agent connects, the module attempts to drop filesystem caches with the "sysctl" command and removes the uploaded trigger and agent binaries.
This module abuses Jolokia access to invoke the ActiveMQ Broker MBean addNetworkConnector operation. The crafted connector uses the VM transport brokerConfig option to load a Spring XML document from the IMPACT web server. The XML instantiates java.lang.ProcessBuilder and executes the agent deployment command sequence. The exploitation process performs the following steps: 1. Starts the IMPACT web server and registers a randomized Spring XML payload path. 2. Checks that the target Jolokia endpoint is reachable with the configured credentials. 3. Discovers the ActiveMQ broker name through Jolokia, or uses the configured broker name when provided. 4. Builds a malicious network connector URI using vm:// and brokerConfig=xbean to reference the Spring XML payload hosted by IMPACT. 5. Sends a Jolokia exec request to call addNetworkConnector(java.lang.String) on the ActiveMQ Broker MBean. 6. Waits for the target to fetch the Spring XML payload and execute the generated agent deployment command sequence. The deployed agent will run with the same privileges as the Apache ActiveMQ service.
This module exploits CVE-2026-33017 by abusing Langflow's public temporary flow build endpoint to inject and execute a custom component. The component runs operating system commands through the Langflow Python process. If a known public FLOW ID is provided, the module uses it. Otherwise, when AUTO_LOGIN is enabled on the target, the module uses AUTO_LOGIN to obtain an access token and automatically create a public Langflow flow. The module then submits a crafted temporary custom component to the /api/v1/build_public_tmp/{flow_id}/flow endpoint and reads the command output back through Langflow build events. When DEPLOY OSCI AGENT is enabled, the module commits an OSCI agent that reuses the same Langflow primitive to relaunch commands later. When DEPLOY NETWORK AGENT is enabled, the module stages an Impact payload from the embedded web server and launches it through the vulnerable Langflow service. The module polls Langflow job events to track execution and confirm whether command execution or agent deployment succeeded. The deployed agent will run with the privileges of the Langflow service account.
This module exploits an incorrect 'in-place operation' vulnerability in the Linux kernel's algif_aead cryptographic algorithm interface by abusing the authencesn AEAD wrapper to deploy a network agent. The vulnerability overwrites the kernel's cached pages of a given SUID file. The module will upload a trigger binary for the vulnerability to the temporary directory given in the TMP_DIR parameter. If no parameter is provided, the module will use "/tmp" as the default value. The SUID binary given in the TARGET_SUID_BINARY parameter will be used for the attack. If no parameter is provided, the module will use "/usr/bin/su" as the default value. Once the attack is complete, a new Core Impact agent will be deployed on the target system that will run with root user privileges. Finally, the module will use the "sysctl" command to drop the corrupted page cache and restore the original file contents.
This module authenticates to the Zabbix JSON-RPC API with the supplied account, discovers the remote API version, and attempts SQLi-based administrator session extraction through CUser::addRelatedObjects(), reachable from the user.get method. CVE-2024-42327 does not require an administrator account. A non-admin user with the default User role, or any role with API access, can reach the vulnerable user.get API path. The affected Zabbix application versions are 6.0.x before 6.0.32rc1, 6.4.x before 6.4.17rc1, and 7.0.x before 7.0.1rc1. When SQLi session extraction succeeds, the module uses the extracted session to check whether Zabbix system.run is enabled and installs a Core Impact agent only if system.run is enabled. The module performs the following steps: 1. Discovers a reachable Zabbix JSON-RPC API endpoint and reads the remote version. 2. Authenticates with the supplied Zabbix credentials. 3. Checks whether the detected version is within the publicly affected CVE-2024-42327 ranges. 4. Attempts to extract an administrator session through SQLi-based timing checks. 5. Commits CVE-2024-42327 when administrator session extraction succeeds. 6. Uses the extracted session to resolve the target host and interface context. 7. Checks whether Zabbix system.run is enabled on the target Zabbix agent. 8. Installs a Core Impact agent through system.run only when that capability is available. 9. Removes temporary Zabbix items created during probing or deployment.