ncurran/exploits
exploits

Public proof-of-concept exploits for CVEs I've reverse-engineered or researched.

Each exploit is a self-contained script that takes the target as a command-line argument. Use against authorised targets only (written permission, your own lab, etc.). No exploit in this repo is intended for unauthorised use.

What's in here

Every exploit published in this repository meets all of the following before it appears here:

  • Original research — developed independently from my own patch reverse-engineering, prior to any other public proof-of-concept for the CVE.
  • Tested — confirmed working.
  • Embargoed at least 30 days from the date the exploit was developed, often much longer depending on what's still out there unpatched.

Published

CVE-2026-43975 — Apache Wicket FolderUploadsFileManager path traversal

Apache Wicket 8.0.0–8.17.0, 9.0.0–9.22.0 and 10.0.0–10.8.0 build file-upload paths in FolderUploadsFileManager by concatenating the attacker-controlled uploadId query parameter (and the multipart filename) into the destination path without normalization. Traversal segments (..) in either value escape the intended upload folder, giving arbitrary file write — and read — as the JVM user. No authentication is required by the component itself; exploitability depends on the application having mounted a FileUploadResourceReference backed by FolderUploadsFileManager.
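For comparison, here is the unsafe concatenation pattern described above next to a join that keeps the result inside the configured upload root. This is an added example, not Apache Wicket's code or the exploit from this repository; the names UPLOAD_ROOT, upload_id and filename are illustrative, and the root path is constructed.

```python
"""Safe construction of an upload destination from untrusted components.

Added example (not Apache Wicket's code): contrasts verbatim string
concatenation of request-controlled values with a join that rejects any
component that could leave the upload root.
"""
from pathlib import Path, PurePosixPath

UPLOAD_ROOT = Path("/srv/app/uploads")  # constructed example root


class UnsafePath(ValueError):
    """Raised when a request-supplied component would leave the root."""


def unsafe_join(root: Path, upload_id: str, filename: str) -> str:
    """The vulnerable pattern: untrusted segments concatenated as-is.

    Nothing stops '..' or an absolute path from changing the target.
    """
    return f"{root}/{upload_id}/{filename}"


def safe_join(root: Path, upload_id: str, filename: str) -> Path:
    """Build root/upload_id/filename, refusing anything that escapes root."""
    for part in (upload_id, filename):
        pure = PurePosixPath(part)
        # Each parameter must be exactly one plain path component:
        # non-empty, relative, no separators, not a dot segment, no
        # backslashes (Windows separators) and no NUL bytes.
        if (
            not part
            or pure.is_absolute()
            or len(pure.parts) != 1
            or part in (".", "..")
            or "\\" in part
            or "\0" in part
        ):
            raise UnsafePath(f"rejected path component: {part!r}")

    root_resolved = root.resolve()
    candidate = (root_resolved / upload_id / filename).resolve()
    # The lexical checks above already exclude traversal; this containment
    # check additionally catches symlinks that resolve() would follow.
    if root_resolved not in candidate.parents:
        raise UnsafePath(f"escapes upload root: {candidate}")
    return candidate


def is_rejected(root: Path, upload_id: str, filename: str) -> bool:
    """Convenience predicate: True when safe_join refuses the input."""
    try:
        safe_join(root, upload_id, filename)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", unsafe_join(UPLOAD_ROOT, "../../etc", "passwd"))
    print("safe:  ", safe_join(UPLOAD_ROOT, "abc123", "report.pdf"))
    print("traversal rejected:", is_rejected(UPLOAD_ROOT, "../../etc", "passwd"))
```

The design point is that a single request parameter should never be allowed to contribute more than one path component; validating that property up front is simpler and easier to audit than trying to strip ".." after the fact.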

CVE-2026-41059 — OAuth2 Proxy skip-auth allowlist bypass

OAuth2 Proxy 7.5.0 through 7.15.1 has a configuration-dependent authentication bypass in its skip_auth_routes / skip_auth_regex allowlist matching. The proxy matches a request path that still contains %23, while the upstream treats %23 as a # fragment delimiter and routes a shorter path — so a crafted /<protected>%23<public-suffix> can match a permissive public rule while the backend serves a protected resource. Exploitable only when an operator's skip-auth pattern uses a wildcard spanning a / boundary.
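The following is an added example, not OAuth2 Proxy's code or the exploit from this repository. It shows why a skip-auth rule evaluated against the raw request path can disagree with the path a backend routes on once %23 is decoded to a fragment delimiter, gives a hardened matcher that decides on the normalized path and fails closed when the raw path carries an encoded delimiter, and audits constructed access-log lines for requests where the two decisions diverge. The rule SKIP_AUTH_RULE and the log lines are constructed for illustration.

```python
"""Skip-auth allowlist matching: raw path versus the path the upstream sees.

Added example (not OAuth2 Proxy's code). SKIP_AUTH_RULE is a constructed
operator rule whose wildcard spans a '/' boundary, the configuration the
advisory above names as the exploitable case.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed rule: '.*' spans '/' boundaries.
SKIP_AUTH_RULE = re.compile(r"^/api/.*/public$")

# Percent-encoded '#', '?' and '/' : proxies and backends routinely
# disagree on whether these are data or delimiters.
ENCODED_DELIMITERS = re.compile(r"%(?:23|3[fF]|2[fF])")

# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /api/docs/public HTTP/1.1" 200',
    '10.0.0.9 - - "GET /api/admin/users%23/public HTTP/1.1" 200',
    '10.0.0.7 - - "GET /api/admin/users HTTP/1.1" 403',
]
_REQUEST_PATH = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|PATCH) (\S+) HTTP/')


def upstream_path(raw_path: str) -> str:
    """Path a backend routes on after percent-decoding and dropping the fragment."""
    decoded = unquote(raw_path)
    return urlsplit(decoded).path


def naive_skip_auth(raw_path: str) -> bool:
    """Vulnerable pattern: the allowlist regex sees the raw, undecoded path."""
    return SKIP_AUTH_RULE.search(raw_path) is not None


def hardened_skip_auth(raw_path: str) -> bool:
    """Decide on the normalized path; fail closed on encoded delimiters."""
    if ENCODED_DELIMITERS.search(raw_path):
        return False  # never skip auth for a path the backend may reinterpret
    return SKIP_AUTH_RULE.search(upstream_path(raw_path)) is not None


def audit_log_lines(lines):
    """Return request paths the naive rule would have let through but the
    hardened rule would not: candidates for review in existing logs."""
    flagged = []
    for line in lines:
        match = _REQUEST_PATH.search(line)
        if not match:
            continue
        path = match.group(1)
        if naive_skip_auth(path) and not hardened_skip_auth(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in ("/api/docs/public", "/api/admin/users%23/public"):
        print(path, "->", upstream_path(path),
              "naive:", naive_skip_auth(path),
              "hardened:", hardened_skip_auth(path))
    print("flagged:", audit_log_lines(SAMPLE_LOG))
```

Two defensive takeaways follow from the code: the allowlist decision must be taken on the same representation of the path that the upstream routes on, and an operator reviewing their own configuration can run the audit over historical access logs to see whether any request would have been treated differently by the two matchers.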

CVE-2025-62166 — FreshRSS authentication bypass

FreshRSS < 1.28.0 does not authenticate requests that supply an &user=<name>&token=bypass query string to its RSS / OPML export endpoints. Anyone can read any user's RSS subscriptions and feed contents without credentials.


Naming convention

cve-YYYY-NNNNN.py — always dashes, always the exact CVE ID.

License

Apache 2.0 — see the LICENSE file.
