CVE-2026-9082 is a SQL injection vulnerability in Drupal Core when Drupal uses PostgreSQL. The vulnerable PostgreSQL Entity Query condition handling can place attacker-controlled array keys into PDO placeholder names, allowing raw SQL to reach PostgreSQL from anonymous HTTP entry points that build entity queries. In exposed configurations, this can lead to arbitrary SQL execution, data disclosure, privilege escalation, and, when the PostgreSQL role has sufficient privileges, remote code execution. The affected Drupal Core versions are 8.9.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8, 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, and 11.3.0 through 11.3.9, only for sites using PostgreSQL. This module targets the JSON:API filter entry point. It automatically discovers a usable JSON:API resource and filter field, validates the SQL injection by leaking PostgreSQL context, and commits CVE-2026-9082 when the primitive is confirmed. If the PostgreSQL role is superuser, the module writes an Impact agent and an embedded PostgreSQL preload library through large objects, updates PostgreSQL preload settings, reloads the configuration, and launches the agent from a fresh PostgreSQL backend. If the role is not superuser, the module collects bounded PostgreSQL and Drupal evidence, then finishes gracefully after reporting that agent deployment is not possible.
NGINX Plus and NGINX Open Source have a heap overflow vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the "rewrite" directive with a query string is followed (in the same location) by the "if" or "set" directive with an unnamed Perl-Compatible Regular Expression (PCRE) capture. An unauthenticated attacker, under conditions beyond their control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. This module will first check whether the endpoint given in the ENDPOINT parameter is present. If no parameter is provided, the module will use "/api" as the default value. Then it will send an HTTP request to the endpoint to cause the DoS and try to determine whether the attack was successful.
This module verifies CVE-2026-41940, an authentication bypass vulnerability affecting cPanel and WHM. The issue can be triggered by injecting CRLF-controlled values through an HTTP Basic Authorization header, allowing a pre-authenticated WHM session file to be poisoned and later accepted as an authenticated root WHM session. The module first discovers the canonical cPanel hostname, requests a pre-authenticated WHM session cookie, sends the crafted Authorization payload with that session cookie, and extracts the resulting cpsess token from the WHM redirect. After obtaining the cpsess token, the module triggers WHM session propagation and verifies the bypass by reaching the authenticated WHM JSON API version endpoint. Successful access to that endpoint confirms that authenticated WHM API access was reached through the bypass. Once verified, the module attempts to create a cPanel account using the USERNAME, PASSWORD, and DOMAIN parameters. If those values are not provided, the module generates safe defaults for the username, password, and domain. Successfully created credentials are stored in an Impact Identity for later use. If the LIST USERS parameter is enabled, the module also queries WHM json-api/listaccts and reports the cPanel usernames returned by the target.
This module authenticates to the Zabbix JSON-RPC API with the supplied account, discovers the remote API version, and attempts SQLi-based administrator session extraction through CUser::addRelatedObjects(), reachable from the user.get method. CVE-2024-42327 does not require an administrator account. A non-admin user with the default User role, or any role with API access, can reach the vulnerable user.get API path. The affected Zabbix application versions are 6.0.x before 6.0.32rc1, 6.4.x before 6.4.17rc1, and 7.0.x before 7.0.1rc1. When SQLi session extraction succeeds, the module uses the extracted session to check whether Zabbix system.run is enabled and installs a Core Impact agent only if system.run is enabled. The module performs the following steps:
1. Discovers a reachable Zabbix JSON-RPC API endpoint and reads the remote version.
2. Authenticates with the supplied Zabbix credentials.
3. Checks whether the detected version is within the publicly affected CVE-2024-42327 ranges.
4. Attempts to extract an administrator session through SQLi-based timing checks.
5. Commits CVE-2024-42327 when administrator session extraction succeeds.
6. Uses the extracted session to resolve the target host and interface context.
7. Checks whether Zabbix system.run is enabled on the target Zabbix agent.
8. Installs a Core Impact agent through system.run only when that capability is available.
9. Removes temporary Zabbix items created during probing or deployment.
rtsold passes unvalidated domain search list options from router advertisement messages directly to the resolvconf shell script, which fails to properly quote its input. This allows an attacker on the local network to inject arbitrary shell commands that are executed with root privileges when the vulnerable system processes a malicious router advertisement. The deployed network agent will run with root privileges. The exploit performs the following steps:
1. Builds the Ethernet envelope to ensure the data travels without OS restrictions.
2. Generates a fake Router Advertisement message to trick the victim into thinking the attacker is a legitimate gateway.
3. Calculates a checksum so the target's kernel accepts the packet as valid.
4. Hides malicious commands inside DNS configuration options using a specific format that triggers execution on FreeBSD.
The vulnerability exists in the WebObjects request handling mechanism of SolarWinds Web Help Desk, where improper validation of the badparam parameter allows attackers to bypass authentication controls. The exploit performs the following steps:
1. Connects to SolarWinds Web Help Desk and retrieves initial session cookies.
2. Searches through headers, cookies, and HTML for the WebObjects session identifier.
3. Accesses a special route with manipulated 'badparam' parameters to test the bypass.
4. Exploits the improperly validated 'badparam' parameter to bypass login and obtain an admin session.
5. Creates a persistent URL that allows direct unauthorized access to the administrative panel.
This module exploits an unauthenticated arbitrary file upload in SmarterMail. The vulnerability consists of the arbitrary upload of a non-binary file (asp, html, txt, etc.) to any location on the target machine without user authentication. However, the SmarterMail server listening on port 9998 (running as SYSTEM) only stores the file and cannot execute ASPX files. If the IIS server on port 80 is active, the file can instead be written to the root directory of that server and executed through it, with the permissions of the IIS user (a High Integrity Level user). The exploit first verifies that the target SmarterMail service is active and listening on its default administrative port, TCP/9998. It crafts a specially formed multipart/form-data POST request containing a malicious ASPX web shell. The request exploits an improper input validation vulnerability to perform directory path traversal (e.g., using sequences like ../../../). This bypasses the intended upload directory restrictions, allowing the file to be written to critical locations such as:
1. The SmarterMail web root (e.g., /interface/app/authentication/)
2. The root directory of the IIS web server hosting the application.
After a successful upload, the module verifies the shell's deployment by sending an HTTP GET request to access the uploaded .aspx file. Primary access is attempted via the SmarterMail service on port 9998. A second check is performed via the standard IIS web service on port 80 (if listening). The web shell is designed to execute operating system commands passed via HTTP query parameters and return the command output within the HTTP response. As a demonstration of post-exploitation capabilities, if port 80 is listening, the module can optionally deploy a fileless Core Impact agent through an HTA.
MongoDB Server is vulnerable to a memory disclosure flaw due to improper validation of length parameters in Zlib-compressed protocol headers. This vulnerability allows unauthenticated remote attackers to read sensitive information from server memory. This module will check whether the target machine is vulnerable and will try to dump memory contents to the Module Log window and also write them to a file. This memory dump may contain sensitive data, as explained above. This module performs the following steps:
1. Establishes a TCP connection to the target MongoDB server on port 27017.
2. Sends crafted malicious packets containing BSON documents with intentionally inflated length values: Zlib-compressed OP_MSG messages wrapped in OP_COMPRESSED headers with a crafted buffer size.
3. Iterates through document lengths.
4. Extracts and collects leaked memory from server error responses.
5. Shows the collected memory leaks in the module output and saves them to disk (if an output folder is specified) for further analysis.
This module exploits an access control issue in Windows SMB clients to deploy a remote agent with SYSTEM privileges through a multi-stage attack chain:
1. DNS Injection: Adds a malicious DNS record 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' via LDAP to the domain controller, pointing to the attacker's IP address.
2. NTLM Relay: Starts an ntlmrelayx server that waits for SMB authentication attempts and relays them to install an agent with SYSTEM privileges on the target system.
3. RPC Coercion: Forces the victim system to authenticate to the attacker-controlled DNS name using coercion techniques.
Domain credentials from a regular user are required. The deployed agent gains SYSTEM privileges, allowing complete control of the compromised system. Affected versions:
- Windows 10 21H2 with OS build less than 19044.5965
- Windows 10 22H2 with OS build less than 19045.5965
- Windows 11 22H2 with OS build less than 22621.5472
- Windows 11 23H2 with OS build less than 22631.5472
- Windows 11 24H2 with OS build less than 26100.4349
- Windows Server 2019 with OS build less than 17763.7434
- Windows Server 2022 with OS build less than 20348.3807
This module exploits an authentication bypass vulnerability combined with a buffer overflow in Cisco Secure ASA to cause a denial of service. First, the module will check whether the target is vulnerable to the authentication bypass. If the target is vulnerable, it will proceed to cause the denial of service.