30
Findings
205
Queries
30 of 30 findings (205 queries)
Loading findings…
Best Practice
finding:rz-finding-best-practiceSource queries (1)
Low HTTP Directory Indexing Enabled
The web server is configured to show directory listings when no default web page is present. This can expose sensitive information about the server’s content to attackers.
]]>2,665
Templates
1,089
CVEs Covered
3
Scan Categories
2665 of 2665 templates
Loading templates…
.NET Framework - Leaking ObjRefs via HTTP .NET Remoting
runzero-match
service["http.head.server"] matches "(?i)ms .net remoting"Description
.NET Framework Information Disclosure Vulnerability
Impact
Attackers can exploit leaked ObjRefs to access remote objects via .NET Remoting, potentially gaining unauthorized access to application data.
Remediation
Apply security patches for .NET Framework addressing CVE-2024-29059.
1 Click WordPress Migration <= 2.2 - Unauthenticated Information Disclsoure
Author: pussycat0xAdded: Feb 7, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/1-click-migration/"Description
1 Click WordPress Migration <= 2.2 contains an information disclosure caused by uncleared debug information, letting attackers retrieve embedded sensitive data, exploit requires no specific privileges.
Impact
Attackers can access sensitive embedded data, potentially leading to information disclosure and further exploitation.
Remediation
Remove debug information and update to the latest version of 1 Click WordPress Migration.
1Password SCIM Bridge - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)1Password SCIM Bridge Login"})Description
1Password SCIM Bridge Login was detected.
3COM NJ2000 - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "ManageEngine Password"})Description
3COM NJ2000 contains a default login vulnerability. Default admin login password of 'password' was found. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
3CX Phone System Management Console - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3cx webclient"}) || any(each(service["html.titles"]), {# matches "(?i)3cx phone system management console"}) || service["favicon.ico.image.mmh3"] == "970132176"Description
3CX Phone System Management Console panel was detected.
3CX Phone System Web Client Management Console - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3cx webclient"}) || any(each(service["html.titles"]), {# matches "(?i)3cx phone system management console"}) || service["favicon.ico.image.mmh3"] == "970132176"Description
3CX Phone System Web Client Management Console panel was detected.
3Com Wireless 8760 Dual Radio - Default Login
Author: ritikchaddhaAdded: Apr 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3COM"})Description
3COM Wireless 8760 Dual Radio contains a default login vulnerability. Default admin login password 'password' was found.
3ware Controller 3DM2 - Default Login
Author: ritikchaddhaAdded: Apr 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)3ware"})Description
The default password for logging in to the 3DM2 web interface of a 3ware controller is "3ware" for both the Administrator and User accounts.
74cms - ajax_common.php SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying database.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_common.php file.
74cms - ajax_officebuilding.php SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_officebuilding.php file.
74cms - ajax_street.php 'key' SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 'key' parameter of ajax_street.php in 74cms.
74cms - ajax_street.php 'x' SQL Injection
runzero-match
service["http.body"] matches "(?i)74cms"Description
SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the underlying database.
Remediation
Apply the vendor-provided patch or update to the latest version of 74cms to mitigate the SQL Injection vulnerability.
AC Centralized Management System - Default password
Author: SleepingBag945Added: Sep 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)安网科技-智能路由系统"})Description
AC Centralized Management System default login credentials were discovered.
AC Smart II - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Doc/WebLogin\\.asp"Description
AC Smart II contains an authentication bypass caused by a hidden password reset form that can be manipulated to change the administrator password without verifying login or permissions, letting attackers change admin passwords without authorization.
Impact
Attackers can change the administrator password without authorization, leading to full system takeover.
Remediation
Update to the latest version that properly verifies login status and user permissions before password reset.
ACME Challenge Path - Reflected Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)acme-challenge"Description
Detects XSS vulnerabilities in ACME http-01 challenge implementations where hosting providers reflect the challenge key from the URL without proper sanitization
ACTi Video Monitoring Panel - Detection
Author: DhiyaneshDkAdded: Aug 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Web Configurator"})AIC Intelligent Campus System - Password Exposure
Author: SleepingBag945Added: Sep 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AIC智能校园系统"})Description
Due to the design logic defects, the super password is leaked, which can kill more than 40 campus systems.<br>
AJ-Report < 1.4.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AJ-Report"})Description
AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules functionality.
Impact
Unauthenticated attackers can bypass authentication and execute arbitrary Java code on the server through script engine injection, achieving complete system compromise and access to all application data.
Remediation
Upgrade to AJ-Report version 1.4.1 or later which includes security fixes.
AKHQ Panel - Detect
Author: DhiyaneshDKAdded: Apr 8, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "855432563"Description
AKHQ Panel was discovered.
AMD Pensando PSM - Default Login
Author: tpierruAdded: Aug 20, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1907840597"Description
The AMD Pensando Policy and Services Manager used a default password for the admin account.This allowed instances to be accessed using the default credentials.
AMR Printer Management Dashboard - Exposure
Author: ritikchaddhaAdded: Sep 17, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AMR Printer Management"})Description
Unauthorized access to the AMR Printer Management dashboard was possible, potentially exposing sensitive printer configuration and management interfaces without proper authentication.
APC Rack PDU Default Login
Author: tdiderichAdded: Aug 26, 2025
runzero-match
asset["hw"] matches `Schneider\s+Electric` || asset["os"] matches `Schneider\s+Electric\s+AOS` || any(each(service["html.titles"]), {# matches `APC \| Log On`})Description
APC Rack PDU with default administrator credentials discovered.
ARL Default Admin Login
runzero-match
service["http.url"] contains ":5003/" && service["http.body"] contains "Powered by TCC" && service["http.body"] contains "ARL"Description
An ARL default admin login was discovered.
ARRIS Touchstone Telephony Modem - Panel Detect
runzero-match
service["http.body"] matches "(?i)phy\\.htm"Description
ARRIS Touchstone Telephony Modem status panel was detected.
ASUS AiCloud Panel - Detect
Author: ritikchaddhaAdded: Jun 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AiCloud"})Description
ASUS AiCloud Panel was detected.
ASUS RT-N16 - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="RT-N16'})Description
ASUS RT-N16 contains a default login vulnerability. Default admin login password 'admin' was found.
ASUS WL-500G - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# matches '(?i)realm="WL-500G'})Description
ASUS WL-500 contains a default login vulnerability. Default admin login password 'admin' was found.
ASUS WL-520GU - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="WL-520GU'})Description
ASUS WL-520GU contains a default login vulnerability. The default admin login password 'admin' was found.
ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ASUSTOR"Description
ASUSTOR ADM version 3.1.0.RFQ3 is vulnerable to SQL injection via the album_id parameter in the /photo-gallery/api/album/tree_lists/ endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database, potentially leading to information disclosure or further compromise of the affected system.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire ASUSTOR ADM system and accessing stored data.
Remediation
Upgrade to a patched version of ASUSTOR ADM or apply vendor-provided security updates.
ATutor < 2.2.1 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)atutor"Description
ATutor < 2.2.1 was discovered with a vulnerability, a reflected cross-site scripting (XSS), in ATtutor 2.2.1 via token body parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
Remediation
Upgrade ATutor to version 2.2.2 or above to mitigate this vulnerability.
AVEVA Edge SCADA - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `content\s*=\s*"AVEVA Edge"`Description
AVEVA Edge SCADA web interface panel has been detected.
AVEVA InTouch Access Anywhere - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)InTouch Access Anywhere Server"Description
Detected AVEVA InTouch Access Anywhere was a secure gateway that provided browser-based remote access to InTouch HMI applications over the internet. It was widely used in industrial process control, utilities, and manufacturing environments. Exposed instances may have provided access to industrial HMI displays and SCADA interfaces.
AVM FRITZ!Box 7530 AX - Unauthorized Access
runzero-match
service["http.body"] matches "(?i)FRITZ!Box 7530"Description
An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication.
Impact
Unauthenticated attackers can access sensitive device information including firmware version, serial numbers, and configuration details through the boxinfo XML endpoint.
Remediation
Update AVM FRITZ!Box 7530 AX to a version later than 7.59 that addresses the unauthorized access vulnerability.
AVTECH DVR - Login Verification Code Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH DVR products are vulnerable to verification code bypass just by entering the "login=quick" parameter to bypass verification code.
Impact
Attackers can bypass authentication mechanisms and gain unauthorized access to the DVR system, potentially viewing camera feeds, modifying settings, or compromising the device.
Remediation
Update to the latest firmware version or contact the vendor for a security patch.
AVTECH DVR - SSRF
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH DVR device, Search.cgi can be accessed directly. Search.cgi is responsible for searching and accessing cameras in the local network. Search.cgi provides the cgi_query function.
AVTECH Room Alert Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Room Alert"})Description
AVTECH Room Alert login panel was detected.
AVTECH Video Surveillance Product - Authentication Bypass
Author: ritikchaddhaAdded: May 15, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH Video Surveillance Products password disclosure through /cgi-bin/user/Config.cgi.
AVTECH Video Surveillance Product - Unauthenticated File Download
Author: ritikchaddhaAdded: May 15, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" product:\"Avtech"})Description
AVTECH video surveillance products unauthenticated file download from web root through /cgi-bin/cgibox, Since the .cab string is verified by the strstr method, the file download can be realized by adding ?.cab at the end of the file name.
AVideo <= 26.0 - WWBN AVideo - Remote Code Execution
Author: pussycat0xAdded: Apr 8, 2026
runzero-match
service["http.body"] matches "(?i)AVideo"Description
WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution.
Impact
Unauthenticated attackers can execute arbitrary system commands, leading to full server compromise.
Remediation
Update to the version including commit c85d076375fab095a14170df7ddb27058134d38c or later.
AWS EC2 Auto Scaling Lab
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["http.body"] matches "(?i)AWS EC2 Auto Scaling Lab"AWS Elastic Beanstalk Dockerrun.aws.json - Exposure
runzero-match
service["http.body"] matches "(?i)AWSEBDockerrunVersion"Description
Detected AWS Elastic Beanstalk Dockerrun.aws.json configuration file was publicly accessible, potentially revealing Docker container definitions, image names, hostnames, port mappings, and infrastructure details.
AWStats <= 7.5 - Full Path Disclosure
runzero-match
service["product"] contains "Laurent Destailleur:AWStats"Description
AWStats 7.6 contains a full path disclosure caused by improper handling of framename and update parameters in awstats.pl, letting remote attackers determine server file paths, exploit requires sending crafted parameters.
Impact
Attackers can discover server file paths, aiding further exploitation or reconnaissance.
Remediation
Update to the latest version of AWStats or apply security patches addressing this issue.
Abandoned Cart Lite for WooCommerce < 5.2.0 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/woocommerce-abandoned-cart/"Description
The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping.
Impact
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.
Remediation
Fixed in 5.2.0
Academy LMS 6.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)academy lms"Description
A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Impact
Unauthenticated attackers can execute arbitrary SQL queries, potentially extracting sensitive database information including user credentials and payment data.
Remediation
Update Academy LMS to version 6.3 or later which includes proper SQL injection prevention.
AceNet AceReporter Report Panel - Detect
Author: DhiyaneshDkAdded: Aug 4, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1595726841"Ackee Panel - Detect
Author: userdehghaniAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1495233116"Description
self-hosted, node.js based analytics tool for those who care about privacy.
Acrolinx Dashboard
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Acrolinx Dashboard"})Description
An Acrolinx Analytics dashboard was detected.
Actifio Resource Center - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Actifio Resource Center"})Description
Actifio Resource Center was detected.
Activepieces Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Activepieces"})Description
Activepieces was detected. Activepieces was an open-source automation platform with AI and LLM integrations. Exposed instances may allow access to workflow automation configurations and connected integrations.
AcuToWeb server/10.5.0.7577c8b - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AcuToWeb"})Description
AcuToWeb server/10.5.0.7577c8b is vulnerable to reflected cross-site scripting (XSS) via the portgw parameter. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
Impact
Successful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious activities.
Remediation
Update AcuToWeb to the latest version. Implement proper input validation and output encoding for all user-supplied data, especially the portgw parameter.
Acunetix Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Acunetix"})Description
Acunetix login panel was detected.
AdGuard Panel - Detect
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AdGuard Home"})Description
AdGuard panel has been detected.
Adapt Authoring Tool - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adapt authoring tool"})Description
Login panel for adapt was detected.
AddOnFinance Portal - Detect
Author: ritikchaddhaAdded: Jun 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AddOnFinancePortal"})Description
AddOnFinance Portal Panel was detected.
Adfinity Login Panel - Detect
Author: righettodAdded: Apr 3, 2025
runzero-match
service["http.body"] matches "(?i)Adfinity"Description
Adfinity products was detected.
Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS
runzero-match
service["product"] contains "Adminer:Adminer"Description
Adminer <= 5.4.1 contains a denial of service caused by lack of origin validation in version check endpoint, letting attackers trigger server errors via crafted POST requests, exploit requires no special privileges.
Impact
Attackers can cause server errors resulting in denial of service for all users.
Remediation
Upgrade to Adminer 5.4.2 or later.
Adminer <4.7.9 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to internal resources and potential data leakage.
Remediation
Upgrade to version 4.7.9 or later.
Adminer <=4.8.0 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer 4.6.1 to 4.8.0 contains a cross-site scripting vulnerability which affects users of MySQL, MariaDB, PgSQL, and SQLite in browsers without CSP when Adminer uses a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled).
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the Adminer interface, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
This vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).
Adminer Default Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)adminer"})Description
Adminer contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Adminer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
An Adminer login panel was detected.
Adminer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - adminer"})Description
Adminer login panel was detected.
Adobe AEM CRX Package Manager - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
Adobe AEM CRX Package Manager panel was detected.
Adobe AEM Default Login
runzero-match
service["http.body"] contains `href="/etc.clientlibs/`Description
Adobe AEM default login credentials were discovered.
Adobe AEM JCR Compare Exposure
Author: pussycat0xAdded: Jan 2, 2026
runzero-match
service["product"] contains "Adobe:Experience Manager"Description
Detected an exposed Adobe AEM JCR compare functionality that was accessible without proper authorization. This exposure may have allowed attackers to infer repository structure or sensitive content through comparison operations.
Adobe ColdFusion - Access Control Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass access controls and gain unauthorized access to sensitive information or perform unauthorized actions.
Remediation
Apply the necessary security patches or updates provided by Adobe to mitigate this vulnerability.
Adobe ColdFusion - Access Control Bypass
Author: rootxharsh,iamnoooob,DhiyaneshDK,pdresearchAdded: Jul 12, 2023CWE-284,NVD-CWE-OTHERCVE-2023-29298
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
An attacker is able to access every CFM and CFC endpoint within the ColdFusion Administrator path /CFIDE/, of which there are 437 CFM files and 96 CFC files in a ColdFusion 2021 Update 6 install.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass access controls and gain unauthorized access to sensitive information or perform unauthorized actions.
Remediation
Apply the latest security patches or updates provided by Adobe to fix the access control bypass vulnerability.
Adobe ColdFusion - Arbitrary File Read
runzero-match
service["http.head.server"] matches `(?i)coldfusion`Description
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can read and write arbitrary files on the server, potentially leading to complete system compromise.
Remediation
Update Adobe ColdFusion to version 2023.7, 2021.13 or later depending on your version.
Adobe ColdFusion - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in context of the current user. Exploitation of this issue requires user interaction.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Adobe to mitigate this vulnerability.
Adobe ColdFusion - Local File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Unauthenticated Arbitrary File Read vulnerability due to deserialization of untrusted data in Adobe ColdFusion. The vulnerability affects ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier
Impact
This vulnerability can lead to unauthorized access to sensitive information stored on the server.
Remediation
Apply the necessary security patches or updates provided by Adobe to fix the vulnerability.
Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
Impact
This vulnerability can lead to unauthorized access to sensitive information and potential compromise of the affected system.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Adobe ColdFusion Component Browser Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
An Adobe ColdFusion Component Browser login panel was detected.
Adobe ColdFusion WDDX Deserialization Gadgets
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can exploit WDDX deserialization vulnerabilities in Adobe ColdFusion to execute arbitrary code without user interaction and completely compromise ColdFusion installations.
Remediation
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
Adobe Coldfusion - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
Impact
Unauthenticated attackers can bypass access controls to access Adobe ColdFusion administration endpoints, potentially allowing full control over the ColdFusion server and access to sensitive application data.
Remediation
Upgrade to Adobe ColdFusion 2023.6 or 2021.12 or later versions that address this access control vulnerability.
Adobe Coldfusion - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser
Impact
Unauthenticated attackers can inject malicious JavaScript through crafted URLs to execute code in victim browsers, potentially stealing ColdFusion administrator session cookies and gaining access to sensitive application configurations.
Remediation
Update Adobe ColdFusion to version 2023.6 or 2021.12 or later that properly escapes URLs in the CFIDE administrator and wizards interfaces.
Adobe Coldfusion <=8.0.1 - Cross-Site Scripting
runzero-match
service["product"] contains "Adobe:ColdFusion"Description
Adobe ColdFusion Server 8.0.1 and earlier contain multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade Adobe Coldfusion to a version higher than 8.0.1 or apply the necessary patches provided by the vendor.
Adobe Connect < 12.1.5 - Local File Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adobe Connect"}) || any(each(service["html.titles"]), {# matches "(?i)openvpn connect"})Description
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction
Impact
Unauthenticated attackers can exploit improper access control to download arbitrary files through the system/download endpoint, potentially accessing sensitive Adobe Connect meeting recordings and configuration files.
Remediation
Update Adobe Connect to version 12.1.5 or later that implements proper access control checks for the system/download functionality.
Adobe Connect Central Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openvpn connect"})Description
An Adobe Connect Central login panel was detected.
Adobe Experience Manager Felix Console - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "AEM Sign In"})Description
Adobe Experience Manager Felix Console contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. Remote code execution may also be possible via installation of OSGI bundle.
Adobe Experience Manager Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
An Adobe Experience Manager login panel was detected.
Adobe Experience Manager Sling User Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aem sign in"})Description
Adobe Experience Manager Sling user login panel was detected.
Adobe Media Server Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Adobe Media Server"})Description
An Adobe Media Server login panel was detected.
Ads Pro Plugin <= 4.89 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ap-plugin-scripteo"Description
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site.
Impact
Successful exploitation could allow an attacker to execute arbitrary code on the affected system through deserialization of malicious JSON payloads.
Remediation
Update the Ads Pro Plugin to version later than 4.89. Alternatively, disable polymorphic type handling or implement proper input validation and deserialization controls.
Advanced eMail Solution DEEPMail - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advanced eMail Solution DEEPMail"})Description
Advanced eMail Solution DEEPMail login panel was detected.
Advantech R-SeeNet - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)r-seenet"Description
Advantech R-SeeNet contains a cross-site scripting vulnerability in the device_graph_page.php script via the graph parameter. A specially crafted URL by an attacker can lead to arbitrary JavaScript code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Advantech to fix the XSS vulnerability in the R-SeeNet application.
Advantech R-SeeNet 2.4.12 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)r-seenet"Description
Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Update to the latest version of Advantech R-SeeNet to mitigate this vulnerability.
Advantech WebAccess/SCADA - Panel
Author: 0x_AkokoAdded: Jun 2, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advantech WebAccess"}) and service["favicon.ico.image.mmh3"] == "2047556588"Description
Detected Advantech WebAccess/SCADA login panel, a web-browser-based HMI/SCADA software used in critical manufacturing, energy, and water systems.
Aerohive NetConfig UI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aerohive NetConfig UI"})Description
An Aerohive NetConfig user interface was detected. The NetConfig UI provides a fundamental set of configurations for configuring basic network and HiveManager connectivity settings, and uploading new IQ Engine images to Extreme Networks APs.
Aethra Telecommunications Login - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aethra Telecommunications Operating System"})Description
Aethra Telecommunication login Panel was detected.
Agent-Zero 0.8.0 - 0.9.4 - Arbitrary File Download
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Agent Zero"})Description
Agent-Zero v0.8.0 - 0.9.4 contains a path traversal caused by improper validation in /api/download_work_dir_file.py, letting attackers access unauthorized files, exploit requires crafted request.
Impact
Attackers can access unauthorized files, potentially exposing sensitive data or system information.
Remediation
Update to the latest version of Agent-Zero
AgentGPT Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AgentGPT"})Description
AgentGPT was detected. AgentGPT was a browser-based autonomous AI agent platform that allows users to create, configure and deploy AI agents directly in the browser.
Agentejo Cockpit < 0.11.2 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate the vulnerability.
Agentejo Cockpit <0.11.2 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, potentially leading to unauthorized access, data manipulation, or denial of service.
Remediation
Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate this vulnerability.
Agentejo Cockpit <0.12.0 - NoSQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "688609340" || service["http.body"] matches "(?i)cockpit"Description
Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.
Impact
Successful exploitation of this vulnerability could allow an attacker to manipulate database queries, potentially leading to unauthorized access, data leakage, or data corruption.
Remediation
Upgrade Agentejo Cockpit to version 0.12.0 or later to mitigate this vulnerability.
AirNotifier Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AirNotifier"})Description
AirNotifier login panel was detected.
AirOS Panel - Detect
Author: rxeriumAdded: Aug 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-697231354"Description
AirOS panel was detected.
Airbyte Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Airbyte"})Description
Airbyte panel was detected. Airbyte is a popular open-source data integration platform.
Airflow Experimental <1.10.11 - REST API Auth Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)airflow - dags"}) || any(each(service["html.titles"]), {# matches "(?i)airflow"}) || any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"}) || service["http.body"] matches "(?i)apache airflow"Description
Airflow's Experimental API prior 1.10.11 allows all API requests without authentication.
Impact
Allows unauthorized access to Airflow Experimental REST API
Remediation
From Airflow 1.10.11 forward, the default has been changed to deny all requests by default. Note - this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide linked in the references.
Akuiteo Login Panel - Detect
Author: righettodAdded: Nov 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Akuiteo"})Description
Akuiteo products was detected.
Alamos GmbH Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Alamos GmbH \\| FE2"})Description
Alamos GmbH panel was detected.
Alcatel-Lucent OmniPCX - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)omnipcx for enterprise"})Description
The OmniPCX web interface has a script "masterCGI" with a remote command execution vulnerability via the "user" parameter.
Impact
Any user with access to the web interface could execute arbitrary commands with the permissions of the webservers.
Remediation
Update to supported versions that filter shell metacharacters in the "user" parameter.
Alfresco - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Alfresco"}) && service["http.body"] contains "/share/res/js/alfresco"Description
Detected Alfresco Content Services was found to have been using the default administrator credentials (admin:admin). An attacker could have gained full administrative access to manage content, users, and repository configuration.
Alfresco Content App Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Alfresco Content App"})Description
Alfresco Content App panel was detected.
Alibaba Druid Monitor Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)druid monitor"})Description
Alibaba Druid Monitor default login information (admin/admin) was discovered.
Alibaba Nacos - Default Login
Author: SleepingBag945Added: Aug 22, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nacos"})Description
The default username and password for Nacos are both nacos.
AlienVault USM Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AlienVault USM"})Description
An AlienVault USM login panel was detected.
All-in-One WP Migration < 7.87 - Unauthenticated Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/all-in-one-wp-migration"Description
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to unauthenticated information disclosure due to its error.log file being publicly accessible in versions before 7.87.
Impact
An unauthenticated attacker can access the error.log file, which may contain sensitive information such as full server path disclosures, backup filenames, and other debugging details. This information could be used in further attacks.
Remediation
Update the All-in-One WP Migration and Backup plugin to version 7.87 or later.
Allied Telesis Device GUI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)allied telesis device gui"})Description
Allied Telesis Device GUI login panel was detected.
Allnet - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-121681558"Description
Allnet contains a default login vulnerability. Default admin login password 'admin' was found.
Ally – Web Accessibility & Usability <= 4.0.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/pojo-accessibility/"Description
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
Impact
Unauthenticated attackers can extract sensitive database information via blind SQL injection, risking data disclosure.
Remediation
Update to a version later than 4.0.3 or the latest available version.
AlphaWeb XE Default Login
runzero-match
service["http.body"] contains ">AlphaWeb XE<"Description
An AlphaWeb XE default login was discovered.
Altenergy Power Control Software - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)altenergy power control software"})Description
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee of the file /index.php/display/status_zigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated remotely.
Impact
Authenticated attackers can execute SQL injection through the date parameter in the status_zigbee function to extract sensitive power system data including energy metrics and device configurations.
Remediation
Validate and sanitize all user inputs before processing them in SQL queries. Use parameterized queries or prepared statements to prevent SQL injection attacks.
AlternC Desktop Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AlternC Desktop"})Description
AlternC Desktop panel was detected.
Amazon EC2 - Server-side request forgery (SSRF)
runzero-match
service["http.head.server"] matches "EC2ws"Description
SSRF vulnerability exists in Amazon EC2, or Amazon Elastic Compute Cloud which is a web service provided by Amazon Web Services (AWS) that offers resizable compute capacity in the cloud.
Ambassador API Gateway Diagnostics - Exposure
Author: 0x_AkokoAdded: Dec 12, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ambassador Diagnostic Overview"})Description
Detected Ambassador API Gateway diagnostics portal, revealing service mappings, API endpoints, routing configurations, and internal cluster information.
Amcrest IP Camera Web Management - Data Exposure
runzero-match
service["http.body"] matches "(?i)Amcrest"Description
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials.
Impact
An attacker can gain unauthorized access to sensitive data.
Remediation
Apply the latest firmware update provided by the vendor to fix the vulnerability.
Amcrest Login
runzero-match
service["http.body"] matches "(?i)amcrest"Description
An Amcrest LDAP user login was discovered.
AmpJuke - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-121681558"Description
AmpJuke contains a default login vulnerability. Default admin login password 'pass' was found.
Ampache Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)for the love of music"})Description
Ampache login panel was detected.
Anaqua Login - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Anaqua User Sign On"})Description
Checks for the presence of Anaqua login page
Andover Continuum BMS - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)Andover Continuum"Description
Andover Continuum Building Management System panel has been detected.
Ansible Semaphore Panel Detect
runzero-match
service["http.body"] matches "(?i)Semaphore</title>"Description
An Ansible Semaphore login panel was detected.
Ansible Tower - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ansible tower"})Description
Ansible Tower was detected. Ansible Tower is a commercial offering that helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments.
AnteeoWMS < v4.7.34 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ANTEEO"Description
A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.
Impact
Unauthenticated attackers can execute arbitrary SQL commands via the username parameter, potentially extracting sensitive database information.
Remediation
Update AnteeoWMS to version 4.7.34 or later.
Anyscale Ray - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "463802404" || service["http.body"] matches "(?i)ray dashboard" || any(each(service["html.titles"]), {# matches "(?i)ray dashboard"})Description
Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API.
Impact
Unauthenticated attackers with network access to the Ray Dashboard API can execute arbitrary code remotely as root, leading to complete system compromise.
Remediation
Upgrade Anyscale Ray to version 2.6.4 or later, or version 2.8.1 or later, and restrict network access to the Ray Dashboard API.
AnythingLLM - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AnythingLLM"})Description
AnythingLLM suffers from an information disclosure vulnerability through the `/api/setup-complete` API endpoint. By accessing this endpoint, a remote and unauthenticated attacker can access sensitive configuration of the target AnythingLLM instance. This detection is included in the AI and LLM category.
Impact
An attacker can use the vulnerability to obtain device administrator rights.
Remediation
Update AnythingLLM to the latest version and implement proper authentication for the setup-complete API endpoint.
AnythingLLM - Information Disclosure
runzero-match
service["http.body"] matches "(?i)AnythingLLM"Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.
Impact
Unauthenticated attackers can read and write to the Qdrant database, compromising semantic search and leaking confidential documents.
Remediation
Update to version 1.10.0 or later.
AnythingLLM Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AnythingLLM \\| Your personal LLM trained on anything"})Description
Detects the AnythingLLM web interface.
Apache 2.4.49 - Path Traversal and Remote Code Execution
runzero-match
service["http.head.server"] matches `Apache/2\.4\.49`Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and remote code execution.
Remediation
Upgrade Apache to version 2.4.50 or apply the relevant patch provided by the vendor.
Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
runzero-match
service["http.head.server"] matches `Apache/2\.4\.(49|59)`Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code and gain unauthorized access to sensitive information.
Remediation
Upgrade to Apache HTTP Server 2.4.51 or later.
Apache APISIX Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache apisix dashboard"})Description
An Apache APISIX login panel was detected.
Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ActiveMQ"})Description
Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication.
Impact
Unauthenticated users can interact with the broker, potentially producing, consuming, or deleting messages and accessing sensitive management APIs.
Remediation
Upgrade to Apache ActiveMQ 6.1.2 or later, or update `conf/jetty.xml` to require authentication on the `/api/` web context.
Apache ActiveMQ Artemis Console Default Login
Author: pdteamAdded: Jun 5, 2025
runzero-match
any(each(service["html.titles"]), {# contains "ActiveMQ Artemis Console"})Description
Detected Apache ActiveMQ Artemis console default login credentials were discovered.
Apache ActiveMQ Default Login
Author: pdteamAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# contains "Apache ActiveMQ"})Description
Apache ActiveMQ default login credentials were discovered.
Apache ActiveMQ Exposure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache ActiveMQ"})Description
An Apache ActiveMQ implementation was discovered.
Apache Airflow <1.10.14 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"})Description
Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized execution of arbitrary code.
Remediation
Change default value for [webserver] secret_key config.
Apache Airflow <=1.10.10 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"}) || service["http.body"] matches "(?i)apache airflow" || any(each(service["html.titles"]), {# matches "(?i)airflow - dags"}) || any(each(service["html.titles"]), {# matches "(?i)airflow"})Description
Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use).
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
Apache Airflow Admin Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"}) || any(each(service["html.titles"]), {# matches "(?i)airflow - dags"})Description
An Apache Airflow admin login panel was discovered.
Apache Airflow Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Sign In - Airflow"})Description
Apache Airflow default login credentials were discovered.
Apache Airflow OS Command Injection
runzero-match
service["http.body"] matches "(?i)apache airflow" || any(each(service["html.titles"]), {# matches "(?i)airflow - dags"}) || any(each(service["html.titles"]), {# matches "(?i)airflow"}) || any(each(service["html.titles"]), {# matches "(?i)airflow - dags\" \\|\\| http\\.html:\"apache airflow"}) || any(each(service["html.titles"]), {# matches "(?i)sign in - airflow"})Description
Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Apply the latest security patches or upgrade to a patched version of Apache Airflow.
Apache Airflow v3 Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Airflow"})Description
Apache Airflow v3 default login credentials were discovered.
Apache Ambari Default Login
runzero-match
service["http.body"] contains `>See third-party tools/resources that Ambari uses and their respective authors<`Description
An Apache Ambari default admin login was discovered.
Apache Apisix Admin - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Apache APISIX Dashboard"})Description
An Apache Apisix default admin login was discovered.
Apache Apollo - Default Login
Author: ritikchaddhaAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Apache Apollo"})Apache Apollo Panel - Detect
Author: ritikchaddhaAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Apollo"})Apache Axis2 Default Login
runzero-match
service["http.body"] matches "(?i)Apache Axis"Description
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or the ability to modify or delete data.
Remediation
Disable or restrict access to the Axis2 web interface, or apply the necessary patches or updates provided by the vendor.
Apache CloudStack - Default Login
Author: DhiyaneshDKAdded: Jul 30, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Apache CloudStack"})Description
CloudStack instance discovered using weak default credentials, allows the attacker to gain admin privilege.
Apache Cocoon 2.1.12 - XML Injection
runzero-match
service["http.body"] matches "(?i)Apache Cocoon"Description
Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and remote code execution.
Remediation
Upgrade to Apache Cocoon 2.1.13 or later.
Apache DolphinScheduler Default Login
runzero-match
any(each(service["html.titles"]), {# matches "DolphinScheduler"})Description
Apache DolphinScheduler default admin credentials were discovered.
Apache Doris - Default Login
Author: icarotAdded: Oct 21, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "24048806"Description
Tests if Apache Doris Panel, it is an easy-to-use, high performance and unified analytics database, is using the default password on root/admin user accounts.
Apache Flink - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches `^Apache Flink Web Dashboard`})Description
Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process (aka local file inclusion).
Impact
Unauthenticated attackers can read arbitrary files from the JobManager local filesystem, potentially exposing sensitive configuration files, credentials, and proprietary data.
Remediation
Apply the latest security patches or upgrade to a patched version of Apache Flink to mitigate the vulnerability.
Apache HTTP Server - ACL Bypass
runzero-match
any(each(service["html.titles"]), {# matches "Apache HTTP Server"})Description
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
Impact
Authenticated attackers can bypass ACL restrictions by crafting requests with incorrect encoding, potentially accessing protected backend services or resources that should be restricted by authentication mechanisms.
Remediation
Upgrade to Apache HTTP Server version 2.4.60 or later.
Apache HertzBeat - Default Credentials
Author: securitytaters,icarotAdded: Sep 2, 2024
runzero-match
any(each(service["html.titles"]), {# matches "HertzBeat"})Description
Apache HertzBeat enables default admin (and others) credentials. An attacker can execute unauthorized operations.
Apache HugeGraph-Server <1.5.0 - Authentication Bypass
runzero-match
service["product"] contains "Apache:HugeGraph"Description
Apache HugeGraph-Server versions prior to 1.5.0 contain an authentication bypass vulnerability caused by assumed-immutable data. This flaw allows attackers to bypass authentication mechanisms without requiring specific privileges or user interaction.
Impact
Attackers can bypass authentication, gaining unauthorized access to sensitive data or functionalities.
Remediation
Upgrade to Apache HugeGraph-Server version 1.5.0 or later.
Apache JMeter Dashboard Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache jmeter dashboard"})Description
Apache JMeter Dashboard login panel was detected.
Apache Kafka Center Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Kafka Center"})Description
Apache Kafka Center default admin credentials were discovered.
Apache Kafka Consumer Offset Monitor Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kafka consumer offset monitor"}) || any(each(service["html.titles"]), {# matches "(?i)kafka center"})Description
Apache Kafka Consumer Offset Monitor panel was detected.
Apache Kafka Control Center Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kafka center"}) || any(each(service["html.titles"]), {# matches "(?i)kafka consumer offset monitor"})Description
Apache Kafka Control Center login panel was detected.
Apache Kafka Monitor Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kafka center"}) || any(each(service["html.titles"]), {# matches "(?i)kafka consumer offset monitor"})Description
Apache Kafka Monitor login panel was detected.
Apache Karaf - Default Login
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="karaf'})Description
Apache Karaf contains a default login vulnerability. Default login credentials were detected. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Apache Mesos - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mesos"})Description
Apache Mesos panel was detected.
Apache NiFi - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nifi"})Description
Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group.
Impact
Attackers can create Process Groups bound to Parameter Contexts without proper authorization checks, enabling them to download non-sensitive parameter values and potentially access sensitive configuration data.
Remediation
Update Apache NiFi to version 2.1.0 or later to address the missing authorization checks for Parameter Contexts.
Apache NiFi - Remote Code Execution
Author: arliyaAdded: Jan 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NiFi"})Description
Apache NiFi is designed for data streaming. It supports highly configurable data routing, transformation, and system mediation logic that indicate graphs. The system has unauthorized remote command execution vulnerability.
Apache OFBiz - Directory Traversal & Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ofbiz"})Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.
Impact
An attacker can exploit this directory traversal vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Apache OFBiz - Improper Authorization & Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OFBiz"}) || service["http.head.setCookie"] matches "^OFBiz.Visitor" || service["last.http.head.setCookie"] matches "^OFBiz.Visitor"Description
Improper Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
Impact
An attacker can exploit this directory traversal vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Apache OFBiz - XML External Entity Injection
runzero-match
service["http.body"] matches "(?i)ofbiz"Description
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.
Impact
Attackers can disclose sensitive filesystem data, probe network ports, and determine file existence, leading to information disclosure and potential further exploitation.
Remediation
Update to the latest OFBiz version or apply security patches addressing XML external entity vulnerabilities.
Apache OFBiz 17.12.03 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)ofbiz"Description
Apache OFBiz 17.12.03 contains cross-site scripting and unsafe deserialization vulnerabilities via an XML-RPC request.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache OFBiz.
Apache OFBiz < 18.12.07 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)OFBiz"Description
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
Impact
Unauthenticated attackers can read arbitrary files from the server filesystem through the Solr plugin debug endpoint in Apache OFBiz, potentially accessing configuration files, credentials, and other sensitive system information.
Remediation
Upgrade to Apache OFBiz version 18.12.07 or later to mitigate this local file inclusion vulnerability.
Apache OFBiz <=16.11.07 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)ofbiz"Description
Apache OFBiz 16.11.01 to 16.11.07 is vulnerable to cross-site scripting because data sent with contentId to /control/stream is not sanitized.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade Apache OFBiz to a version higher than 16.11.07 to mitigate this vulnerability.
Apache OFBiz Directory Traversal - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OFBiz"}) || service["http.head.setCookie"] matches "^OFBiz.Visitor" || service["last.http.head.setCookie"] matches "^OFBiz.Visitor"Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.13
Impact
An attacker can exploit this directory traversal vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
Remediation
Users are recommended to upgrade to version 18.12.13, which fixes the issue.
Apache OfBiz Default Login
runzero-match
service["http.head.setCookie"] matches "^OFBiz.Visitor="Description
Apache OfBiz default admin credentials were discovered.
Apache Pinot < 1.3.0 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1696974531"Description
This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.
Impact
Unauthenticated attackers can bypass authentication by injecting special characters in URIs, gaining unauthorized access to Apache Pinot administrative functions.
Remediation
Update Apache Pinot to version 1.3.0 or later to address the authentication bypass vulnerability.
Apache Polaris - Default Login
Author: icarotAdded: Mar 17, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Polaris"})Description
The Apache Polaris server is configured with default administrative credentials, allowing an attacker to perform unauthorized operations. This template verifies the use of the default username root and password s3cr3t.
Apache Polaris - Information Disclosure
Author: icarotAdded: Mar 17, 2026
runzero-match
service["http.body"] matches "(?i)org\\.apache\\.polaris"Description
Detects a Apache Polaris server, the interoperable, open source catalog for Apache Iceberg.
Apache Ranger - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Ranger - Sign In"})Description
Apache Ranger contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Apache RocketMQ Console Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rocketmq"}) || any(each(service["html.titles"]), {# matches "(?i)rocketmq-console-ng"})Description
Apache RocketMQ Console panel was detected.
Apache S2-032 Struts - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts"Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when dynamic method invocation is enabled, allows remote attackers to execute arbitrary code via method: prefix (related to chained expressions).
Impact
Remote code execution
Remediation
Upgrade to Apache Struts version 2.3.20.2, 2.3.24.2, or 2.3.28.1.
Apache ShardingSphere ElasticJob-UI privilege escalation
runzero-match
service["favicon.ico.image.mmh3"] == "816588900"Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.
Impact
Successful exploitation of this vulnerability could result in unauthorized access and control of the ElasticJob-UI application.
Remediation
Apply the latest security patches or updates provided by Apache ShardingSphere to mitigate the privilege escalation vulnerability.
Apache Sling - Default Login
Author: icarotAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Sling"})Description
Apache Sling default login was discovered.
Apache Solr - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Apache Solr"Description
Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass.A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path.This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.This issue affects Apache Solr- from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0.
Impact
Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Apache Solr - Host Environment Variables Leak via Metrics API
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache solr"}) || any(each(service["html.titles"]), {# matches "(?i)solr admin"})Description
Exposure of Sensitive Information to an Unauthorized Actor Vulnerability in Apache Solr.
The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users can specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host,unlike Java system properties which are set per-Java-proccess.
Impact
This vulnerability can lead to the exposure of sensitive information, potentially allowing an attacker to gain unauthorized access or perform further attacks.
Remediation
Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.
Apache Solr Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)solr admin"}) || any(each(service["html.titles"]), {# matches "(?i)apache solr"})Description
Apache Solr admin panel was detected.
Apache Spark Panel - Detect
runzero-match
service["http.body"] matches "(?i)/apps/imt/html/" || any(each(service["html.titles"]), {# matches "(?i)spark master at"})Description
Apache Spark panel was detected.
Apache Spark UI - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)spark master at"}) || service["http.body"] matches "(?i)/apps/imt/html/"Description
Apache Spark UI is susceptible to remote command injection. ACLs can be enabled via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow impersonation by providing an arbitrary user name. An attacker can potentially reach a permission check function that will ultimately build a Unix shell command based on input and execute it, resulting in arbitrary shell command execution. Affected versions are 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
Remediation
Apply the latest security patches or updates provided by Apache Spark to fix the remote command injection vulnerability.
Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache streampipes"})Description
Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator (PRNG) in the recovery token generation mechanism. Given a valid token it's possible to predict all past and future generated tokens.
Impact
Successful exploitation of this vulnerability could allow an attacker to take over user accounts.
Remediation
Update to Apache StreamPipes 0.95.0 or later.
Apache Streampark - Default Login
Author: icarotAdded: Sep 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache StreamPark"})Description
Apache Streampark server enables default admin credentials. An attacker can execute unauthorized operations.
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
runzero-match
service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"})Description
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. This introduces the possibility to inject server side code.
Impact
This vulnerability can lead to remote code execution, allowing attackers to take control of the affected system.
Remediation
Developers should immediately upgrade to Struts 2.3.15.1 or later.
Apache Struts 2 - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.
Impact
Remote attackers can execute arbitrary commands on the target system.
Remediation
Upgrade to Apache Struts 2.3.32 or 2.5.10.1 or apply the necessary patches.
Apache Struts 2.0.0-2.5.25 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
Apache Struts 2.0.0 through Struts 2.5.25 is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts.
Apache Struts <=2.5.20 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts"Description
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected server.
Remediation
Upgrade Apache Struts to a version higher than 2.5.20 or apply the necessary patches provided by the vendor.
Apache Struts2 S2-008 RCE
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected server.
Remediation
Developers should immediately upgrade to at least Struts 2.3.18.
Apache Struts2 S2-012 RCE
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected server.
Remediation
Developers should immediately upgrade to Struts 2.3.14.3 or later.
Apache Struts2 S2-053 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report"Description
Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1 uses an unintentional expression in a Freemarker tag instead of string literals, which makes it susceptible to remote code execution attacks.
Impact
Remote code execution
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
Apache Struts2 S2-053 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"})Description
Apache Struts 2.1.x and 2.3.x with the Struts 1 plugin might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
Impact
Remote code execution
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
Apache Struts2 S2-057 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"}) || service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts"Description
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn''t have value and action set and in same time, its upper package have no or wildcard namespace.
Impact
Remote code execution
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
Apache Superset - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1582430156" || service["http.body"] matches "(?i)apache superset"Description
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to sensitive information.
Remediation
Apply the latest security patches or upgrade to a patched version of Apache Superset.
Apache Superset - Default Login
Author: theamanrawatAdded: Apr 23, 2026
runzero-match
(any(each(service["html.titles"]), {# matches "(?i)Superset"}) && service["http.body"] contains `alt="Superset"`) || service["favicon.ico.image.mmh3"] == "1582430156"Description
Apache Superset instance discovered using weak default credentials, allows the attacker to gain admin privilege.
Apache Superset Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1582430156" || service["http.body"] matches "(?i)apache superset"Description
Apache Superset login panel was detected.
Apache Tika - XML External Entity Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Tika"})Description
Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1), and tika-parsers (1.13-1.28.5) contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input.
Impact
Attackers can exploit XXE to read local files or cause denial of service, potentially exposing sensitive information or disrupting service.
Remediation
Upgrade tika-core to \u003E= 3.2.2 and ensure tika-pdf-module and tika-parsers are updated to latest versions.
Apache Tomcat - Default Login Discovery
runzero-match
service["http.head.server"] contains "Apache Tomcat"Description
Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 default login credentials were successful.
Apache Tomcat - HTTP Request Smuggling
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Tomcat"})Description
Apache Tomcat from versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation caused by incorrect parsing of HTTP trailer headers, letting attackers craft headers to cause request smuggling, exploit requires sending malicious trailer headers.
Impact
Attackers can perform request smuggling, potentially leading to cache poisoning, session hijacking, or bypassing security controls.
Remediation
Upgrade to version 11.0.0-M12, 10.1.14, 9.0.81, or 8.5.94 or later.
Apache Tomcat JK Connect <=1.2.44 - Manager Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Apache Tomcat"})Description
Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 allows specially constructed requests to expose application functionality through the reverse proxy. It is also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
Impact
Unauthenticated attackers can gain unauthorized access to the Apache Tomcat Manager interface, potentially leading to further compromise of the server.
Remediation
Upgrade to a patched version of Apache Tomcat JK Connect (1.2.45 or higher) or apply the recommended security patches.
Apache Tomcat Manager Default Login
Author: pdteam,sinKettu,nybble04Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Apache Tomcat"})Description
Apache Tomcat Manager default login credentials were discovered.
Apache Tomcat Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache tomcat"}) || service["http.body"] matches "(?i)apache tomcat"Description
Apache Tomcat Manager login panel was detected.
Apache Tomcat Remote Command Execution
runzero-match
service["http.body"] matches "(?i)apache tomcat" || any(each(service["html.titles"]), {# matches "(?i)apache tomcat"})Description
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if
a) an attacker is able to control the contents and name of a file on the server; and
b) the server is configured to use the PersistenceManager with a FileStore; and
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
Note that all of conditions a) to d) must be true for the attack to succeed.
Impact
Successful exploitation of this vulnerability can lead to remote code execution, allowing attackers to execute arbitrary commands on the affected system.
Remediation
Apply the latest security patches provided by Apache to mitigate this vulnerability.
Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)apache tomcat"Description
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https-//codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https-//web.archive.org/web/20161228144344/https-//blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Impact
Attackers can execute arbitrary system commands on Windows systems when CGI Servlet is enabled with enableCmdLineArguments, leading to complete server compromise.
Remediation
Upgrade to Tomcat 9.0.18, 8.5.40, 7.0.94 or later, and ensure enableCmdLineArguments is disabled.
Apache `mod_proxy_cluster` Cluster Manager Interface - Exposure
Author: oleveloperAdded: Oct 10, 2025
runzero-match
service["http.body"] contains "Mod_cluster Status" || service["http.body"] contains "mod_proxy_cluster"Description
The Apache mod_proxy_cluster management interface provides administrative control and visibility into the load balancer’s nodes and contexts.
Apereo CAS Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)'CAS - Central Authentication Service'"})Description
Apereo CAS through 6.4.1 allows cross-site scripting via POST requests sent to the REST API endpoints.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, data theft, or defacement.
Remediation
Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
Aperio eSlideManager - Panel
Author: Th3l0newolfAdded: May 12, 2025
runzero-match
service["http.body"] matches "(?i)eSlideManager - Login"Description
Aperio eSlideManager Login Panel was discovered.
Apigee Login Panel - Detect
Author: righettodAdded: Feb 12, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-839356603"Description
Apigee login panel was detected.
Apollo Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "11794165"Description
An Apollo default login was discovered.
Application Management Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)amp - application management panel"})Description
Application Management Panel was detected.
Appsmith User Login - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)appsmith"})Description
Appsmith user login panel was detected.
Appspace Login Panel - Detect
Author: ritikchaddhaAdded: Jul 25, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)appspace"})Description
Appspace is the workplace experience platform for your whole team that lets you manage it all – from employee communications to your physical office spaces.
Appsuite Login Panel - Detect
Author: DhiyaneshDKAdded: Nov 7, 2023
runzero-match
service["http.body"] matches "(?i)appsuite"Appwrite Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in - appwrite"}) || service["favicon.ico.image.mmh3"] == "-633108100"Description
Appwrite login panel was detected.
Aptus Login - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aptus Login"})Description
Aptus login panel was detected.
Aqua Enterprise - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Aqua Enterprise"})Description
Aqua Enterprise panel was detected.
Aquatronica Controller System <= 5.1.6 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)aquatronica"Description
Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit requires no authentication.
Impact
Unauthenticated attackers can retrieve sensitive configuration data including plaintext credentials through the tcp.php endpoint, potentially gaining full administrative access to the controller system.
Remediation
Upgrade to Aquatronica Controller System firmware version 5.1.7 or later and web interface version 2.1 or later that implements proper authentication controls.
ArangoDB Web Interface - Detect
Author: pussycat0xAdded: Jul 4, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)arangodb web interface"})Description
ArangoDB Web Interface was detected.
ArcGIS REST Services Directory - Detect
Author: HeeresSAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)arcgis"})Description
Check for the existence of the "/arcgis/rest/services" path on an ArcGIS server.
ArcServe Panel - Detect
Author: DhiyaneshDkAdded: Jun 29, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1889244460"Arcane Login Panel - Detect
Author: KazgangapAdded: Mar 24, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "-313371739"Description
Detects the presence of the Arcane login panel, a modern Docker management platform.
Archibus Web Central Login - Panel Detect
runzero-match
service["favicon.ico.image.mmh3"] == "889652940"Description
Archibus Web Central login panel was detected.
Arcserve UDP <= 9.0.6034 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1889244460"Description
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
Impact
Unauthenticated attackers can bypass authentication by leaking the AuthUUID token, allowing them to execute any administrative task and potentially compromise all backup data managed by Arcserve UDP.
Remediation
Upgrade to Arcserve UDP version 9.1 or later that addresses this authentication bypass vulnerability.
Arcserve Unified Data Protection - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1015186617"Description
An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
Impact
Attackers can bypass authentication, gaining unauthorized access to the system.
Remediation
Update to the latest version of Arcserve Unified Data Protection or apply security patches provided by the vendor.
Argilla Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Argilla"})Description
Argilla is an open-source data labelling platform for AI and LLM fine-tuning workflows.
It provides a web interface for annotating datasets used in machine learning model training.
Argo CD Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Argo CD"})Description
An Argo CD login panel was discovered.
Argo CD Unauthenticated Access to sensitive setting
runzero-match
service["http.body"] matches "(?i)Argo CD"Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern.
Impact
Unauthenticated attackers can access sensitive password patterns and application settings exposed by the /api/v1/settings endpoint.
Remediation
Update Argo CD to a version that patches CVE-2024-37152.
Aria2 WebUI - Path traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aria2 webui"})Description
webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability.
Impact
An attacker can access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.
Remediation
Upgrade to the latest version of Aria2 WebUI to fix the path traversal vulnerability.
Arize Phoenix - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)Arize Phoenix`Description
Arize Phoenix is an open-source AI observability and evaluation platform for monitoring,
debugging, and evaluating LLM applications.
Artica Pandora FMS 7.44 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pandora fms"})Description
Artica Pandora FMS 7.44 allows remote command execution via the events feature.
Impact
Unauthenticated attackers can execute arbitrary system commands via the events feature, leading to complete server compromise and access to all monitoring data.
Remediation
Upgrade to Pandora FMS version 7.45 or later, or apply vendor-provided security patches.
Artica Pandora FMS <=7.42 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pandora fms"})Description
Artica Pandora FMS through 7.42 is susceptible to arbitrary file read. An attacker can read the chat history, which is in JSON format and contains user names, user IDs, private messages, and timestamps. This can potentially lead to unauthorized data modification and other operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially leading to further compromise of the system.
Remediation
Upgrade Artica Pandora FMS to version 7.43 or later to mitigate this vulnerability.
Artica Proxy - Unauthenticated LFI
runzero-match
service["http.body"] matches "(?i)artica"Description
The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user.
Impact
Unauthenticated attackers can read arbitrary files on the server including configuration files with credentials and other sensitive data.
Remediation
Update Artica Proxy to a version newer than 4.50.
Artica Proxy 4.30.000000 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)Artica"Description
Artica Proxy 4.30.000000 contains a cross-site scripting vulnerability via the password parameter in /fw.login.php.
Impact
Attackers can inject malicious JavaScript through the password parameter in the Artica Proxy login page that reflects back to users, potentially stealing credentials or session tokens when victims submit the login form.
Remediation
Upgrade to a patched version of Artica Proxy or apply the vendor-supplied patch to mitigate the vulnerability.
Artica Proxy Community Edition <4.30.000000 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)artica"Description
Artica Proxy Community Edition before 4.30.000000 is vulnerable to local file inclusion via the fw.progrss.details.php popup parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system.
Remediation
Upgrade to Artica Proxy Community Edition version 4.30.000000 or later to fix the Local File Inclusion vulnerability.
Aruba Instant - Default Login
Author: SleepingBag945Added: Sep 8, 2023
runzero-match
service["http.body"] matches "(?i)jscripts/third_party/raphael-treemap\\.min\\.js"Description
Aruba Instant is an AP device. The device has a default password, and attackers can control the entire platform through the default password admin/admin vulnerability, and use administrator privileges to operate core functions.
AstrBot - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AstrBot"})Description
AstrBot contains a default login vulnerability. An attacker can access the AstrBot dashboard using default credentials and gain control over the chatbot framework, modify configurations, manage LLM providers, and execute unauthorized operations.
AstrBot WebUI Login Panel - Detect
Author: theamanrawatAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AstrBot"})Description
Astrbot WebUI login panel was detected.
Astro - Information Disclosure
runzero-match
service["http.body"] matches "(?i)astro"Description
Astro versions v5.0.3 through v5.0.7 and Astro v4.16.17 or older with sourcemaps enabled contain a source code disclosure caused by sourcemap files being publicly accessible in the build output folder, letting unauthenticated users read server source code, exploit requires sourcemaps to be enabled.
Impact
Unauthenticated users can access server source code, potentially leading to discovery of further vulnerabilities or sensitive information.
Remediation
Update Astro to version 5.0.8 or later for server-output projects, and to 5.0.9 or later (or 4.16.18 for Astro v4) for static-output projects with sourcemaps enabled.
Astro - Reflected XSS via server islands feature
runzero-match
service["http.body"] matches "(?i)_server-islands"Description
Astro 5.15.8 contains a reflected XSS caused by improper handling of server islands feature, letting remote attackers execute scripts, exploit requires use of server islands in the application.
Impact
Remote attackers can execute scripts in users' browsers, potentially leading to session hijacking or data theft.
Remediation
Update to version 5.15.8 or later.
Atarim < 4.2.2 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)atarim"Description
Vito Peleg Atarim <= 4.2 contains an insertion of sensitive information into sent data vulnerability caused by improper handling of embedded sensitive data, letting attackers retrieve embedded sensitive data remotely, exploit requires no special privileges.
Impact
Attackers can retrieve embedded sensitive data, potentially leading to information disclosure.
Remediation
Update to the latest version beyond 4.2.
Atlantis Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1706783005"Description
Atlantis panel was detected.
Atlassian Bamboo Login Panel - Detect
Author: righettodAdded: Mar 10, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Bamboo"})Description
Atlassian Bamboo login panel was detected.
Atlassian Confluence End-of-Life - Detect
Author: Shivam KambojAdded: Mar 15, 2026
runzero-match
service["product"] contains "Atlassian:Confluence"Description
Detected Atlassian Confluence instances versions that have reached End-of-Life (EOL) and no longer receive security updates.
Atlassian Jira Server-Side Template Injection
runzero-match
any(each(service["html.titles"]), {# matches `(?i)^system\s+dashboard\s+-\s+`}) || service["favicon.ico.image.md5"] matches `(?i)^(1391664373e72311a656c4a5504682af|88717398db158e3330ce94fc1784e4a7|04d89d5b7a290334f5ce37c7e8b6a349|08aa365c2d0863df2735d386f77c22c2)$`Description
Jira Server and Data Center is susceptible to a server-side template injection vulnerability via the ContactAdministrators and SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
Impact
Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Apply the necessary security patches or upgrade to a fixed version provided by Atlassian to mitigate this vulnerability.
Atlassian Questions For Confluence - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)confluence"}) || service["favicon.ico.image.md5"] matches `(?i)^(bad2c1f96cd66e70b4aa119e7270cc62|966e60f8eb85b7ea43a7b0095f3e2336)$`Description
Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Confluence instance.
Remediation
Update the Atlassian Questions For Confluence plugin to the latest version, which removes the hardcoded credentials.
Atom.CMS 2.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)atomcms"Description
Atom.CMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_uploads.php which allows an attacker to execute arbitrary SQL commands.
Impact
Successful exploitation could lead to unauthorized access, data leakage, and potential data manipulation.
Remediation
Apply the latest security patches provided by the vendor to mitigate the SQL Injection vulnerability in Atom.CMS 2.0.
AudioCodes 310HD, 320HD, 420HD, 430HD & 440HD - Default Login
runzero-match
service["http.head.server"] contains "AudioCodes Web Server"Description
AudioCodes devices 310HD, 320HD, 420HD, 430HD & 440HD contain a default login vulnerability. Default login credentials were discovered. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
AudioCodes Device Manager Express - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)audiocodes"})Description
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form.
Impact
Unauthenticated attackers can exploit SQL injection in the login form to bypass authentication, extract sensitive VoIP configuration data, and potentially gain administrative access to the AudioCodes Device Manager system.
Remediation
Update AudioCodes Device Manager Express to a version newer than 7.8.20002.47752 that uses parameterized queries and properly validates input.
AudioCodes Login - Panel Detect
runzero-match
service["http.body"] matches "(?i)Audiocodes"Description
AudioCodes login panel was detected.
Audiobookshelf Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Audiobookshelf"})Aurelia-Path < 1.1.7 - Prototype Pollution
runzero-match
service["product"] contains "Blue Spire:Aurelia"Description
Aurelia-path before 1.1.7 contains a prototype pollution caused by parsing malicious URL parameters, letting attackers modify Object.prototype, exploit requires the application to parse user-controlled URLs.
Impact
Update to version 1.1.7 or later.
Remediation
Aurelia-path parseQueryString function was found vulnerable to prototype pollution via crafted __proto__ URL parameters.
Authelia Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login - Authelia"})Description
Authelia is an open-source authentication and authorisation service providing two-factor authentication and single sign-on (SSO) for applications via a web portal.
Authentik Panel - Detect
Author: rxeriumAdded: Sep 9, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-178113786"Description
An Authentik search engine was detected.
AutoSet Page - Detect
Author: MaStErChoAdded: Dec 31, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AutoSet"})Automation By Autonami < 3.3.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/wp-marketing-automations/"Description
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.
Impact
Unauthenticated attackers can exploit time-based SQL injection through the bwfan-track-id parameter to extract sensitive database information including user credentials, email addresses, WooCommerce customer data, and marketing automation information.
Remediation
Fixed in 3.3.0
Automatisch Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Automatisch"})Description
The open source Zapier alternative.
AvantFAX Login Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)avantfax - login"})Description
An AvantFAX login panel was discovered.
Avatier Password Management Panel
runzero-match
service["favicon.ico.image.mmh3"] == "983734701"Description
An Avatier password management panel was detected.
Avaya Phone Web Interface - Default Login
runzero-match
service["http.body"] matches `(?i)Avaya J1\d9 Phone`Description
Avaya phone web interface contains a default login vulnerability. An attacker can obtain access to sensitive information, modify data, and/or execute unauthorized operations.
Aviatrix Cloud Controller Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)aviatrix cloud controller"})Description
An Aviatrix Cloud Controller login panel was detected.
Avigilon Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - avigilon control center"})Description
Avigilon login panel was detected.
Avtech AVN801 Network Camera Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches `(?i):::\s+login\s+:::`})Description
An Avtech AVN801 Network Camera administration panel was detected.
Axel WebServer - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Axel"})Description
Axel WebServer panel was detected.
Axigen Web Admin Detection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Axigen\u00a0WebAdmin"})Description
An Axigen Web Admin panel was discovered.
Axigen WebMail PanelDetection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Axigen WebMail"})Description
An Axigen webmail panel was discovered.
Axway API Manager Panel - Detect
Author: johnk3r,righettodAdded: May 25, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Axway API Manager Login"})Description
Axway API Manager panel was detected.
Axway SecureTransport Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securetransport"}) || any(each(service["html.titles"]), {# matches "(?i)st web client"})Description
AXWAY SecureTransport login panel was detected.
Axway SecureTransport Web Client Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)st web client"}) || any(each(service["html.titles"]), {# matches "(?i)securetransport"})Description
AXWAY Secure Transport Web Client panel was detected.
Axxon Next Client Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)axxon next client"})Description
Axxon One is a limitlessly scalable video management software
Azkaban Web Client
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Azkaban Web Client"})Description
An Azkaban web client panel was discovered.
Azkaban Web Client Default Credential
runzero-match
any(each(service["html.titles"]), {# matches "Azkaban Web Client"})Description
Azkaban is a batch workflow job scheduler created at LinkedIn to run Hadoop jobs. Default web client credentials were discovered.
BEdita Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)bedita"})Description
BEdita login panel was detected.
BMC Control-M MFT Login Panel - Detect
Author: righettodAdded: Apr 17, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)File Exchange"})Description
BMC Control-M MFT products was detected.
BMC Discovery Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)BMC Software"})Description
BMC Discovery login panel was detected.
BMC FootPrints - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/footprints/servicedesk/"Description
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).
Impact
Unauthenticated attackers can bypass access controls to access and modify application data and system resources.
Remediation
Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
BMC Remedy SSO Login Panel - Detect
Author: righettodAdded: Apr 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)BMC Remedy Single Sign-On domain data entry"})Description
BMC Remedy Single Sign-On domain data entry login panel was detected.
Barco ClickShare - Default Login
Author: ritikchaddhaAdded: Apr 11, 2024
runzero-match
service["http.head.setCookie"] contains "ClickShareSession"Description
Barco ClickShare contains a default login vulnerability. Default login password 'admin' was found.
Barracuda Message Archiver - Panel Detect
Author: inokiiAdded: Sep 15, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1436966696" || any([service["http.body"], service["last.http.body"]], {# matches "/css/archiver.css"})Description
Barracuda Networks Barracuda Message Archiver (BMA) panel was detected.
Baserow Login - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches `^Login \/\/ Baserow`})Description
Baserow login interface was discovered.
Batflat CMS - Default Login
Author: r3Y3r53Added: Oct 17, 2023
runzero-match
service["http.body"] contains "Powered by Batflat"Description
Batflat CMS is vulnerable to default login vulnerability that most commonly affects devices having some pre-set (default) administrative credentials to access all configuration settings.
Bazarr < 1.4.3 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Bazarr"})Description
Bazarr 1.4.3 and earlier versions have a arbitrary file read vulnerability.
Impact
Unauthenticated attackers can read arbitrary files from the Bazarr server via path traversal.
Remediation
Update Bazarr to version 1.4.4 or later.
Beckhoff TwinCAT HMI Server - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)TwinCAT" && service["http.body"] matches "(?i)Beckhoff"Description
Beckhoff TwinCAT HMI (Human Machine Interface) Server is part of the TwinCAT
industrial automation platform used in manufacturing, robotics, and process
automation. It exposes a web-based HMI accessible via browser for monitoring
and controlling PLC-driven systems.
Beego Admin Dashboard Panel- Detect
runzero-match
service["http.body"] matches "(?i)beego admin dashboard"Description
Beego Admin Dashboard panel was detected.
Beszel Login Panel - Detect
Author: righettodAdded: Mar 1, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)beszel"})Description
Beszel products was detected.
Beszel Unfinished Installation
Author: 0x_AkokoAdded: Jan 20, 2026
runzero-match
service["http.body"] matches "(?i)globalThis\\.BESZEL"Description
Detected Beszel server monitoring hub had an unfinished installation with no admin account configured, allowing attackers to create an admin account and gain full control.
Better Search Replace < 1.4.5 - PHP Object Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/better-search-replace/"Description
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Impact
Attackers can execute arbitrary code, delete files, or retrieve sensitive data on the server.
Remediation
Update to the latest version of the plugin, version 1.4.5 or later.
BeyondTrust Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)BeyondInsight"Description
BeyondTrust login panel was detected.
BeyondTrust Privileged Remote Access - Panel
Author: righettodAdded: Apr 10, 2024
runzero-match
service["http.body"] matches "(?i)BeyondTrust Privileged Remote Access Login"Description
BeyondTrust Privileged Remote Access login panel was detected.
BeyondTrust Remote Support Panel - Detect
Author: darsesAdded: Jun 21, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-694003434"Description
Detect BeyondTrust Remote Support Panel.
BigAnt - Default Password
runzero-match
any(each(service["html.titles"]), {# matches "BigAnt"})Description
Misconfiguratoin leads to Default Login into BigAnt Super Admin Account.
BigAnt Admin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)BigAnt Admin"Description
BigAnt admin login panel was detected.
BigAnt Server 5.6.06 - Improper Access Control
runzero-match
service["http.body"] matches "(?i)bigant"Description
BigAnt Server 5.6.06 is susceptible to improper access control. The software utililizes weak password hashes. An attacker can craft a password hash and thereby possibly possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Unauthenticated attackers can access the ms_admin.php file containing weak password hashes for administrative accounts, potentially facilitating password cracking and unauthorized access.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the access control issue.
BigAnt Server v5.6.06 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)BigAnt"Description
BigAnt Server v5.6.06 is vulnerable to local file inclusion.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the server.
Remediation
Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in BigAnt Server v5.6.06.
BioTime Web Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)BioTime"})Description
BioTime Web login panel was detected.
Bitbucket Panel - Detect
Author: Shivam KambojAdded: Dec 27, 2025
runzero-match
service["product"] contains "Atlassian:Bitbucket"Description
Bitbucket panel was detected. Bitbucket is a Git-based source code repository hosting service owned by Atlassian, providing CI/CD and collaboration features.
Bitdefender GravityZone Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)bitdefender gravityzone"})Description
Bitdefender GravityZone panel was detected.
Bitrix Component - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/bitrix/"Description
Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.
Impact
Unauthenticated attackers can inject malicious JavaScript and potentially execute arbitrary PHP code if the victim has administrator privileges, compromising the entire Bitrix24 collaboration platform and accessing sensitive business data.
Remediation
Update Bitrix24 to a version newer than 22.0.300 that properly initializes variables and sanitizes input in the bitrix/modules/main/tools.php component.
Bitrix Login Panel
runzero-match
service["http.body"] matches "(?i)/bitrix/"Description
Bitrix24 is a unified work space that places a complete set of business tools into a single, intuitive interface.
Bitrix Path Disclosure
Author: DhiyaneshDkAdded: Dec 26, 2025
runzero-match
service["http.body"] matches "(?i)/bitrix/"Description
Detected Full Path Disclosure (FPD) in Bitrix by sending requests request to specific paths and identifying fatal error stack traces that leaked absolute filesystem paths.
Bitrix Site Manager - Log File Disclosure
runzero-match
service["http.body"] matches "(?i)bitrix"Description
Detected Bitrix Site Manager log files, potentially exposing sensitive information including database credentials, file paths, SQL queries, and user session data.
Bitrix24 <=20.0.0 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/bitrix/"Description
The Web Application Firewall in Bitrix24 up to and including 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade to a patched version of Bitrix24 (version >20.0.0) to mitigate this vulnerability.
Bitwarden Web Vault Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)bitwarden web vault"})Black Duck Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Black Duck"})Description
Black Duck login panel was detected.
Blinko - Login Panel Detection
Author: 0x_AkokoAdded: May 11, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Blinko"})Description
Detected A Blinko self-hosted personal note application login panel.
Blue Iris Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Blue Iris Login"})Description
Blue Iris login panel was detected.
Blue Yonder Panel - Detect
runzero-match
service["http.body"] matches "(?i)title=\\\\"Description
Blue Yonder login panel was discovered
Bluemind Panel - Detect
Author: TigibusAdded: Apr 30, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Welcome to BlueMind"})Description
Bluemind application panel was discovered.
Boa 0.94.13 - Information Disclosure
runzero-match
service["http.head.server"] matches "Boa/0.94.13"Description
Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. NOTE- multiple third parties report that this is a site-specific issue because those files are not part of Boa.
Impact
Unauthenticated attackers can access sensitive JavaScript files exposing logging functionality and potentially other configuration details.
Remediation
Update Boa web server to a version newer than 0.94.13 or apply vendor security patches.
Bonita - Default Login
Author: DhiyaneshDkAdded: Sep 17, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1197926023"Description
Bonita login was using default credentials which can led to gain super administrator access.
Bonita Portal Login - Detect
Author: DhiyaneshDKAdded: Sep 17, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1197926023"Description
Detects the presence of Bonita Portal login page.
Bonobo Git Server Login Panel - Detect
Author: bhutchAdded: Apr 23, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-219625874"Description
Bonobo Git Server login panel was detected.
BookStack Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)bookstack"})Description
Bookstack login panel was detected.
Bootstrap Multiselect <= 1.1.2 - Cross-Site Scripting
Author: r3naissanceAdded: May 6, 2025
runzero-match
service["http.body"] matches "(?i)bootstrap-multiselect"Description
A PHP script in the source code release echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
Remediation
Only use the necessary components (css/js) in production applications
Botpress Admin Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)@botpress/ui-admin"Description
Botpress admin panel was detected. Botpress is an open-source conversational AI platform for building chatbots and virtual assistants.
Brickcom Camera - Default Login
Author: 0x_AkokoAdded: Mar 18, 2026
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="Brickcom'})Description
Detected Brickcom IP cameras accessible using default credentials (admin/admin). Successful authentication exposed full camera configuration, live video streams, LED control, and network settings to remote attackers.
Brickcom Camera - Unauthenticated Snapshot Access
Author: 0xr2rAdded: Mar 17, 2026
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="Brickcom'})Description
Detected Brickcom IP cameras was exposed live camera snapshots without authentication via the ONVIF media endpoint.
Brother MFC-L9570CDW - Information Disclosure
runzero-match
service["http.body"] matches "(?i)MFC-L9570CDW"Description
An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mnt_info.csv can be accessed via a GET request and no authentication is required. The returned result is a comma separated value (CSV) table of information. The leaked information includes the device’s model, firmware version, IP address, and serial number.
Impact
Attackers can exploit this vulnerability to compromise system security.
Remediation
Apply security patches to address CVE-2024-51977.
Browser Configuration "browserconfig.xml" Exposure
Author: DhiyaneshDkAdded: Dec 10, 2025
runzero-match
service["http.body"] matches "(?i)browserconfig\\.xml"Description
Browser Configuration "browserconfig.xml" File was exposed.
Buddy Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-850502287"Description
Buddy panel was detected.
Budibase Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)budibase"})Description
Budibase login panel was detected.
Buffalo WSR-2533DHPL2 - Path Traversal
runzero-match
service["service.port"] == "9000" && any(each(service["html.titles"]), {# matches `(?i)^Redirecting...`})Description
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.
Impact
An attacker can exploit this vulnerability to read sensitive files, such as configuration files, credentials, or other sensitive information.
Remediation
Apply the latest firmware update provided by Buffalo to fix the path traversal vulnerability.
Buildbot Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)buildbot"})Description
Buildbot panel was detected.
Busybox Repository Browser - Detect
Author: ritikchaddhaAdded: May 28, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Busybox Repository Browser"})Description
Busybox Repository Browser was detected.
Bylancer Quicklancer 2.4 G - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1099370896"Description
A SQL injection vulnerability exists in the Quicklancer 2.4, GET parameter 'range2', that has time-based blind SQL injection and a boolean-based blind SQL injection, which can be exploited remotely by unauthenticated attacker to execute arbitrary SQL queries in the database.
Impact
Unauthenticated attackers can exploit time-based and boolean-based blind SQL injection to extract sensitive database information, modify data, and potentially compromise the entire Quicklancer application.
Remediation
Update Quicklancer to a version later than 2.4 G to address the SQL injection vulnerability in the range2 parameter.
Bynder Login Panel - Detect
Author: righettodAdded: Mar 14, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1017650009"Description
Bynder login panel was detected.
CAIMORE Gateway Default Login - Detect
Author: pussycat0xAdded: Aug 18, 2023
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# matches '(?i)realm="CaiMore Gateway'})Description
The gateway of Xiamen Caimao Communication Technology Co., Ltd. is designed with open software architecture. It is a metal shell design, with two Ethernet RJ45 interfaces, and an industrial design wireless gateway using 3G/4G/5G wide area network for Internet communication. There is a command execution vulnerability in the formping file of the gateway of Xiamen Caimao Communication Technology Co., Ltd. An attacker can use this vulnerability to arbitrarily execute code on the server side, write to the back door, obtain server permissions, and then control the entire web server.
CAREL Boss Mini - Login Panel Detected
Author: KazgangapAdded: Mar 5, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "1092427843"Description
CAREL Boss Mini login panel was detected. Boss Mini is a local supervisor solution by CAREL used for monitoring and managing HVAC/R systems in commercial facilities. Exposed panels may indicate misconfigured network segmentation.
CAREL Boss Mini <= 1.4.0 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1092427843"Description
Boss Mini 1.4.0 Build 6221 contains a file inclusion caused by manipulation of the 'path' argument in boss/servlet/document, letting remote attackers include arbitrary files, exploit requires remote access.
Impact
Remote attackers can include arbitrary files, potentially leading to remote code execution or full system compromise.
Remediation
Update to the latest version of Boss Mini or apply security patches provided by the vendor.
CAS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)'cas"})Description
CAS login panel was detected.
CData API Server < 23.4.8844 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CData - API Server"})Description
A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.
Impact
Unauthenticated attackers can exploit path traversal to gain complete administrative access to the CData API Server.
Remediation
Update CData API Server to version 23.4.8844 or later.
CData Arc < 23.4.8839 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CData Arc"})Description
A path traversal vulnerability exists in the Java version of CData Arc < 23.4.8839 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.
Impact
Unauthenticated attackers can access sensitive information and perform limited unauthorized actions via path traversal.
Remediation
Update CData Arc to version 23.4.8839 or later.
CData Connect < 23.4.8846 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CData Connect"})Description
A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.
Impact
Unauthenticated attackers can exploit path traversal to gain complete administrative access to CData Connect.
Remediation
Update CData Connect to version 23.4.8846 or later.
CData Sync < 23.4.8843 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CData Sync"})Description
A path traversal vulnerability exists in the Java version of CData Sync < 23.4.8843 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.
Impact
Unauthenticated attackers can access sensitive information and perform limited unauthorized actions via path traversal.
Remediation
Update CData Sync to version 23.4.8843 or later.
CERIO-DT Interface - Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DT-100G-N"})Description
CERIO DT series routers have an operation command injection vulnerability in specific versions. An attacker could exploit this vulnerability to execute commands.
CGIT - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)git repository browser"})Description
CGIT panel was detected.
CISCO Expressway Login Panel - Detect
Author: righettodAdded: Mar 16, 2024
runzero-match
service["http.body"] matches "(?i)Cisco Expressway"Description
CISCO Expressway login panel was detected.
CODESYS WebVisu - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)WEBVISU LOGIN"Description
CODESYS WebVisu is the web-based HMI (Human-Machine Interface) component of the
CODESYS industrial automation runtime. It provides browser-based access to PLC
visualizations and industrial control interfaces. Exposed instances may reveal
real-time process data and control functions without authentication.
CRM Perks Forms <= 1.1.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/crm-perks-forms/"Description
CRM Perks CRM Perks Forms (affected versions 1.1.4 and earlier) contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of CRM Perks Forms, version 1.1.5 or later.
CRMEB v.5.2.2 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CRMEB"})Description
SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
Impact
Attackers can execute SQL injection via the selectId parameter in getProductList to obtain sensitive database information.
Remediation
Update CRMEB to a version later than 5.2.2 that patches the SQL injection vulnerability.
CVAT Computer Vision Annotation Tool - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Computer Vision Annotation Tool"})Description
CVAT (Computer Vision Annotation Tool) was detected. CVAT is a widely used open-source annotation platform for labelling images, video, and 3D point clouds used to train AI/ML computer vision models.
Cachet <=2.3.18 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1606065523"Description
Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade Cachet to a version higher than 2.3.18 or apply the necessary patches provided by the vendor.
Cacti 1.2.24 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cacti"}) || service["favicon.ico.image.mmh3"] == "-1797138069" || any(each(service["html.titles"]), {# matches "(?i)login to cacti"})Description
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Cacti Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1797138069" || any(each(service["html.titles"]), {# matches "(?i)login to cacti"}) || any(each(service["html.titles"]), {# matches "(?i)cacti"})Description
Cacti login panel was detected.
Calibre <= 7.14.0 Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)Calibre"Description
Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.
Impact
Attackers can exploit the content server's export functionality to read arbitrary files from the system through path traversal.
Remediation
Update Calibre to version 7.15.0 or later to address the arbitrary file read vulnerability.
Calibre <= 7.14.0 Remote Code Execution
runzero-match
service["http.body"] matches "(?i)Calibre"Description
Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
Impact
Unauthenticated attackers can execute arbitrary Python code through the content server's template functionality, achieving complete system compromise.
Remediation
Update Calibre to version 7.15.0 or later to address the remote code execution vulnerability.
Camaleon CMS - Default Login
Author: DhiyaneshDKAdded: Sep 26, 2024
runzero-match
service["http.body"] matches "(?i)camaleon_cms"Description
Camaleon CMS default login credentials was discovered.
Camaleon CMS Login - Panel
Author: DhiyaneshDKAdded: Sep 26, 2024
runzero-match
service["http.body"] matches "(?i)camaleon_cms"Description
Camaleon CMS admin login panel was discovered.
Camunda - Default Login
runzero-match
service["http.body"] matches "Camunda Welcome"Description
Camunda login panel contains a default login vulnerability.
Canon Devices - Authentication Bypass in Catwalk Server
runzero-match
any(each(service["html.titles"]), {# matches "(?i)imageRUNNER"})Description
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
Impact
Unauthenticated attackers can modify email settings and redirect FAX and scan data to attacker-controlled email addresses when PIN protection is disabled, potentially intercepting sensitive business communications.
Remediation
Configure a PIN for General User Mode or apply Canon firmware updates that address this vulnerability.
Canon R-ADV C3325 - Default-Login
Author: ritikchaddhaAdded: Sep 20, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)c3325"})Canon iR-ADV Panel - Detect
Author: ritikchaddha,matejsmyckaAdded: Sep 9, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Canon iR-ADV"})Canopy 5.7GHz Access Point - Default Login
Author: defektiveAdded: May 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Welcome to Canopy"})Description
Cambium Networks / Motorola Canopy 5750AP ADVANTAGE Access Point 5.7GHz login credentials were discovered.
Caprover - Default Login
Author: ritikchaddhaAdded: Jun 28, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "988422585"Description
Caprover defaultl login has been detected.
Car Rental Management System 1.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)car rental management system"Description
Car Rental Management System 1.0 allows an unauthenticated user to perform a file inclusion attack against the /index.php file with a partial filename in the "page" parameter, leading to code execution.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in the Car Rental Management System 1.0.
Car Rental Management System 1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)car rental management system"Description
Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/ajax.php?action=login. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential manipulation of the database.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Carel pCOWeb <B1.2.4 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)pCOWeb"Description
Carel pCOWeb prior to B1.2.4 is vulnerable to stored cross-site scripting, as demonstrated by the config/pw_snmp.html "System contact" field.
Impact
Allows attackers to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.
Remediation
Apply the latest patch or upgrade to a version that addresses the vulnerability.
CasaOS < 0.4.4 - Authentication Bypass via Internal IP
runzero-match
service["http.body"] matches "(?i)/casaos-ui/public/index\\.html"Description
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
Impact
Successful exploitation allows unauthorized access to the CasaOS system.
Remediation
The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.
CasaOS < 0.4.4 - Authentication Bypass via Random JWT Token
runzero-match
service["http.body"] matches "(?i)/casaos-ui/public/index\\.html"Description
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
Impact
Successful exploitation allows unauthorized access to the CasaOS system.
Remediation
The problem was addressed by improving the validation of JWTs in 705bf1f. This patch is part of CasaOS 0.4.4.
CasaOS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)CasaOS"Description
CasaOS login panel was detected.
Cascade CMS Panel - Detect
Author: righettodAdded: Nov 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cascade CMS"})Description
Cascade CMS was detected — a web content management system for managing stand-out websites.
Casdoor - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Casdoor"})Description
Detected Casdoor platform was found to have been using the default administrator credentials (admin:123). An attacker could have gained full administrative access to manage organizations, users, applications, and OAuth providers.
Casdoor 1.13.0 - Unauthenticated SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)casdoor"})Description
Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Upgrade to a patched version of Casdoor or apply the necessary security patches to mitigate the SQL injection vulnerability.
Casdoor Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)casdoor"})Description
Casdoor login panel was detected.
CaseManager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CaseManager"})Description
CaseManager login panel was detected.
Cassia Bluetooth Gateway Panel - Detect
Author: DhiyaneshDkAdded: Apr 23, 2024
runzero-match
service["http.body"] matches "(?i)Cassia Bluetooth Gateway Management Platform"Description
Cassia Bluetooth Gateway Management Platform login page was discovered.
Caton Network Manager System Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Caton Network Manager System"})Description
Caton Network Manager System login panel was detected.
Cellinx NVT Web Server - Local File Disclosure
runzero-match
service["http.body"] matches "(?i)/viewer/viewer\\.html"Description
Cellinx NVT v1.0.6.002b was discovered to contain a local file disclosure vulnerability via the component /cgi-bin/GetFileContent.cgi.
Impact
Unauthenticated attackers can read arbitrary files from the server through the PATH parameter in GetFileContent.cgi, potentially exposing system credentials, configuration files, and sensitive video surveillance data.
Remediation
Update Cellinx NVT to a version newer than 1.0.6.002b that validates file paths in GetFileContent.cgi and restricts file access to authorized directories only.
Celonis Login - Panel
Author: r3dg33kAdded: Nov 16, 2025
runzero-match
service["http.body"] matches "(?i)Amazing insights\\. Better results\\." || any(each(service["html.titles"]), {# matches "(?i)Celonis"})Description
Detects Celonis Process Intelligence login panels.
CentOS Web Panel - OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login \\| Control WebPanel"})Description
The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
Impact
Unauthenticated attackers can execute arbitrary OS commands with root privileges via command injection in the idsession parameter, leading to complete server compromise.
Remediation
Apply security updates provided by CentOS Web Panel.
CentOS Web Panel - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login \\| Control WebPanel"})Description
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
Impact
Unauthenticated attackers can exploit SQL injection via the idsession parameter to extract database contents or execute arbitrary commands with root privileges.
Remediation
Apply security updates provided by CentOS Web Panel.
CentreStack Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CentreStack"})Description
Gladinet CentreStack login panel was detected.
Centreon Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)centreon"})Description
Centreon login panel was detected.
Chainlit Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)content\s*=\s*"https://github.com/Chainlit/chainlit"`Description
Chainlit panel was detected. Chainlit is an open-source framework for building production-ready conversational AI applications.
ChanCMS <= 3.3.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ChanCMS"Description
yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the \"key\" argument in app/modules/api/service/Api.js Search function, letting remote attackers execute arbitrary SQL commands, exploit requires crafted request.
Impact
Remote attackers can execute arbitrary SQL commands, potentially leading to data theft or database compromise.
Remediation
Update to the latest version.
Change Detection - Server Side Template Injection
runzero-match
service["http.body"] matches "(?i)Change Detection"Description
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
Impact
Unauthenticated attackers can execute arbitrary code on the server through Server Side Template Injection.
Remediation
Update changedetection.io to version 0.45.21 or later.
Changedetection.io <= 0.47.4 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)change detection"})Description
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source-file-///etc/passwd` can be used to retrieve local system files, where the more traditional `file-///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
Impact
Attackers can exploit this vulnerability to compromise system security.
Remediation
Apply security patches to address CVE-2024-51483.
Changedetection.io Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Change Detection"})Description
Change Detection is an open-source service which allows you to detect changes on websites
Changedetection.io RSS Single Watch - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Change Detection"})Description
changedetection.io < 0.54.1 contains a stored XSS caused by unescaped reflection of UUID path parameter in RSS single-watch endpoint, letting remote attackers execute JavaScript in victim's browser, exploit requires victim to visit crafted URL.
Impact
Attackers can execute arbitrary JavaScript in users' browsers, leading to session hijacking or other client-side attacks
Remediation
Update to version 0.54.1 or later.
Changjietong Remote Communication GNRemote.dll - SQL Injection
runzero-match
service["http.body"] matches "(?i)远程通CHANJET_Remote"Description
Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
Check Point Quantum Gateway - Information Disclosure
runzero-match
service["http.body"] matches "(?i)check point ssl network"Description
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
Impact
Unauthenticated attackers can read arbitrary files on Check Point Security Gateways, potentially exposing sensitive configuration files and credentials.
Remediation
Apply Check Point security fixes for CVE-2024-24919 as specified in SK182337.
CheckPoint SSL Network Extender Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)check point ssl network extender"}) || any(each(service["html.titles"]), {# matches "(?i)ssl network extender login"})Description
CheckPoint SSL Network Extender login panel was detected.
Checkmarx Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)CxSASTManagerUri"Description
Checkmarx login panel was detected.
Checkmate Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "^Checkmate$" })Description
Checkmate administrative login page was found.
Checkmk - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Check_MK"})Description
Checkmk monitoring instance is accessible with default credentials (cmkadmin/cmkadmin). This provides full administrative access to the monitoring platform, including the ability to view all monitored hosts, execute commands on agents, and access stored credentials.
Impact
An attacker with admin access to Checkmk can view the entire monitored infrastructure, access stored SNMP community strings and SSH credentials, execute commands on monitored hosts via the agent, and gain visibility into the organization's network topology.
Remediation
Change the default cmkadmin password immediately after installation using 'cmk-passwd cmkadmin' or through the web interface.
Checkmk Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Check_MK"})Description
Checkmk login panel was detected.
Chef Automate < 4.13.295 — SQL Injection
runzero-match
service["http.body"] matches "(?i)Chef Automate"Description
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
Impact
Authenticated attackers with knowledge of a well-known token can execute arbitrary SQL queries through the compliance service, potentially gaining access to restricted functionality and sensitive data.
Remediation
Upgrade to version 4.13.295 or later.
Chemotargets Clarity Vista Login Panel - Detect
Author: righettodAdded: Apr 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ClarityVista"})Description
Chemotargets Clarity Vista login panel was detected.
ChirpStack - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "ChirpStack LoRaWAN"})Description
Fresh ChirpStack installations use the default credentials (admin/admin), allowing attackers to easily access the admin console.
ChirpStack LoRaWAN Detection
Author: ProjectDiscoveryAIAdded: Mar 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ChirpStack LoRaWAN"})Description
Detects the presence of ChirpStack LoRaWAN Network-Server by identifying unique page characteristics in the HTML response.
Chronos Panel - Detect
Author: righettodAdded: Oct 24, 2023
runzero-match
service["http.body"] matches "(?i)chronoslogin\\.js"Description
Chronos Login Panel was detected.
ChurchCRM - API Authentication Bypass via URL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)churchcrm"})Description
ChurchCRM < 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints, exploit requires crafted request URL with 'api/public
Impact
Unauthenticated attackers can access all protected API endpoints, exposing sensitive church member data and system information.
Remediation
Update to version 7.1.0 or later.
ChurchCRM - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ChurchCRM"})Description
A reflected cross-site scripting (XSS) vulnerability was discovered in ChurchCRM via the 'username' parameter in /session/begin.
ChurchCRM - Default Login
Author: KazgangapAdded: Nov 4, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)churchcrm"})Description
ChurchCRM contains a default login vulnerability.
ChurchCRM Panel - Detect
Author: KazgangapAdded: Nov 3, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)churchcrm"})Description
ChurchCRM panel was discovered.
Ciphertrust - Default Login
Author: SleepingBag945Added: Sep 8, 2023
runzero-match
any(each(service["html.titles"]), {# contains "(?i)CipherTrust Manager"})Description
Attackers can control the entire platform through the default password (initpass) vulnerability, and use administrator privileges to operate core functions.
Circutor Line-TCPRS1 - Default Login
Author: s4e-ioAdded: Mar 2, 2026
runzero-match
service["http.body"] matches "(?i)Line-TCPRS1"Description
A default login was discovered on a Circutor Line-TCPRS1 device. An attacker can obtain access to user accounts, access sensitive information, modify data, and execute unauthorized operations.
Cisco ACE 4710 Device Manager Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ACE 4710 Device Manager"Description
Cisco ACE 4710 Device Manager login panel was detected.
Cisco ASA - Local File Inclusion
runzero-match
asset["hw_product"] matches `(?i)adaptive\s+security\s+appliance`Description
Cisco Adaptive Security Appliances (ASA) web interfaces could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.
Impact
An attacker can read sensitive files on the Cisco ASA firewall, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the necessary security patches or updates provided by Cisco to fix the local file inclusion vulnerability.
Cisco Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD) - Local File Inclusion
runzero-match
asset["hw_product"] matches `(?i)adaptive\s+security\s+appliance`Description
Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software is vulnerable to local file inclusion due to directory traversal attacks that can read sensitive files on a targeted system because of a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
Impact
An attacker can exploit this vulnerability to read sensitive files on the affected system.
Remediation
Apply the necessary security patches or updates provided by Cisco to fix the vulnerability.
Cisco Edge 340 Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cisco edge 340"})Description
Cisco Edge 340 panel was detected.
Cisco Email Security Appliance - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco\\s+(?:Cloud\\s+)?Gateway"})Description
Detected Cisco Email Security Appliance login panel.
Cisco IOS XE - Impant Detection
Author: DhiyaneshDK,rxeriumAdded: Oct 26, 2023
runzero-match
service["http.body.mmh3"] == "1076109428"Description
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
Remediation
Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: 'no ip http server' or 'no ip http secure-server'.
Cisco IOS XE Web UI - Command Injection
runzero-match
service["http.body.mmh3"] == "1076109428"Description
A vulnerability in the web UI component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system. This vulnerability is due to improper input validation in the web UI. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.
Impact
Unauthenticated attackers can execute arbitrary commands with root privileges through crafted HTTP requests to the web UI component, potentially compromising the entire Cisco IOS XE router and all managed network traffic.
Remediation
Apply Cisco security patches from advisory cisco-sa-iosxe-webui-privesc-j22SaA4z that validate input in the web UI and prevent command injection in the SOAP API.
Cisco ISE Admin Login Panel - Detect
Author: bhutchAdded: Jun 11, 2025
runzero-match
service["http.body"] matches "(?i)Identity Services Engine"Description
Cisco Identity Services Engine (ISE) admin login panel was discovered.
Cisco Identity Services Engine Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)identity services engine"})Description
Cisco Identity Services Engine admin login panel was detected.
Cisco Prime Infrastructure Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)prime infrastructure"})Description
A Cisco Prime Infrastructure login panel was discovered.
Cisco Secure CN Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco Secure CN"})Description
Cisco Secure CN login panel was detected.
Cisco Secure Firewall ASA & FTD - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/\\+CSCOE\\+/logon\\.html"Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests.
Impact
An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.
Remediation
Update to the latest available version of Cisco Secure Firewall ASA and FTD Software.
Cisco Secure Firewall Management Center - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)BackdraftSyncIntegration"Description
Cisco Secure Firewall Management Center Software contains an authentication bypass caused by improper system process creation at boot, letting unauthenticated remote attackers execute scripts and gain root access, exploit requires crafted HTTP requests.
Impact
Unauthenticated remote attackers can gain root access by executing scripts, leading to full system compromise.
Remediation
Update to the latest available version.
Cisco ServiceGrid Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco ServiceGrid"})Description
Cisco ServiceGrid login panel was detected.
Cisco Smart Software Manager On-Prem Panel - Detect
Author: irshad ahamedAdded: Jul 28, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)on-prem license workspace"})Description
Cisco Smart Software Manager On-Prem is an on-premises software license management solution offered by Cisco. It enables organizations to manage and optimize their Cisco software licenses, entitlements, and usage in their local data centers, providing greater control and visibility over software assets.
Cisco Systems Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco Systems Login"})Description
Cisco Systems login panel was detected.
Cisco TelePresence Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco Telepresence"})Description
Cisco TelePresence login panel was detected.
Cisco UCS Manager KVM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cisco ucs kvm direct"})Description
Cisco UCS Manager KVM login panel was detected.
Cisco Unified Communications Manager - Cluster Enumeration
Author: Morgan RobertsonAdded: Jan 28, 2026
runzero-match
service["product"] contains "Cisco:Unified Communications Manager"Description
Enumerated Cisco UCM cluster nodes (servers) using the unauthenticated UDS API (XML), allowing identification of backend servers without authentication.
Cisco Unified Communications Self-Service User Portal - Detection
Author: Morgan RobertsonAdded: Jan 25, 2026
runzero-match
service["product"] contains "Cisco:Unified Communications Manager"Description
Detected the presence of the Cisco Unified Communications User Management Panel.
Cisco Unity Connection Panel - Detect
Author: HeeresSAdded: Feb 29, 2024
runzero-match
service["http.body"] matches "(?i)Cisco Unity Connection"Description
A Cisco Unity Connection instance was detected.
Cisco Web UI Login - Detect
Author: drewvravickAdded: Mar 26, 2025
runzero-match
service["http.body"] matches "(?i)webui-centerpanel"Description
Detects the presence of Cisco Web UI login panels
Cisco Webex Meetings - Panel
Author: EyonnAdded: Jan 22, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco Webex Meetings"})Description
Detects Cisco Webex Meetings panel by requesting the modern Webex dashboard and matching unique Webex HTML markers.
Cisco vManage Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cisco vManage"})Description
Cisco vManage login panel was detected.
Citrix ADC Gateway Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix gateway"})Description
Citrix ADC Gateway login panel was detected.
Citrix Bleed - Leaking Session Tokens
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix gateway\" \\|\\| title:\"netscaler gateway"})Description
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.
Impact
Unauthenticated attackers can leak session tokens from memory, potentially hijacking authenticated sessions and accessing sensitive Gateway resources.
Remediation
Apply Citrix security updates immediately. Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-8.50, 13.1 before 13.1-49.15, 13.0 before 13.0-92.19, and 12.1 (EOL).
Citrix Gateway and Citrix ADC - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix gateway"})Description
Citrix ADC and Citrix Gateway versions before 13.1 and 13.1-45.61, 13.0 and 13.0-90.11, 12.1 and 12.1-65.35 contain a cross-site scripting vulnerability due to improper input validation.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the necessary patches or updates provided by Citrix to mitigate this vulnerability.
Citrix NetScaler Memory Disclosure - CitrixBleed 2
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetScaler Gateway"}) || any(each(service["html.titles"]), {# matches "(?i)NetScaler AAA"}) || service["favicon.ico.image.mmh3"] == "-1166125415" || service["favicon.ico.image.mmh3"] == "-1292923998"Description
Insufficient input validation leading to memory overread on the NetScaler Management Interface NetScaler ADC and NetScaler Gateway
Impact
Unauthenticated attackers can trigger memory overread conditions to leak sensitive information from NetScaler memory, potentially exposing session tokens and credentials similar to CitrixBleed.
Remediation
Apply the security patches as described in Citrix support article CTX693420 and restrict access to the NetScaler Management Interface.
Citrix Netscaler ADC & Gateway - Out-Of-Bounds Memory Read
runzero-match
service["favicon.ico.image.mmh3"] == "-1292923998,-1166125415"Description
The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a very commonly connected Web interface, and without requiring authentication. This bug is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker.
Impact
The vulnerability allows an attacker to recover potentially sensitive data from memory. Although in most cases nothing of value is returned, we have observed instances where POST request bodies are leaked.
Remediation
Update to version 13.1-51.15 or later
Citrix SD-WAN and NetScaler SD-WAN - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix sd-wan"})Description
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 contain an SQL injection vulnerability. An unauthenticated attacker can exploit improper validation of input in specific components, which could allow for execution of arbitrary SQL queries against the backend database. This could result in information disclosure, manipulation of data, or complete compromise of affected systems.
Impact
Successful exploitation may allow a remote unauthenticated attacker to execute SQL commands on the system, potentially resulting in unauthorized access, data leakage, modification of critical data, or full compromise of the SD-WAN appliance.
Remediation
Apply the vendor patch: upgrade Citrix SD-WAN to version 10.2.3 or later, and NetScaler SD-WAN to version 10.0.8 or later as detailed in the official Citrix advisory.
Citrix StoreFront - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/citrix/storeweb"Description
Reflected Cross-Site Scripting issue which is exploitable without authentication. This vulnerability was exploitable through coercing an error message during an XML parsing procedure in the SSO flow.
Impact
Unauthenticated attackers can inject malicious JavaScript via reflected XSS during XML parsing in the SSO flow, potentially stealing user credentials or session tokens.
Remediation
Apply Citrix security updates immediately. Update to StoreFront versions 2402, 2203 CU1, 2203 LTSR CU5, 1912 LTSR CU8, or later.
Citrix VPN Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)citrix gateway"})Description
Citrix VPN panel was detected.
Claris FileMaker Server Admin Console - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Claris FileMaker"})Description
Claris FileMaker Server Admin Console panel was detected.
Claris FileMaker WebDirect Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Claris FileMaker WebDirect"})Description
Claris FileMaker WebDirect panel was detected.
CleanWeb Login Panel - Detect
Author: righettodAdded: Mar 9, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CleanWeb"})Description
CleanWeb login panel was detected.
Clear-Com Core Configuration Manager Panel - Detect
runzero-match
service["http.body"] matches "(?i)CCM - Authentication Failure"Description
Clear-Com Core Configuration Manager panel was detected.
ClearML Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ClearML"})Description
ClearML was detected. ClearML is an open-source MLOps platform for experiment tracking, model management, and pipeline orchestration. Exposed instances may allow access to ML experiments, models, and infrastructure configurations.
ClearPass Policy Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)clearpass policy manager"})Description
ClearPass Policy Manager login panel was detected.
Cleo Harmony < 5.8.0.21 - Arbitary File Read
runzero-match
service["http.head.server"] matches "Cleo"Description
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
Impact
Attackers can exploit vulnerabilities to compromise the system.
Remediation
Update to the latest patched version addressing CVE-2024-50623.
Cloud OA System - SQL Injection
runzero-match
service["http.body"] matches "(?i)全程云办公"Description
cloud OA system /OA/PM/svc.asmx page parameters are not properly filtered, resulting in a SQL injection vulnerability, which can be used to obtain sensitive information in the database.
CloudPanel Login - Detect
Author: DhiyaneshDkAdded: Jun 29, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "151132309" || any(each(service["html.titles"]), {# matches "(?i)cloudpanel"})Cloudera Hue Default Admin Login
runzero-match
any(each(service["html.titles"]), {# matches "Hue - Welcome to Hue"})Description
Cloudera Hue default admin credentials were discovered.
Cloudflare Access - Login Panel Detection
Author: rxeriumAdded: Feb 5, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cloudflare Access"})Description
Detected exposed Cloudflare Access login pages.
Remediation
- Ensure Cloudflare Access policies are properly configured to restrict access to authorized users only
- Review and enforce appropriate authentication rules and multi-factor authentication requirements
- Limit exposure of Access login pages to necessary endpoints only
Cloudlog Panel - Detect
Author: s4e-ioAdded: Jan 3, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login - Cloudlog"})Description
Cloudlog panel was discovered.
Cloudphysician RADAR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cloudphysician RADAR"})Description
Cloudphysician RADAR login panel was detected.
Cluster Control CMON API - Directory Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "160707013"Description
Directory Traversal vulnerability in Severalnines Cluster Control 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780 allows a remote attacker to include and display file content in an HTTP request via the CMON API.
Impact
Unauthenticated attackers can exploit directory traversal to read arbitrary files from the Cluster Control server.
Remediation
Update Severalnines Cluster Control to version 1.9.8-9778, 2.0.0-9779, or 2.1.0-9780 or later.
Cnzxsoft System - Default Login
Author: SleepingBag945Added: Sep 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)中新金盾信息安全管理系统"})Description
Cnzxsoft Golden Shield Information Security Management System has a default weak password.
Cobbler 'XML-RPC' - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cobbler Web Interface"})Description
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.
Impact
Anyone with network access can connect to Cobbler XML-RPC with default credentials and make arbitrary changes, gaining full control.
Remediation
Update Cobbler to version 3.2.3 or 3.3.7 or later.
Cobbler - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cobbler web interface"})Description
Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
Impact
Unauthenticated attackers can bypass authentication to gain unauthorized access, leading to privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.
Cobbler <3.3.0 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cobbler web interface"})Description
Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially resulting in complete compromise of the affected system.
Remediation
Upgrade Cobbler to version 3.3.0 or later, which includes a fix for this vulnerability.
Cobbler WebGUI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cobbler web interface"})Description
Cobbler WebGUI login panel was detected.
Cockpit CMS 0.6.1 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)cockpit"Description
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.
Impact
Unauthenticated attackers can inject custom PHP code to achieve remote command execution, leading to complete Cockpit CMS compromise.
Remediation
Upgrade to Cockpit CMS version 0.6.1 or later.
Cockpit Project Login Panel - Detect
Author: righettodAdded: Apr 15, 2025
runzero-match
service["http.body"] matches "(?i)cockpit/static/login\\.css"Description
Cockpit Project products was detected.
Code-Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)code-server login"})Description
Code-Server login panel was detected.
CodeChecker <= 6.24.1 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1496590341"Description
Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others.
Impact
Unauthenticated attackers can bypass authentication by crafting API URLs ending with specific keywords, gaining superuser access to all API endpoints including product management and configuration.
Remediation
Upgrade CodeChecker to version 6.24.2 or later.
Cofense Vision Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "739801466"Description
Cofense Vision login panel was detected.
Cogent DataHub (OPC DataHub) - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^DataHub Web Server"}) || service["http.body"] matches "(?i)You have successfully configured the DataHub to run as a web server"Description
Cogent DataHub (OPC DataHub) is an industrial middleware platform for OPC connectivity,
data bridging, and SCADA integration. The embedded web server is commonly exposed on
port 80 or 443.
Cognita Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Sign in to Cognita"})Description
Cognita is an open-source RAG framework by Truefoundry for building modular and
production-ready RAG pipelines.
ColdFusion Administrator Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)coldfusion administrator login"})Description
ColdFusion Administrator login panel was detected.
Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/cmp-coming-soon-maintenance/"Description
The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them.
Impact
Unauthenticated attackers can bypass maintenance mode restrictions to access published posts and pages that should be protected during maintenance.
Remediation
Fixed in version 4.1.7
Commvault Unauthenticated Password Disclosure (WT-2025-0047)
Author: DhiyaneshDK,iamnoooob,pdresearch,watchtowrAdded: Aug 20, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-542502280"Description
An issue was discovered in Commvault before 11.36.60. A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk.
Impact
Unauthenticated attackers can exploit the public sharing login mechanism to access API endpoints and retrieve sensitive user information including passwords.
Remediation
Upgrade Commvault to version 11.36.60 or later that properly restricts API access and removes the vulnerable login mechanism.
Commvault Web Console Panel - Detect
Author: rxeriumAdded: Oct 8, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-542502280"Description
Commvault web console login panel was detected.
Compalex Panel - Detect
Author: MaStErChoAdded: Jan 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)COMPALEX"})CompleteView Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CompleteView Web Client"})Description
CompleteView panel was detected.
Concourse CI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Concourse"})Description
Concourse CI login panel was detected.
Concrete5 Install Panel
Author: osamahamad,princechaddhaAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)install concrete5"}) || any(each(service["html.titles"]), {# matches "(?i)concrete5"})Description
A Concrete5 installation panel was discovered.
Concrete5 Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)concrete5"}) || any(each(service["html.titles"]), {# matches "(?i)install concrete5"})Description
Concrete5 login panel was detected.
ConnectWise Control Remote Support Software Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-82958153"ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-82958153"Description
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Impact
Unauthenticated attackers can bypass authentication to access confidential information or critical systems, potentially leading to complete system compromise.
Remediation
Update ConnectWise ScreenConnect to version 23.9.8 or later.
Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/fluentform/"Description
The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.
Impact
Unauthenticated attackers can grant Fluent Form management permissions to any user account, providing access to all plugin settings and sensitive data.
Remediation
Update Contact Form Plugin by Fluent Forms to version 5.1.17 or later.
Contao Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)contao open source cms" || any(each(service["html.titles"]), {# matches "(?i)contao"})Description
Contao login panel was detected.
Content Central Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Content Central Login"})Description
Content Central login panel was detected.
Contest Gallery < 13.1.0.6 - SQL injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/contest-gallery/"Description
The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address.
Impact
Unauthenticated attackers can exploit SQL injection to extract database contents and enumerate all registered users including their email addresses, potentially facilitating targeted phishing attacks.
Remediation
Fixed in version 13.1.0.6
Control Web Panel (CWP) - File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-356182173"Description
In CWP (Control Web Panel, previously CentOS Web Panel) before version 0.9.8.1107, an unauthenticated attacker can abuse null byte (%00) injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be exploited by using multiple %00 sequences to traverse directories via crafted requests such as /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi, or similar payloads with more %00 instances (e.g., .%00%00%00./.%00%00%00./api/account_new_create). Attackers may use this flaw for arbitrary file access, privilege escalation, or remote code execution.
Impact
A remote, unauthenticated attacker can leverage this vulnerability to register arbitrary API keys, access sensitive files (such as /etc/passwd), and potentially achieve remote code execution. Successful exploitation results in full compromise of the web panel and host system, allowing for exposure of confidential data, server takeover, and further attacks on internal infrastructure.
Remediation
Update to version 0.9.8.1107 or later to fix input validation issues.
Control Web Panel Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CWP \\|用户"})Description
Control Web Panel login panel was detected.
Copa-Data zenon - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)zenon Web Server"Description
Copa-Data zenon is an industrial automation platform used in manufacturing,
energy, and infrastructure. The zenon Web Server and Smart Server expose a
browser-based HMI interface for remote monitoring and control of SCADA processes.
CopyParty v1.8.6 - Cross Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)copyparty"})Description
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.
Impact
Unauthenticated attackers can inject malicious JavaScript through the k304 parameter to steal user session cookies when users click malicious links to CopyParty.
Remediation
Fixed in v1.8.6
Copyparty <= 1.8.2 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)copyparty"})Description
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit `043e3c7d` which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Unauthenticated attackers can exploit path traversal in the .cpr subfolder to read arbitrary files from the file server, potentially accessing sensitive system files and user data stored outside the web document root.
Remediation
Update Copyparty to version 1.8.2 or later that properly validates file paths in the .cpr subfolder and prevents directory traversal attacks.
Copyparty <=1.18.6 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)copyparty"})Description
Copyparty before 1.18.7 is vulnerable to reflected cross-site scripting (XSS) via the 'filter' parameter in the '/?ru' endpoint. Unsanitized user input is reflected in the HTML response, allowing attackers to execute arbitrary JavaScript in the context of the victim's browser.
Impact
Attackers can execute arbitrary JavaScript in victim browsers through malicious URLs containing XSS payloads in the filter parameter, potentially leading to session hijacking.
Remediation
Upgrade Copyparty to version 1.18.7 or later to mitigate this vulnerability.
Cortex XSOAR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cortex xsoar"})Description
Cortex XSOAR login panel was detected.
CouchDB - Default Login
runzero-match
service["http.head.server"] matches `^CouchDB/`Description
CouchDB weak admin credentials were discovered.
CouchDB Erlang Distribution - Remote Command Execution
runzero-match
service["service.transport"] == "tcp" and service["protocol"] contains "couchdb"Description
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
Remediation
Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
Couchbase Server - Broken Access Control
runzero-match
service["http.body"] matches "(?i)Couchbase"Description
Couchbase Server versions 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0-4.6.5, 5.0.0, 5.1.1, 5.5.0, and 5.5.1 contain insecure permissions for the projector and indexer REST endpoints caused by unauthenticated access, letting attackers access administrative APIs without authentication, exploit requires no special conditions.
Impact
Attackers can access and modify administrative settings, potentially leading to data tampering or system compromise.
Remediation
Update to the latest version where the /settings REST endpoint requires authentication.
Couchbase Server Console - Detect
runzero-match
any(each(service["html.titles"]), {# matches "^Couchbase Console"})Description
Couchbase Server administrative console was discovered.
Cox Business Dominion Gateway Login Panel - Detect
Author: DhiyaneshDKAdded: Jun 3, 2024
runzero-match
service["http.body"] matches "(?i)Cox Business"Description
Cox Business Dominion Gateway Login page was discovered.
Craft CMS - Remote Code Execution via Template Path Manipulation
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
Impact
Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
Remediation
Upgrade CraftCMS to either >5.5.2 or >4.13.2 or >3.9.14. Or If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
Craft CMS < 3.3.0 - Server-Side Template Injection
runzero-match
service["product"] contains "CraftCMS:Craft CMS" || service["product"] contains "nystudio107:SEOmatic"Description
Craft CMS before 3.3.0 is susceptible to server-side template injection via the SEOmatic component that could lead to remote code execution via malformed data submitted to the metacontainers controller.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the server.
Remediation
Upgrade Craft CMS to version 3.3.0 or higher to mitigate this vulnerability.
Craft CMS <=v3.7.31 - SQL Injection
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
Impact
Unauthenticated attackers can execute arbitrary SQL queries via the GraphQL API endpoint, potentially compromising the database.
Remediation
Update Craft CMS to a version later than v3.7.31.
Craft CMS Admin Login Panel - Detect
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Craft CMS admin login panel was detected.
Craft CMS Installation Wizard Exposure
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Detected Craft CMS installation wizard was exposed, allowing attackers to complete the installation process and gain administrative access to the CMS.
CraftCMS - Remote Code Execution
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.
Impact
Unauthenticated attackers can exploit remote code execution vulnerabilities through unsafe deserialization in the asset transform functionality, achieving complete server compromise.
Remediation
This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
CraftCMS < 4.4.15 - Unauthenticated Remote Code Execution
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
CraftCMS Debug Methods Exposed
Author: 0x_AkokoAdded: Jan 27, 2026
runzero-match
service["product"] contains "CraftCMS:Craft CMS"Description
Detected CraftCMS with devMode enabled, which exposed the Yii2 debug toolbar and sensitive information. This misconfiguration could have leaked database queries, session data, cookies, stack traces, CSRF tokens, and internal application details to unauthenticated users.
CraftCMS SEOmatic - Server-Side Template Injection
runzero-match
service["product"] contains "CraftCMS:Craft CMS" || service["product"] contains "nystudio107:SEOmatic"Description
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.
Impact
Unauthenticated attackers can exploit SSTI via X-Forwarded-Host header to execute arbitrary Twig templates and system commands, achieving complete server compromise.
Remediation
Upgrade to CraftCMS SEOmatic version 3.4.12 or later.
CrafterCMS Engine - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)craftercms"Description
CrafterCMS Engine is vulnerable to reflected cross-site scripting (XSS) via the transformerName parameter in the /api/1/site/url/transform endpoint, allowing attackers to execute arbitrary JavaScript in the context of the user.
Impact
Unauthenticated attackers can inject malicious JavaScript through the transformerName parameter in various API endpoints to steal CrafterCMS user credentials and session data.
Remediation
Update CrafterCMS Engine to the latest version that addresses this vulnerability.
CrafterCMS Login Panel - Detect
Author: righettodAdded: May 11, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)craftercms"})Description
CrafterCMS login panel was detected.
Creatio Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Creatio"})Description
Creatio login panel was detected.
Crestron Airmedia 2.0 - Default Login
Author: Andrew LentzAdded: Sep 27, 2025
runzero-match
service["http.body"] matches "(?i)airmedia"Description
Crestron AirMedia 2.0 devices contain default credentials (admin:admin) that allow unauthorized administrative access to device configuration and control.
Crontab UI - Dashboard Exposure
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["http.body"] matches "(?i)Crontab UI"CrushFTP - Anonymous Login
Author: pussycat0xAdded: Apr 26, 2024
runzero-match
service["http.body"] contains "CrushFTP" || service["http.head.server"] contains "CrushFTP" || any(each(service["favicon.ico.image.mmh3"]), {# == "-1022206565"})Description
CrushFTP Anonymous login credentials were discovered.
CrushFTP - Authentication Bypass
Author: parthmalhotra,Ice3man,DhiyaneshDk,pdresearch,whattheslimeAdded: Apr 14, 2025CWE-287CVE-2025-31161
runzero-match
any(each(service["html.titles"]), {# matches "(?i)crushftp webinterface"}) || service["favicon.ico.image.mmh3"] == "-1022206565" || service["http.body"] matches "(?i)crushftp"Description
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
Impact
Unauthenticated attackers can bypass authentication by forging session cookies, gaining unauthorized administrative access to CrushFTP and potentially compromising the entire file transfer infrastructure.
Remediation
Upgrade to CrushFTP version 10.8.4 or 11.3.1 or later that properly validates session authentication.
CrushFTP - Default Login
Author: pussycat0xAdded: Apr 26, 2024
runzero-match
service["http.body"] contains "CrushFTP" || service["http.head.server"] contains "CrushFTP" || any(each(service["favicon.ico.image.mmh3"]), {# == "-1022206565"})Description
CrushFTP default login credentials were discovered.
CrushFTP VFS - Sandbox Escape LFR
runzero-match
service["http.body"] matches "(?i)crushftp"Description
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Apply the vendor-supplied patch or upgrade to the latest version to mitigate CVE-2024-4040.
CrushFTP WebInterface Panel - Detect
runzero-match
service["http.body"] matches "(?i)crushftp" || any(each(service["favicon.ico.image.mmh3"]), {# == "-1022206565"})Description
CrushFTP WebInterface login panel was detected.
Crypto <= 2.15 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/crypto"Description
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
Impact
Unauthenticated attackers can bypass authentication to log in as any existing user including administrators if they know the username, gaining complete control of the WordPress site and all its data.
Remediation
Update Crypto plugin to a version later than 2.15 that properly restricts and validates method calls in the crypto_connect_ajax_process function.
Cryptobox Panel - Detect
Author: righettodAdded: Jun 13, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cryptobox"})Description
Cryptobox was detected.
Cryptocurrency Widgets Pack < 2.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/cryptocurrency-widgets-pack/"Description
The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Impact
Unauthenticated attackers can execute time-based blind SQL injection through the columns[0][name] parameter in the mcwp_table AJAX action, potentially extracting sensitive database information including cryptocurrency data, user credentials, and plugin configuration.
Remediation
Fixed in version 2.0
Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/cryptocurrency-widgets-pack"Description
Cryptocurrency Widgets Pack Plugin <=1.8.1 for WordPress contains an unauthenticated SQL injection caused by unsanitized user input in database queries, letting attackers execute arbitrary SQL commands, exploit requires no authentication.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion of sensitive information.
Remediation
Update to the latest version of the plugin where the vulnerability is fixed.
CudaTel Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CudaTel"})Description
CudaTel login panel was detected.
Cvent Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Cvent Inc"Description
Cvent login panel was detected.
Cyber Chef Panel - Detect
Author: rxeriumAdded: May 6, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CyberChef"})Description
A Cyber Chef Panel was detected
CyberPanel - Command Injection
runzero-match
service["http.body"] matches "(?i)cyberpanel"Description
CyberPanel contains a command injection vulnerability in the /ftp/getresetstatus and /dns/getresetstatus endpoints.The vulnerability exists due to improper validation of the 'statusfile' parameter, which is directly used in a shell command.The security middleware only validates POST requests, allowing attackers to bypass protection using OPTIONS requests.
Impact
Attackers can exploit this vulnerability to compromise system security and integrity.
Remediation
Apply the latest security patches and updates to address this vulnerability.
CyberPower - Missing Authentication
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
Impact
An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
CyberPower - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
Impact
An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.
Remediation
Upgrade CyberPower PowerPanel Enterprise to version 2.8.3 or later to address the SQL injection vulnerability.
CyberPower - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
Impact
An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
CyberPower < v2.8.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to .
Impact
An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
CyberPower < v2.8.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>PDNU</title>"Description
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.
Impact
An unauthenticated remote attacker can leak sensitive information via the "query_ptask_verbose" function within MCUDBHelper.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Cyberoam SSL VPN Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cyberoam ssl vpn portal"})Description
Cyberoam SSL VPN panel was detected.
Cyberpanel Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)cyberpanel"Description
Cyberpanel login panel was detected.
D-LINK DNS-320L,DNS-320LW and DNS-327L - Information Disclosure
runzero-match
service["http.body"] matches "(?i)Text:In order to access the ShareCenter"Description
A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/info.cgi of the component HTTP GET Request Handler.
Impact
Unauthenticated attackers can access sensitive system information from D-Link NAS devices.
Remediation
Update D-Link NAS firmware to a version that patches the information disclosure vulnerability.
D-Link AC Centralized Management System - Default Login
Author: SleepingBag945Added: Sep 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AC集中管理平台"})Description
D-Link AC Centralized Management System default login credentials were discovered.
D-Link Central WiFi Manager CWM(100) - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)D-Link Central WiFiManager"Description
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
Impact
Unauthenticated attackers can execute arbitrary PHP code via cookie manipulation, leading to complete compromise of the D-Link Central WiFi Manager and potential access to all managed WiFi networks.
Remediation
Update D-Link Central WiFi Manager to version 1.03R0100_BETA6 or later.
D-Link D-View 8 v2.0.1.28 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1317621215"Description
Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28
Impact
Unauthenticated attackers can exploit static JWT keys to forge authentication tokens and bypass authentication to gain administrative access to D-Link D-View systems.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
D-Link DAR-8000-10 - Command Injection
runzero-match
service["http.body"] matches "(?i)dar-8000-10"Description
D-Link DAR-8000-10 version has an operating system command injection vulnerability. The vulnerability originates from the parameter id of the file /app/sys1.php which can lead to operating system command injection.
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the id parameter in /app/sys1.php, potentially gaining full control of the D-Link DAR-8000-10 router and intercepting all network traffic.
Remediation
Update D-Link DAR-8000-10 firmware to a patched version that properly sanitizes the id parameter in sys1.php and prevents operating system command injection.
D-Link DIR-605 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)l_tb>DIR-605"Description
An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version - 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page
Impact
Unauthenticated attackers can obtain router credentials including usernames and passwords by exploiting information disclosure in the getcfg.php endpoint.
Remediation
Apply firmware updates provided by D-Link or replace the device with a supported model.
D-Link DIR-615 - Unauthorized Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Roteador Wireless"})Description
D-Link DIR-615 devices with firmware 20.06 are susceptible to unauthorized access. An attacker can access the WAN configuration page wan.htm without authentication, which can lead to disclosure of WAN settings, data modification, and/or other unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to the router, potentially compromising the network and exposing sensitive information.
Remediation
Apply the latest firmware update provided by D-Link to fix the vulnerability and ensure strong and unique passwords are set for router administration.
D-Link DIR-803 - Authentication Bypass
runzero-match
asset["hw_vendor"] == "D-Link" && asset["hw_product"] matches "(?i)DIR-803"Description
An authentication bypass vulnerability exists in D-Link DIR-803 routers (firmware A1 1.04 and earlier). By manipulating the AUTHORIZED_GROUP parameter in /getcfg.php via newline injection, an attacker can retrieve XML configuration containing administrator credentials without authentication.
Impact
Remote attackers can disclose sensitive information, potentially compromising device confidentiality.
Remediation
Upgrade to the latest supported version or replace the device as it is no longer maintained.
D-Link DIR-816L - Improper Access Control
runzero-match
service["http.body"] matches "(?i)dir-816l"Description
D-Link DIR-816L_FW206b01 is susceptible to improper access control. An attacker can access folders folder_view.php and category_view.php and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or control of the affected router.
Remediation
Apply the latest firmware update provided by D-Link to fix the access control issue.
D-Link DIR-859 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)D-Link"})Description
A critical information disclosure vulnerability exists in D-Link devices where sensitive device account information including credentials can be retrieved by sending an unauthenticated request to `/getcfg.php` endpoint with the parameter `SERVICES=DEVICE.ACCOUNT`. This could allow attackers to obtain administrative credentials and gain full control of the affected device.
Impact
Unauthenticated attackers can retrieve administrative credentials and sensitive device account information, enabling full device compromise.
Remediation
Update D-Link DIR-859 router to the latest firmware version that addresses CVE-2024-57045 as specified in D-Link's security bulletin.
D-Link DNS-320 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)sharecenter"Description
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data loss, and potential compromise of the affected device.
Remediation
Apply the latest firmware update provided by D-Link to mitigate this vulnerability.
D-Link DSL-2750B Devices Command Injection Vulnerability
runzero-match
asset["hw_vendor"] == "D-Link" && asset["hw_product"] matches "(?i)DSL-2750B"Description
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the
login.cgi cli parameter.
Remediation
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
D-Link NAS - Command Injection via Group Parameter
runzero-match
service["http.body"] matches "(?i)sharecenter"Description
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection.
Impact
Unauthenticated attackers can execute arbitrary OS commands via the group parameter, potentially compromising the entire D-Link NAS device.
Remediation
Update D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L firmware to versions released after 20241028.
D-Link NAS - Command Injection via Name Parameter
runzero-match
service["http.body"] matches "(?i)sharecenter"Description
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection.
Impact
Unauthenticated attackers can execute arbitrary OS commands via the name parameter, potentially compromising the entire D-Link NAS device.
Remediation
Update D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L firmware to versions released after 20241028.
D-Link NAS `sc_mgr.cgi` - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/cgi-bin/login_mgr\\.cgi"Description
The D-Link NAS interface sc_mgr.cgi contains a command execution vulnerability that allows attackers to execute arbitrary commands on the device, potentially leading to unauthorized access or control over the system.
Remediation
To remediate this vulnerability, ensure that the device firmware is updated to the latest version provided by the manufacturer. Additionally, consider implementing network segmentation and firewall rules to restrict unauthorized access to the device.
D-Link Network Attached Storage - Backdoor Account
runzero-match
service["http.body"] contains `In order to access the ShareCenter` || service["last.http.body"] contains `In order to access the ShareCenter`Description
A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials.
Impact
Attackers can use hardcoded credentials to gain unauthorized access to D-Link NAS devices and execute commands.
Remediation
Update D-Link NAS firmware to a version that removes the backdoor account.
D-Link Network Attached Storage - Command Injection and Backdoor Account
runzero-match
service["http.body"] contains `In order to access the ShareCenter` || service["last.http.body"] contains `In order to access the ShareCenter`Description
UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
Impact
Attackers can execute arbitrary commands on D-Link NAS devices using hardcoded credentials and command injection.
Remediation
Retire and replace the affected D-Link NAS devices as they are end-of-life and no longer supported.
D-Link Routers - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "968533676"Description
D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected router, potentially leading to complete compromise of the device and the network it is connected to.
Remediation
Apply the latest firmware update provided by D-Link to mitigate this vulnerability.
DAEnetIP4 METO v1.25 - Session Hijacking
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DAEnetIP4"})Description
DAEnetIP4 METO v1.25 contains improper session management in the /login_ok.htm endpoint, letting attackers hijack sessions, exploit requires attacker to control or intercept session tokens.
Impact
Attackers can hijack user sessions, gaining unauthorized access to user accounts and sensitive information.
Remediation
Implement proper session management and secure session tokens, and update to the latest version if available.
DATAGERRY - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datagerry"})Description
The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contains an Incorrect Access Control vulnerability. An attacker can remotely access this endpoint without authentication, leading to unauthorized disclosure of sensitive information.
Impact
Attackers can exploit this vulnerability to compromise system security and integrity.
Remediation
Apply the latest security patches and updates to address this vulnerability.
DATAGERRY - REST API Auth Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datagerry"})Description
Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.
Impact
Allows unauthorized access to REST API
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
DELL iDRAC9 - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Integrated (?:Dell )?Remote Access Controller"})Description
DELL iDRAC9 default login credentials was discovered.
DPLUS Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DPLUS Dashboard"})Description
DPLUS Dashboard panel was detected.
DQS Superadmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DQS Superadmin"})Description
DQS Superadmin login panel was detected.
DVWA Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Login :: Damn Vulnerable Web Application"})Description
Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
Dahua IPC/VTH/VTO - Authentication Bypass
runzero-match
asset["hw_vendor"] == "Dahua"Description
Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Impact
An attacker can gain unauthorized access to the device, potentially compromising the security and privacy of the system.
Remediation
Apply the latest firmware update provided by Dahua to fix the authentication bypass vulnerability.
Dahua IPC/VTH/VTO - Authentication Bypass
runzero-match
asset["hw_vendor"] == "Dahua"Description
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
Impact
Unauthenticated attackers can bypass device authentication by constructing malicious login packets, gaining full administrative access to Dahua IPC/VTH/VTO devices.
Remediation
Apply firmware updates provided by Dahua to address the authentication bypass vulnerability.
Dahua Security - Configuration File Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "2019488876"Description
A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The password in configuration file vulnerability was identified, which could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information.
Impact
This vulnerability can lead to unauthorized access to sensitive information, potentially compromising the security of the system.
Remediation
To remediate this vulnerability, ensure that the configuration file is properly secured and access to it is restricted to authorized personnel only.
Dahua Web Service Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1653394551"Description
A Dahua admin login panel was detected.
Danswer - Insecure Direct Object Reference
runzero-match
service["favicon.ico.image.mmh3"] == "484766002"Description
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
Impact
Authenticated attackers can access and view files belonging to other users without proper authorization checks through insecure direct object references, leading to unauthorized disclosure of sensitive chat files and data.
Remediation
Update Danswer to a version that implements proper authorization checks to verify file ownership before allowing access through the GET /api/chat/file/{file_id} and GET /api/chat/get-chat-session endpoints.
Dapr Dashboard 0.1.0-0.10.0 - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dapr dashboard"})Description
Dapr Dashboard 0.1.0 through 0.10.0 is susceptible to improper access control. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
The vulnerability allows unauthorized access to the Dapr Dashboard, potentially leading to unauthorized actions and data exposure.
Remediation
Upgrade Dapr Dashboard to a version that includes the fix for CVE-2022-38817 or apply the necessary patches provided by the vendor.
Darktrace Threat Visualizer Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)darktrace threat visualizer"Description
Darktrace Threat Visualizer login panel was detected.
Dashy Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1013024216"Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
runzero-match
service["http.body"] matches "(?i)apriso"Description
A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
Impact
Unauthenticated attackers can exploit unsafe deserialization to execute arbitrary code on DELMIA Apriso servers, achieving complete system compromise.
Remediation
Upgrade DELMIA Apriso to a version later than Release 2025 that properly validates deserialized data.
DataEase 2.10.4-2.10.7 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)dataease"Description
DataEase prior to version 2.10.8 contains a remote code execution caused by insecure backend JDBC link handling, letting authenticated users execute arbitrary code, exploit requires user authentication.
Impact
Authenticated users can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Update to version 2.10.8 or later.
DataEase < 2.10.10 - JWT Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "^DataEase"})Description
DataEase < 2.10.10 contains a broken authentication caused by ineffective secret verification, letting users forge JWT tokens, exploit requires no special privileges.
Impact
Users can forge JWT tokens, potentially gaining unauthorized access to the system.
Remediation
Update to version 2.10.10 or later.
DataEase <= 2.4.1 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)dataease"Description
DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned.
Impact
Attackers can access sensitive configuration and credential information from the DataEase system.
Remediation
Update DataEase to version 2.5.0 or later.
DataEase v2.10.2 - JWT Signature Verification Bypass
runzero-match
service["http.body"] matches "(?i)dataease"Description
DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Attackers can forge JWT tokens to bypass authentication and gain unauthorized access to any interface.
Remediation
Update DataEase to version 2.10.2 or later.
DataHub Metadata - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "DataHub"})Description
DataHub Metadata contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
DataTaker DT80 dEX 1.50.012 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datataker"})Description
DataTaker DT80 dEX 1.50.012 is susceptible to information disclosure. A remote attacker can obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI, thereby possibly accessing sensitive information, modifying data, and/or executing unauthorized operations.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data, potentially compromising the confidentiality of the system.
Remediation
Apply the latest firmware update provided by the vendor to mitigate the information disclosure vulnerability.
Datadog Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Datadog"})Description
Datadog login panel was detected.
Dataease - Default Login
Author: DhiyaneshDKAdded: Dec 5, 2023
runzero-match
service["http.body"] matches "Dataease"Description
Dataease has a built-in account demo/dataease, and many developers forget to delete or change the account password.
As a result, many Dataease can log in with this built-in account.
Dataease - Login Panel
Author: DhiyaneshDKAdded: Dec 5, 2023
runzero-match
service["http.body"] matches "(?i)dataease"Description
Dataease Login Panel is discovered
Datagerry - Default Login
Author: gy741Added: Sep 30, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datagerry"})Description
Datagerry was using default username and password was discovered.
Datagerry Panel - Detect
Author: s4e-ioAdded: Feb 1, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)datagerry"})Description
Datagerry panel was discovered.
Dataiku - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dataiku"})Description
Dataiku contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. This vulnerability may also lead to server-side request forgery and/or remote code execution.
Dataiku Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dataiku"})Description
Dataiku panel was detected.
Davantis Video Analytics Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Davantis"})Description
Davantis Video Analytics panel was detected.
DaybydayCRM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)daybyday"})Description
DaybydayCRM login panel was detected.
DbGate Web Client Management - Panel Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1198579728"Description
The DbGate Web Client Management Panel is detected on the target system.
Debug Endpoint pprof - Exposure Detection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kubernetes web view"})Description
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
Impact
An attacker can exploit this vulnerability to gather sensitive information, potentially leading to further attacks.
Remediation
Disable or restrict access to the Debug Endpoint pprof to prevent unauthorized access.
Dede CMS - SQL Injection
runzero-match
service["http.body"] matches "(?i)DedeCms"Description
Dede CMS contains a SQL injection vulnerability which allows remote unauthenticated users to inject arbitrary SQL statements via the ajax_membergroup.php endpoint and the membergroup parameter.
DedeCMS 5.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)dedecms" || service["http.body"] matches "(?i)power by dedecms\" \\|\\| title:\"dedecms" || any(each(service["html.titles"]), {# matches "(?i)dedecms\" \\|\\| http\\.html:\"power by dedecms"})Description
DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest security patch or upgrade to a newer version of DedeCMS to mitigate the SQL Injection vulnerability.
DedeCMS 5.7.87 - Directory Traversal
runzero-match
service["http.body"] matches "(?i)dedecms" || service["http.body"] matches "(?i)power by dedecms\" \\|\\| title:\"dedecms" || any(each(service["html.titles"]), {# matches "(?i)dedecms\" \\|\\| http\\.html:\"power by dedecms"})Description
Directory traversal vulnerability in DedeCMS 5.7.87 allows reading sensitive files via the $activepath parameter.
Impact
Unauthenticated attackers can exploit directory traversal through the activepath parameter in select_templets.php to read sensitive DedeCMS configuration files and source code.
Remediation
Update DedeCMS to a version newer than 5.7.87 that properly validates and sanitizes the activepath parameter in select_templets.php.
DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution
runzero-match
service["http.body"] matches "(?i)dedecms" || service["http.body"] matches "(?i)power by dedecms\" \\|\\| title:\"dedecms" || any(each(service["html.titles"]), {# matches "(?i)dedecms\" \\|\\| http\\.html:\"power by dedecms"})Description
DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
Impact
Successful exploitation of these vulnerabilities can lead to unauthorized actions performed on behalf of the user and execution of arbitrary code.
Remediation
Apply the latest security patches and update to a newer version of DedeCMS.
Deep Sea Electronics DSE 855 Generator Controller - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "DSE 855"})Description
Deep Sea Electronics DSE 855 is a generator/mains automatic transfer switch (ATS) controller
with a built-in HTTP web server for remote monitoring and configuration of generator control systems.
The interface is commonly exposed on port 8090 and requires no authentication by default.
DefectDojo Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)DefectDojo Logo"Description
DefectDojo login panel was detected.
Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/defender-security/"Description
The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.
Impact
Unauthenticated attackers can bypass hidden login page protection through auth_redirect WordPress function to access the login page despite protection mechanisms.
Remediation
Fixed in 4.1.0
Dell BMC Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dell Remote Management Controller"})Description
Dell BMC web panel was detected.
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AVAMAR"})Description
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
Impact
Unauthenticated attackers can read or modify Local Download Service credentials, impersonate the service when accessing Dell EMC Online Support, or prevent legitimate connections by corrupting the configuration.
Remediation
Upgrade to a patched version of Dell EMC Avamar or apply vendor-provided security updates.
Dell EMC RecoverPoint Panel - Detect
Author: rxeriumAdded: Feb 18, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "-742276344"Description
Dell EMC RecoverPoint management panel was detected.
Dell IDRAC Panel - Detect
runzero-match
service["http.body"] matches "(?i)thisIDRACText"Description
Dell IDRAC panel was detected.
Dell Laser Printer - Unauthenticated Detect
Author: pussycat0xAdded: Sep 18, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Laser Printer"})Description
The Dell Laser Printer web interface was accessible without authentication.
Dell OpenManage Switch Administrator Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Dell OpenManage Switch Administrator"Description
Dell OpenManage Switch Administrator login panel was detected.
Dell Remote Web Access Panel - Detect
Author: pussycat0xAdded: Sep 17, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dell Remote web"})Description
Dell Remote Web Access is a secure web portal that enables remote access to files, applications, and desktops hosted on Dell servers.
Dell iDRAC6/7/8 Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Integrated (?:Dell )?Remote Access Controller"})Description
Dell iDRAC6/7/8 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
Delmia Apriso - Pre-Authentication Unsafe .NET Object Deserialization
runzero-match
service["http.body"] matches "(?i)/apriso/"Description
An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to pre-authentication remote code execution.
Impact
Attackers can exploit unsafe .NET object deserialization to achieve pre-authentication remote code execution.
Remediation
Update DELMIA Apriso to a version that addresses the unsafe deserialization vulnerability.
Delta Controls Admin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Delta Controls ORCAview"Description
Delta Controls admin login panel was detected.
Deluge - Default Login
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Deluge"})Description
Deluge Default login credentials were discovered.
Deluge WebUI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)deluge webui"})Description
Deluge WebUI login panel was detected.
Dependency-Track Login - Panel
Author: Th3l0newolfAdded: Apr 10, 2025
runzero-match
service["http.body"] matches "(?i)Dependency-Track"Description
Dependency Track login panel was discovered.
Dericam Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dericam"})Description
Dericam login panel was detected.
Desktop Portal VMware Horizon DaaS Trade Platform
Author: DhiyaneshDKAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)horizon daas"})DevDojo Voyager - Default login
Author: iamnoooob,rootxharsh,pdresearchAdded: Feb 5, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Voyager"})Description
DevDojo Voyager contains default credentials when run with dummy data. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
DevDojo Voyager <=1.8.0 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Voyager"})Description
DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.
Impact
Authenticated attackers can exploit path traversal to read arbitrary files from the server, potentially exposing sensitive configuration files, credentials, and application source code.
Remediation
Update DevDojo Voyager to version 1.8.1 or later to address the path traversal vulnerability.
Device42 Panel - Detect
Author: righettodAdded: May 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)device42"})Description
Device42 was detected — a Discovery, Asset Management and Dependency Mapping for Data Center and Cloud.
Devika - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Devika AI"})Description
A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshot_path' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with a malicious 'snapshot_path' parameter, leading to arbitrary file read from the system. This issue impacts the security of the application by allowing unauthorized access to sensitive files on the server.
Impact
Successful exploitation could lead to unauthorized access to sensitive files and data.
Remediation
Ensure input validation is implemented to prevent malicious file inclusions and use whitelists for allowed file paths.
Devika v1 - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-1429839495"Description
The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
Impact
Unauthenticated attackers can exploit path traversal to access sensitive files on the server.
Remediation
Update Devika to a version later than v1 that patches the path traversal vulnerability.
Devtron Panel Login Panel - Detect
Author: johnk3rAdded: Apr 10, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Devtron"})Description
Devtron Panel login panel was detected.
Dex Authentication - Panel
runzero-match
service["http.body"] matches "(?i)Log in to dex"Dialogic XMS Admin Console - Default Login
Author: ritikchaddhaAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Dialogic XMS Admin Console"})Description
Dialogic XMS Admin Console was using default credentials and it was discovered.
Dialogic XMS Admin Console - Detect
Author: ritikchaddhaAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dialogic XMS Admin Console"})Diced Zipline - Detect
Author: icarotAdded: Aug 10, 2025
runzero-match
service["http.body"] matches "(?i)Zipline"Description
Zipline panel was detected.
Dify - User Enumeration via "Account not found" Message
runzero-match
service["favicon.ico.image.mmh3"] == "97378986"Description
A user enumeration vulnerability exists in langgenius/dify, where the login API leaks information about whether a user account exists or not. When an invalid/non-existent email is used during login, the API returns a distinct error message such as "account_not_found" or "Account not found.", allowing attackers to identify valid accounts.
Impact
Attackers can enumerate valid user accounts through distinct error messages returned by the login API, facilitating targeted credential stuffing and phishing attacks against Dify installations.
Remediation
Upgrade to the patched version of Dify that implements generic error messages for authentication failures.
Dify v1.9.1 - Broken Access Control
runzero-match
service["favicon.ico.image.mmh3"] == "-1483370344" || service["favicon.ico.image.mmh3"] == "-791570210"Description
Dify v1.9.1 contains an insecure permissions vulnerability caused by lack of authorization checks in /console/api/system-features endpoint, letting unauthenticated attackers access sensitive system configuration data.
Impact
Unauthenticated attackers can access sensitive system configuration data, potentially leading to information disclosure.
Remediation
Update to the latest version of Dify.
Digi International Router - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Digi Router"})Description
Digi International cellular routers expose a web management interface used in industrial IoT and remote connectivity applications.
Digital Watchdog - Default Login
Author: omranisecurityAdded: May 27, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "868509217"Description
Digital Watchdog default login credentials were discovered.
Digital Watchdog - Detect
Author: ritikchaddhaAdded: May 28, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "868509217"Description
Digital Watchdog panel was detected.
Digital Watchdog DW Spectrum Server 4.2.0.32842 - Information Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "868509217"Description
Digital Watchdog DW Spectrum Server 4.2.0.32842 allows attackers to access sensitive infromation via a crafted API call.
Impact
Unauthenticated attackers can access sensitive system information including network configuration, remote addresses, and cloud host details through the moduleInformation API endpoint, potentially facilitating further attacks.
Remediation
Update Digital Watchdog DW Spectrum Server to a version newer than 4.2.0.32842 that requires authentication for the moduleInformation API endpoint.
DirectAdmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)directadmin login"})Description
DirectAdmin login panel was detected.
Directum Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Directum"})Description
Directum login panel was detected.
Discuz Panel - Detection
Author: ritikchaddhaAdded: Aug 7, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Discuz!"})Django QuerySet.order_by - SQL Injection
runzero-match
service["product"] contains 'Django'Description
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 contain a SQL injection caused by untrusted input in QuerySet.order_by. Attackers can execute arbitrary SQL commands if they control order_by input parameters.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
Remediation
Update to Django 3.1.13 or 3.2.5 or later versions.
Django RasterField - SQL Injection
runzero-match
service["product"] contains "Django Project:Django"Description
Django < 6.0.2, < 5.2.11, and < 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField on PostGIS, letting remote attackers inject SQL, exploit requires crafted input.
Impact
Remote attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
Remediation
Upgrade to versions 6.0.2, 5.2.11, 4.2.28 or later.
Django SQL Injection
runzero-match
service["product"] contains "Django Project:Django"Description
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to the latest version.
Docassemble - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)docassemble"})Description
Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.
Impact
Unauthenticated attackers can read arbitrary files on the server through URL manipulation in the Docassemble interview endpoint.
Remediation
Update Docassemble to version 1.4.97 or later.
Doccano - Default Login
Author: 0x_AkokoAdded: Mar 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)doccano"})Description
Detected the Doccano data labeling platform was using default administrator credentials (admin:password). An attacker could have gained full administrative access.
Docebo eLearning Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Docebo E-learning"})Description
Docebo eLearning login panel was detected.
Dockge Panel - Detect
Author: rxeriumAdded: Feb 3, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dockge"})Description
A fancy, easy-to-use and reactive self-hosted docker compose.yaml stack-oriented manager
DocuWare - Detect
Author: righettodAdded: Sep 26, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Docuware"})Description
DocuWare panel was detected.
Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
runzero-match
service["http.body"] matches "(?i)Docusaurus"Description
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.
Impact
A GitHub personal access token exposure vulnerability can grant an attacker unauthorized access to your repositories and organization resources, potentially leading to data exfiltration, code injection, and supply chain attacks.
Remediation
Update docusaurus-plugin-content-gists to version 4.0.0+. Revoke access to the GitHub PAT that was used: https://github.com/settings/tokens.
Dokploy Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dokploy"})Description
Dokploy login panel was detected.
Dokuwiki Login Panel - Detect
Author: righettodAdded: Feb 14, 2024
runzero-match
service["http.body"] matches "(?i)/dokuwiki/"Description
Dokuwiki login panel was detected.
Dolibarr Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dolibarr"})Description
Dolibarr login panel was detected.
Dolibarr Unauthenticated Contacts Database Theft
runzero-match
service["favicon.ico.image.mmh3"] == "440258421"Description
An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.
Impact
The attacker can access and steal sensitive information from the contacts database, potentially leading to data breaches and privacy violations.
Remediation
Apply the latest security patch or upgrade to a patched version of Dolibarr to mitigate the vulnerability.
Doris Panel - Detect
Author: ritikchaddhaAdded: Jan 22, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "24048806"Description
Doris panel detection template.
Dotclear Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dotclear"})Description
Dotclear admin login panel was detected.
Download Monitor <= 4.7.60 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/download-monitor/"Description
The Download Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including email, role, id and other info (not passwords)
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks or unauthorized access.
Remediation
Update to the latest version of the Download Monitor plugin (4.7.60) or apply the provided patch to fix the vulnerability.
Dradis Professional Edition Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Dradis Professional Edition"})Description
Dradis Professional Edition login panel was detected.
DragonFly Login - Panel
Author: DhiyaneshDKAdded: Sep 24, 2024
runzero-match
service["http.body"] matches "(?i)logo-dragonfly\\.png"Description
Dragonfly Login Panel was discovered
Dragonfly - Default Login
Author: DhiyaneshDKAdded: Sep 24, 2024
runzero-match
service["http.body"] matches "(?i)logo-dragonfly\\.png"Description
Dragonfly was using the default username, and the password was discovered.
DrayTek - Remote Code Execution
runzero-match
asset["hw_vendor"] == "DrayTek"Description
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected router, leading to complete compromise of the device and potential unauthorized access to the network.
Remediation
This issue has been fixed in Vigor3900/2960/300B v1.5.1.
DrayTek Vigor - Command Injection
runzero-match
service["http.body"] contains `"excanvas.js" && "lang == \"zh-cn\"" && "detectLang" && server=="DWS"`Description
DrayTek Vigor devices contain a command injection vulnerability in the cvmcfgupload functionality. The vulnerability allows remote attackers to execute arbitrary commands through specially crafted requests to the /cgi-bin/mainfunction.cgi/cvmcfgupload endpoint.
Impact
Unauthenticated attackers can execute arbitrary system commands on DrayTek Vigor devices via the cvmcfgupload endpoint, leading to complete device compromise and potential network infiltration.
Remediation
Update the firmware to the latest version provided by DrayTek. If no update is available, consider implementing network segmentation to restrict access to the device's management interface.
Draytek VigorConnect 1.6.0-B - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)vigorconnect"Description
Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in Draytek VigorConnect 1.6.0-B.
Draytek VigorConnect 6.0-B3 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)vigorconnect"Description
Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, potential data leakage, and further compromise of the affected system.
Remediation
Apply the latest security patches or updates provided by Draytek to fix the LFI vulnerability in VigorConnect 6.0-B3.
Drone CI Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1354079303"Description
Drone CI login panel was detected.
Drupal - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)drupal"}) || service["favicon.ico.image.md5"] matches `(?i)^(b6341dfc213100c61db4fb8775878cec|cf2445dcb53a031c02f9b57e2199bc03)`Description
Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Drupal site.
Remediation
Apply the official security patch provided by Drupal to fix the deserialization vulnerability.
Drupal Core - Anonymous SQL Injection via PostgreSQL Entity Query
runzero-match
service["http.body"] matches `Drupal\s+(\d{1,2})(?:\s+\(https?:\/\/(?:www\.)?drupal\.org\))?`Description
Drupal core from 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10 contains an SQL injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or full database compromise.
Remediation
Upgrade to versions 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10 or later.
Duomi CMS - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DuomiCMS"})Description
Duomi CMS contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Dynatrace Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1828614783"Description
Dynatrace login panel was detected.
DzzOffice Installation Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1961736892"Description
DzzOffice installation panel was detected.
DzzOffice Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1961736892"Description
DzzOffice login panel was detected.
E-mobile Panel - Detect
runzero-match
service["http.body"] matches "(?i)E-Mobile "Description
E-mobile panel was detected.
ECTouch v2 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "127711143"Description
ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.
Impact
Unauthenticated attackers can exploit SQL injection through the $arr['id'] parameter to extract database contents, potentially stealing customer data, order information, and payment details from the ECTouch e-commerce system.
Remediation
Update ECTouch to a version newer than 2.0 that uses parameterized queries or prepared statements for the id parameter in default/helpers/insert.php.
EMQX Login Panel - Detect
Author: righettodAdded: Mar 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EMQX Dashboard"})Description
EMQX login panel was detected.
EOS HTTP Browser
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EOS HTTP Browser"})ERPNext - Default Login
Author: 0x_AkokoAdded: Nov 14, 2025
runzero-match
service["http.body"] matches "(?i)Login to Frappe"Description
Detects ERPNext installations that use the default Administrator/admin login credentials. This misconfiguration grants attackers full administrative access to the system.
ESPHome - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ESPHome"})Description
ESPHome 2025.8.0 contains an authentication bypass caused by improper validation of base64-encoded Authorization values in the web_server component, letting attackers access functionality without valid credentials, exploit requires crafted Authorization header.
Impact
Attackers can bypass authentication to access web server functions, including OTA updates, potentially compromising device control.
Remediation
Upgrade to version 2025.8.1 or later.
ESPHome Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - esphome"})Description
ESPHome login panel was detected.
ESXi System Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)esxuiapp"Description
ESXi System login panel was detected.
ETQ Reliance - Authentication Bypass via Trailing Space
runzero-match
service["http.body"] matches "(?i)ETQ Reliance"Description
An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login page to obtain elevated access. Once authenticated, an attacker could achieve remote code execution by modifying Jython scripts within the application. This issue was resolved by introducing stricter validation logic to exclude internal accounts from public authentication workflows in version MP-4583.
Impact
Successful exploitation allows unauthenticated attackers to bypass authentication and gain elevated SYSTEM access, potentially leading to remote code execution.
Remediation
Apply the vendor patch to version MP-4583 or later, which includes stricter validation logic to exclude internal accounts from public authentication workflows.
ETQ Reliance - Reflected XSS via SQLConverterServlet
runzero-match
service["http.body"] matches "(?i)ETQ Reliance"Description
A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the SQLConverterServlet component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1.
Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated user's browser session, potentially leading to session hijacking or unauthorized actions.
Remediation
Upgrade to ETQ Reliance version SE.2025.1 or later where the SQLConverterServlet has been disabled.
EVSE Web Interface Panel - Detection
Author: ritikchaddhaAdded: Aug 11, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)evse web interface"})EVlink City < R8 V3.4.0.1 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)evse web interface"})Description
A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges.
Impact
Unauthenticated attackers can bypass authentication via hardcoded credentials and issue unauthorized administrative commands to the charging station web server, potentially disrupting charging operations or stealing sensitive data.
Remediation
Upgrade to EVlink City R8 V3.4.0.1 or later to fix the authentication bypass vulnerability.
EVlink Local Controller - Detection
Author: ritikchaddhaAdded: Aug 11, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EVlink Local Controller"})EWM Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EWM Manager"})Description
EWM Manager login panel was detected.
EWWW Image Optimizer <= 7.2.0 - Unauthenticated Information Disclosure
Author: Shivam KambojAdded: Feb 17, 2026
runzero-match
service["http.body"] contains "ewww_image_optimizer" && service["http.body"] contains "__construct()"Description
The EWWW Image Optimizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.0 via the debug_log function. This makes it possible for unauthenticated attackers to extract sensitive debug data when debug logging is enabled.
Impact
Attackers can access sensitive embedded data, potentially leading to information disclosure and further exploitation.
Remediation
Remove debug information and update to the latest version of EWWW Image Optimizer.
Eagle For Apache Kakfa Login - Detect
Author: irshad ahamedAdded: Jul 4, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1693580324"Description
EFAK is a visualization and management software that allows one to query, visualize, alert on, and explore their metrics wherever they were stored.
Easy Diffusion Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Easy Diffusion"})Description
Easy Diffusion (formerly Stable Diffusion UI) was detected. Easy Diffusion is a one-click, self-hosted Stable Diffusion web application focused on accessibility and ease of use for AI image generation. Exposed instances allow unauthenticated access to image generation capabilities and stored outputs.
EasyCVR video management - Users Information Exposure
Author: pussycat0xAdded: Jun 5, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EasyCVR"})Description
EasyCVR video management platform has leaked user information
EasyJOB Login Panel - Detect
Author: righettodAdded: Feb 7, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Log in - easyJOB"})Description
EasyJOB login panel was detected.
EasyReport - Default Login
runzero-match
service["http.body"] matches "(?i)EasyReport-A Sample and Easy to Use Web Reporting System"EasyVista Login Panel - Detect
Author: righettodAdded: May 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Easyvista"})Description
EasyVista login panel was detected.
Echelon i.LON SmartServer - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "i\\.LON SmartServer"})Description
Echelon (now Adesto/Dialog Semiconductor) i.LON SmartServer is a LonWorks/IP-852
building automation controller used in HVAC, lighting, and energy management systems.
The embedded web interface is frequently exposed on standard and non-standard ports.
Eclipse BIRT Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Eclipse BIRT Home"})Description
Eclipse BIRT (Business Intelligence Reporting Tool) detected
Eclipse Jetty - Directory Listing Enabled
Author: ritikchaddhaAdded: Dec 19, 2025
runzero-match
service["http.head.server"] matches "Jetty"Description
Eclipse Jetty server has directory listing enabled, which exposes the directory structure and file names to unauthenticated users. This can reveal sensitive files, backup files, configuration files, and aid attackers in reconnaissance.
Impact
Attackers can enumerate files and directories, discover hidden resources, backup files, configuration files, and potentially sensitive data that should not be publicly accessible.
Remediation
Disable directory listing by setting dirAllowed to false in the DefaultServlet configuration or by setting allowDirectoryListing to false in WebAppContext. Add index files (index.html) to directories that should not list contents.
Eclipse Theia IDE Panel - Detect
Author: 0x_AkokoAdded: Jan 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Theia IDE"})Description
Detected Eclipse Theia IDE panel was exposed. Theia is an extensible platform for multi-language Cloud and Desktop IDEs. Exposed panels may have allowed unauthenticated access to development environments and terminal.
Edito CMS - Sensitive Data Leak
runzero-match
service["favicon.ico.image.mmh3"] == "1491301339"Description
Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthorized user.
Impact
Unauthenticated attackers can download configuration files containing sensitive credentials from Edito CMS installations.
Remediation
Update Edito CMS to a version later than 3.25 that secures configuration file access.
EfroTech Timetrax v8.3 - Sql Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-661694518"Description
EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.
Impact
Unauthenticated attackers can execute SQL injection attacks to extract or modify sensitive timetrax database information.
Remediation
Update EfroTech Timetrax to a version later than v8.3 that patches the SQL injection vulnerability.
Eko Charger Management Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Charger Management Console"})Description
Eko Charger Management Console login panel was detected.
Eko Software Update Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ekoenergetyka-Polska Sp\\. z o\\.o - CCU3 Software Update for Embedded Systems"})Description
Eko software update panel for embedded systems was detected. An attacker can possibly upload a software image or restart the system.
EkoAPI Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EkoAPI Admin"})Description
EkoAPI Admin panel was detected.
Ektron CMS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ektron"Description
Ektron CMS login panel was detected.
ElasticSearch - Default Login
Author: Mohammad Reza Omrani | @omranisecurityAdded: Jul 24, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Elastic"})Description
Elasticsearch default credentials were discovered.
Elber ESE DVB-S/S2 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Elber Satellite Equipment"})Description
Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user's password within the system.
Impact
This grants them unauthorized administrative access to protected areas of the application, compromising the device's system security.
Remediation
Apply security patches from Elber or restrict access to the password management endpoints to authorized networks only.
Electrolink FM/DAB/TV Transmitter - Credentials Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Electrolink"})Description
A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext.
Impact
Unauthenticated attackers can access plaintext credentials through the controlloLogin.js file, potentially gaining unauthorized access to Electrolink transmitter management interfaces.
Remediation
Change default credentials and restrict access to the controlloLogin.js file.
Elemiz Network Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Elemiz Network Manager"})Description
Elemiz Network Manager login panel was detected.
Elestio Memos <= v0.24.0 - Server-Side Request Forgery
runzero-match
service["favicon.ico.image.mmh3"] == "-1924700661"Description
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
Impact
Unauthenticated attackers can exploit SSRF vulnerabilities to access internal services, bypass network security controls, and potentially retrieve sensitive information from internal systems.
Remediation
Upgrade to Memos version 0.24.1 or later that properly validates and restricts URL access.
Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via Hash
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/email-subscribers/"Description
Email Subscribers by Icegram Express <= 5.7.20 contains an unauthenticated SQL injection vulnerability via the hash parameter.
Impact
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Remediation
Fixed in 5.7.21
Emby Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emby"})Description
Emby login panel was detected.
Emby Server - Authentication Bypass
runzero-match
service["product"] contains "Emby:Emby"Description
Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server system which are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.
Impact
Attackers can gain unauthorized administrative access or view user accounts without passwords, risking full control over the server.
Remediation
Update to Emby Server version 4.8.31 or 4.7.12.
Emerson Network Power IntelliSlot Web Card Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Emerson Network Power IntelliSlot Web Card"})Description
Emerson Network Power IntelliSlot Web Card panel was detected.
Emqx Default Admin Login
runzero-match
service["favicon.ico.image.mmh3"] == "-670975485"Description
Emqx default admin credentials were discovered.
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/web/cgi-bin/usbinfo\\.cgi"Description
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier.The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands.The injected commands are executed with root privileges, leading to full system compromise.
Impact
Unauthenticated attackers can inject and execute arbitrary shell commands with root privileges through the path parameter in usbinteract.cgi, achieving complete system compromise.
Remediation
Upgrade EnGenius EnShare Cloud Service to version 1.4.12 or later that properly sanitizes user input in CGI scripts.
Enablix Panel - Detect
Author: DhiyaneshDkAdded: Oct 6, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Enablix"})Description
Enablix panel was detected.
Endpoint Protector Login Panel - Detect
Author: pussycat0xAdded: Jul 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Endpoint Protector"})Description
Endpoint Protector - Reporting and Administration Tool login panel was detected.
EnjoyRMIS - SQL Injection
runzero-match
service["http.body"] matches "(?i)CheckSilverlightInstalled"Description
EnjoyRMIS GetOAById has a SQL injection vulnerability, through which an attacker can obtain sensitive database information and even control the server.
Envoy Proxy - Metadata Disclosure
Author: theamanrawatAdded: Jan 20, 2026
runzero-match
service["http.head.xEnvoyPeerMetadata"] != ""Description
Detected misconfigured Envoy proxy instances that disclose sensitive information about the target infrastructure via the "x-envoy-peer-metadata" response header.
Episerver Login Panel
runzero-match
service["http.body"] matches "(?i)epihash"Description
Episerver login panel was detected.
Error Log Viewer By WP Guru <= 1.0.1.3 - Missing Authorization to Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/error-log-viewer-wp"Description
The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Impact
Unauthenticated attackers can read arbitrary files on the server including sensitive configuration files with database credentials and other sensitive data.
Remediation
Update Error Log Viewer By WP Guru plugin to a version newer than 1.0.1.3.
Erxes <0.23.0 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)erxes"})Description
Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade to Erxes version 0.23.0 or later to mitigate the vulnerability.
Esafenet CDG NetSecConfigAjax - Sql Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)电子文档安全管理系统"})Description
The `state` parameter of the `NetSecConfigAjax` interface of the Yisaitong electronic document security management system does not pre-compile and adequately verify the incoming data, resulting in a SQL injection vulnerability in the interface. Malicious attackers may obtain the server through this vulnerability information or directly obtain server permissions.
Esafenet CDG NoticeAjax - Sql Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)电子文档安全管理系统"})Description
CDGServer3 NoticeAjax Interface Sql Injection.
Eset Protect Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "751911084"Description
Login page for Eset Protect
Eslint Ignore File Exposure
Author: DhiyaneshDkAdded: Dec 10, 2025
runzero-match
service["http.body"] matches "(?i)eslintignore"Description
Eslint Ignore File was exposed.
Espec Web Controller - Panel
Author: darsesAdded: Aug 14, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "529766441" || any(each(service["html.titles"]), {# matches "(?i)Espec Web Controller"})Description
Espec Web Controller panel was discovered.
EspoCRM - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-197006674" || service["http.body"] matches "(?i)Powered by EspoCRM"Description
EspoCRM panel was detected.
Essential Blocks < 4.4.3 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/essential-blocks/"Description
Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.
Impact
An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
Remediation
Upgrade to the latest version of Essential Blocks 4.4.3 to fix this issue.
EuroTel ETL3100 - Default Login
Author: r3Y3r53Added: Oct 17, 2023
runzero-match
service["http.body"] matches "ETL3100"Description
The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.
EventON (Free < 2.2.8, Premium < 4.5.5) - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/eventon-lite/" || service["http.body"] matches "(?i)/wp-content/plugins/eventon/"Description
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorization in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog.
Impact
An attacker could potentially access sensitive email information.
Remediation
Update to the latest version of the EventON WordPress Plugin to mitigate CVE-2024-0235.
EventON <= 2.1 - Missing Authorization
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/eventon/" || service["http.body"] matches "(?i)/wp-content/plugins/eventon-lite/"Description
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
Impact
Unauthenticated users can perform privileged actions, potentially leading to unauthorized access or modification of events.
Remediation
Fixed in version 2.1.2
EventON Lite < 2.1.2 - Arbitrary File Download
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/eventon/" || service["http.body"] matches "(?i)/wp-content/plugins/eventon-lite/"Description
The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors
to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
Impact
Unauthenticated attackers can exploit missing validation in the eventon_ics_download AJAX action to access any post content including unpublished or protected posts through ICS export functionality.
Remediation
Fixed in version 2.1.2
Eventum Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "305412257"Description
Eventum login panel was detected.
Evertz SDVN 3080ipx-10G - Unauthenticated Arbitrary Command Injection
runzero-match
service["http.body"] matches "(?i)evertz\\.min\\.css"Description
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among other features. The application has been developed in PHP with the webEASY SDK, also named ‘ewb’ by Evertz.This web interface has two endpoints that are vulnerable to arbitrary command injection and the authentication mechanism has a flaw leading to authentication bypass.Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices.This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others.
Impact
Unauthenticated attackers can bypass authentication and execute arbitrary commands with root privileges, potentially disrupting media streaming or manipulating content.
Remediation
Apply the security patch from Evertz or restrict network access to the web management interface to trusted administrators only.
Evidently AI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Evidently"})Description
Evidently AI is an ML/LLM observability platform for monitoring data drift and model performance.
ExaGrid Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)exagrid manager"})Description
ExaGrid Manager login panel was detected.
Exchange Server - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1768726119" || any(each(service["html.titles"]), {# matches "(?i)outlook"}) || any(each(service["html.titles"]), {# matches "(?i)outlook exchange"})Description
Microsoft Exchange Server is vulnerable to a remote code execution vulnerability. This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Exchange Server, potentially leading to a complete compromise of the system.
Remediation
Apply Microsoft Exchange Server 2019 Cumulative Update 9 or upgrade to the latest version.
Exolis Engage Panel - Detect
runzero-match
service["http.body"] matches "(?i)engage - Portail soignant"Description
Exolis Engage panel was detected.
Export WP Page to Static HTML <= 4.3.4 - Cookie Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/export-wp-page-to-static-html/"Description
Export WP Page to Static HTML & PDF WordPress plugin <= 4.3.4 contains a sensitive information exposure caused by publicly exposed cookies.txt files with authentication cookies, letting unauthenticated attackers access sensitive authentication data, exploit requires site administrator to trigger backup with specific user role.
Impact
Unauthenticated attackers can access authentication cookies, potentially leading to account compromise or unauthorized access.
Remediation
Update to the latest version beyond 4.3.4.
Exposed MCP JSON-RPC 2.0 API Detection
Author: ivan_wallarmAdded: May 10, 2025
runzero-match
any(each(service["html.bodies"]), {# matches "(?i)get requires an active session"})Description
Detects exposed Machine Control Protocol (MCP) servers through JSON-RPC 2.0 API endpoints.
MCP servers often provide administrative access to AI tools, LLM systems, or other automation infrastructure.
Exposed MCP interfaces can lead to unauthorized access, information disclosure, and potential system compromise.
This template tests multiple detection methods including tools/list, rpc.discover, resources/list, and prompts/list.
Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/extensive-vc-addon/"Description
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
Impact
Unauthenticated attackers can exploit parameter validation flaws in the template loading mechanism to read arbitrary files including wp-config.php and escalate to remote code execution using PHP filter chains.
Remediation
Fixed in 1.9.1
Extreme NetConfig UI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Extreme NetConfig UI"})Description
Extreme NetConfig UI panel was detected.
EyesOfNetwork - Hardcoded API Key
runzero-match
service["http.body"] matches "(?i)EyesOfNetwork"Description
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
Impact
Successful exploitation allows an attacker to create administrative users and gain unauthorized access to the EyesOfNetwork management system.
Remediation
Upgrade to a newer version of EyesOfNetwork or change the default hardcoded API key in the configuration.
EyesOfNetwork - Hardcoded API Key & SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)EyesOfNetwork"})Description
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
Impact
Unauthenticated attackers can bypass authentication via SQL injection and gain access to the EyesOfNetwork monitoring system and all monitored infrastructure data.
Remediation
Apply security patches or update to the latest version of EyesOfNetwork.
EyouCms v1.6.3 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)eyoucms"})Description
EyouCms v1.6.3 was discovered to contain an information disclosure vulnerability via the component /custom_model_path/recruit.filelist.txt.
Impact
An attacker can exploit this vulnerability to gain sensitive information.
Remediation
Upgrade eYouCMS to a patched version to mitigate CVE-2023-37645.
F-Secure Policy Manager Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)f-secure policy manager server"})Description
F-Secure Policy Manager Server login panel was detected.
F-logic DataCube3 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DataCube3"})Description
SQL injection vulnerability in f-logic datacube3 v.1.0 allows a remote attacker to obtain sensitive information via the req_id parameter.
Impact
Attackers can execute arbitrary SQL queries, potentially extracting or modifying sensitive database information.
Remediation
Update F-logic DataCube3 to a version that patches the SQL injection vulnerability.
F5 Admin Interface - Detect
Author: drewvravick,righettodAdded: Jun 3, 2024
runzero-match
service["http.body"] matches "(?i)BIG-IP Configuration Utility"Description
Detects F5 Admin Interfaces.
F5 BIG-IP TMUI - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)big-ip®-\\+redirect\" \\+\"server"}) || service["http.body"] matches "(?i)big-ip apm"Description
F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the necessary security patches or upgrade to a non-vulnerable version of F5 BIG-IP TMUI.
F5 BIG-IP iControl - REST Auth Bypass RCE
runzero-match
any(each(service["html.titles"]), {# matches "(?i)big-ip®-\\+redirect\" \\+\"server"}) || service["http.body"] matches "(?i)big-ip apm"Description
F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and execute arbitrary code on the affected system.
Remediation
Apply the necessary security patches or updates provided by F5 Networks to mitigate this vulnerability.
F5 BIG-IP iControl REST Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)big-ip®-\\+redirect"})Description
F5 BIG-IP iControl REST API discovered and may be vulnerable to an authentication bypass (not tested).
F5 iControl REST - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)big-ip®-\\+redirect\" \\+\"server"}) || service["http.body"] matches "(?i)big-ip apm"Description
F5 iControl REST interface is susceptible to remote command execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. This affects BIG-IP 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3; and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
Remediation
Apply the necessary security patches or updates provided by F5 Networks to mitigate the vulnerability.
FASTPANEL Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FASTPANEL HOSTING CONTROL"})Description
FASTPANEL login panel was detected.
FOG Project < 1.5.10.34 - Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-1952619005"Description
FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php.
Impact
Unauthenticated attackers can exploit command injection to achieve remote code execution on the FOG server.
Remediation
Update FOG Project to version 1.5.10.34 or later.
FOSSBilling Panel - Detect
Author: ritikchaddhaAdded: Aug 16, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FOSSBilling"})Description
FOSSBilling panel has been detected.
FREEDOM Administration - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FREEDOM Administration"})Description
The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE- the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
Impact
Attackers can gain unauthorized access to building management systems using default credentials, potentially exposing residents' personally identifiable information and controlling access to apartment buildings.
Remediation
Change default credentials immediately to strong, unique passwords as recommended in the manufacturer's security guidelines.
FUEL CMS 1.4.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fuel cms"})Description
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system, leading to complete compromise of the application and potentially the underlying server.
Remediation
Upgrade to FUEL CMS version 1.4.2 or later, which includes a patch for this vulnerability.
FUXA - SCADA/HMI Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)powered by (?:frangoteam|<span><b>frango</b>team</span>)`Description
FUXA is an open-source web-based SCADA/HMI platform built on Node.js.
It supports Modbus, OPC-UA, BACnet, MQTT, and Siemens S7 protocols and
is widely self-hosted for small industrial deployments. Instances are
frequently exposed to the internet without authentication.
FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FUXA"})Description
FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication, exploit requires no special conditions.
Impact
Remote attackers can bypass authentication and gain full administrative access.
Remediation
Update to the latest version that removes hard-coded credentials.
FaceFusion Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "FaceFusion"})Description
FaceFusion panel was detected. FaceFusion is a next-generation face swapper and enhancer.
Falcosidekick UI Login Panel - Detect
Author: righettodAdded: Jul 14, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Falcosidekick"})Description
Falcosidekick UI login panel was detected.
Faraday Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)faradayApp"Description
Faraday login panel was detected.
FastAdmin < V1.3.4.20220530 - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-1036943727"Description
A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.
Impact
Authenticated attackers can exploit path traversal to read sensitive files including database configuration files containing credentials, usernames, passwords, and other critical system information.
Remediation
Update FastAdmin to version 1.3.4.20220530 or later to address the path traversal vulnerability in the lang parameter.
FastGPT Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)FastGPT 是一个"Description
FastGPT is a knowledge-based platform built on the LLM, offering out-of-the-box
data processing and model invocation capabilities.
FastMile 5G Gateway Panel - Detect
runzero-match
service["http.body"] matches "(?i)FastMile 5G Gateway"Description
FastMile 5G Gateway web interface was discovered.
Fastify Swagger-UI - Information Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "-1180440057"Description
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.
Impact
Unauthenticated attackers can access sensitive files in the Fastify Swagger-UI module directory, potentially exposing source code or configuration files.
Remediation
Update @fastify/swagger-ui to version 2.1.0 or later, or configure the baseDir option.
Fastly Backend Server Information Disclosure
runzero-match
service["http.head.xBackendServer"] != ""Description
Detected Fastly CDN misconfigured and exposing backend/origin server IP addresses or hostnames in HTTP response headers.
Feiyuxing Enterprise-Level Management System - Default Login
Author: SleepingBag945Added: Aug 21, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)飞鱼星企业级智能上网行为管理系统"})Description
Attackers can log in through admin:admin, check the system status, and configure the device.
Femtocell Access Point Panel - Detect
Author: DhiyaneshDkAdded: Apr 23, 2024
runzero-match
service["http.body"] matches "(?i)Femtocell Access Point"Description
Femtocell Access Point panel was discovered.
Fides Privacy Center ≤ 2.39.1 - Server-Side URL Disclosure
runzero-match
service["http.body"] matches "(?i)SERVER_SIDE_FIDES_API_URL"Description
Fides versions 2.19.0 to before 2.39.2rc0 contain an information disclosure caused by unauthenticated HTTP GET request to the Privacy Center, letting attackers access the SERVER_SIDE_FIDES_API_URL, which may reveal server configuration details, exploit requires no authentication.
Impact
Attackers can obtain server-side URLs, revealing private IPs, ports, and domain names, potentially aiding further targeted attacks.
Remediation
Update to version 2.39.2rc0 or later.
File Browser Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1052926265"FileCatalyst File Transfer Solution - Detect
Author: DhiyaneshDKAdded: Sep 18, 2024
runzero-match
service["http.body"] matches "(?i)FileCatalyst file transfer solution"Description
Detects the presence of FileCatalyst file transfer solution login panel
FileGator Panel - Detect
Author: ritikchaddhaAdded: Sep 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FileGator"})FileMage Gateway - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)filemage"})Description
Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.
Impact
An attacker can view, modify, or delete sensitive files on the system, potentially leading to unauthorized access, data leakage, or system compromise.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in FileMage Gateway.
Filegator - Default-Login
Author: ritikchaddhaAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "FileGator"})Financial Transaction Manager Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ftm manager" || any(each(service["html.titles"]), {# matches "(?i)ftm manager"})Description
Financial Transaction Manager login panel was detected.
Fireware XTM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fireware xtm user authentication"})Description
Fireware XTM login panel was detected.
Flahscookie Superadmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flahscookie Superadmin"})Description
Flahscookie Superadmin login panel was detected.
Flatpress < 1.3 - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-1189292869" || service["http.body"] matches "(?i)flatpress"Description
Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3.
Impact
Unauthenticated attackers can exploit path traversal to access and list sensitive directories and files in the FlatPress blogging system, potentially exposing configuration files and user data.
Remediation
Update FlatPress to version 1.3 or later that properly validates directory paths and prevents unauthorized directory listing in fp-content.
FleetCart 4.1.1 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)FleetCart"Description
Issues with information disclosure in redirect responses. Accessing the majority of the website's pages exposes sensitive data, including the "Razorpay" "razorpayKeyId".
Impact
Unauthenticated attackers can access sensitive configuration data including Razorpay payment gateway API keys through information disclosure in redirect responses.
Remediation
Update FleetCart to a version later than 4.1.1 that addresses this information disclosure vulnerability.
FlexNet Operations Panel - Detect
Author: righettodAdded: Jan 26, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FlexNet Login"})Description
FlexNet Operations was detected — a software monetization platform.
Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/flexible-checkout-fields/"Description
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored.
Impact
Unauthenticated attackers can arbitrarily update plugin settings and inject stored XSS payloads, potentially taking over the WordPress site or stealing administrator credentials.
Remediation
Fixed in 2.3.2.
FlightPath - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1560589236" || service["http.body"] matches `(?i)FlightPath\.settings`Description
FlightPath versions prior to 4.8.2 and 5.0-rc2 are vulnerable to local file inclusion.
Impact
This vulnerability can lead to unauthorized access, data leakage, and remote code execution.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
FlightPath Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)flightpath"})Description
FlightPath login panel was detected.
Flock Safety Camera Admin Panel - Detect
Author: inokiiAdded: Dec 25, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flock Admin"})Description
Detected the Flock Safety camera admin panel.
Flowise 1.6.5 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-2051052918"Description
The flowise version <= 1.6.5 is vulnerable to authentication bypass vulnerability.
Impact
Attackers can bypass authentication and gain unauthorized access to the Flowise application and its data.
Remediation
Update Flowise to version 1.6.6 or later.
Flowise <= 1.8.2 Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-2051052918"Description
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality.
Impact
Unauthenticated attackers can bypass authentication to access administrative API endpoints, gaining unauthorized access to restricted functionality, API keys, and administrative operations.
Remediation
Update Flowise to a version later than 1.8.2 to address the authentication bypass vulnerability.
Flowise <= 3.0.5 - Account Takeover
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flowise - Build AI Agents, Visually"})Description
Flowise versions 3.0.5 and earlier had a vulnerability in the forgot-password endpoint, which returned valid reset tokens without authentication—allowing attackers to reset passwords and take over accounts.
Impact
Unauthenticated attackers can obtain valid password reset tokens without authentication, enabling account takeover of any user including administrators through password reset attacks.
Remediation
Upgrade Flowise to version 3.0.6 or later that properly protects password reset token generation.
Flowise Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flowise - Build AI Agents, Visually"})Description
Flowise panel was detected. Flowise is an open-source drag-and-drop LLM flow builderand AI agent platform. Exposed instances may reveal AI workflow configurations, API keys, and connected data sources.
FlureeDB Admin Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FlureeDB Admin Console"})Description
FlureeDB Admin Console login panel was detected.
FootPrints Service Core Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FootPrints Service Core Login"})Description
FootPrints Service Core login panel was detected.
Forcepoint Appliance
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Forcepoint Appliance"})ForgeRock OpenAM <7.0 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openam"})Description
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages.
The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted
/ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO)
found in versions of Java 8 or earlier.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade ForgeRock OpenAM to version 7.0 or later to mitigate this vulnerability.
Fork CMS - Installer
Author: DhiyaneshDkAdded: Jan 12, 2026
runzero-match
service["http.body"] matches "(?i)Install Fork CMS"Description
Fork CMS installer page was detected.
Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/form-maker/"Description
The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE.
Impact
Unauthenticated attackers can exploit missing signature validation to upload arbitrary files and achieve remote code execution on WordPress installations running vulnerable Form-Maker plugins.
Remediation
Fixed in 1.15.20
FormLift for Infusionsoft Web Forms <= 7.5.17 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/formlift/"Description
The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to SQL Injection via the 'form_id' parameter in versions up to, and including, 7.5.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data disclosure or manipulation.
Remediation
Update to the latest version of FormLift for Infusionsoft Web Forms.
Formidable Forms < 2.05.02 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)formidable" && service["http.body"] matches "wp-content/plugins"Description
Formidable Form Builder for WordPress versions before 2.05.03 contains a stored cross-site scripting caused by insufficient input sanitization and output escaping in form parameters like 'after_html', letting unauthenticated attackers inject and execute arbitrary scripts in victims' browsers
Impact
Attackers can execute arbitrary scripts in users' browsers, potentially leading to session hijacking, defacement, or redirection.
Remediation
Update to version 2.05.03 or later.
FortiADC Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiadc"})Description
FortiADC login panel was detected.
FortiAP Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiap"})Description
FortiAP login panel was detected.
FortiAuthenticator - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1653412201"Description
The FortiAuthenticator panel was detected.
FortiClient EMS - Authentication Bypass
runzero-match
service["product"] contains "Fortinet:FortiClient Endpoint Management Server"Description
Detects whether Fortinet hotfix FG-IR-26-099 for CVE-2026-35616 is missing by comparing behavioral responses from a certificate-authenticated endpoint. The template sends X-SSL-CLIENT-VERIFY: SUCCESS without certificate material and checks whether this spoofed header changes server behavior.
Impact
If spoofing X-SSL-CLIENT-VERIFY changes backend behavior, Apache is likely not stripping the header before Django, indicating the target is still vulnerable.
Remediation
Apply Fortinet hotfix FG-IR-26-099 or upgrade to FortiClient EMS 7.4.7+.
FortiClient Endpoint Management Server Panel - Detect
Author: h4sh5Added: Mar 18, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-800551065"FortiOS Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "945408572" || service["http.body"] matches "(?i)/remote/login"Description
FortiOS admin login panel was detected.
FortiRecorder Panel - Detect
Author: rxeriumAdded: Jun 4, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FortiRecorder"})Description
FortiRecorder Panel was discovered.
FortiWLM - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FortiWLM Login"})Description
A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
Impact
Unauthenticated attackers can exploit path traversal through the imagename parameter in ezrf_lighttpd.cgi to read arbitrary files and potentially execute unauthorized code, compromising the entire Fortinet FortiWLM wireless LAN management system.
Remediation
Update Fortinet FortiWLM to version 8.6.6 or 8.5.5 or later that validates file paths in ezrf_lighttpd.cgi and prevents directory traversal attacks.
FortiWeb - Cross Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiweb - "})Description
FortiWeb 6.3.0 through 6.3.7 and versions before 6.2.4 contain an unauthenticated cross-site scripting vulnerability. Improper neutralization of input during web page generation can allow a remote attacker to inject malicious payload in vulnerable API end-points.
Impact
Successful exploitation of this vulnerability can result in the compromise of sensitive user information, session hijacking.
Remediation
Apply the latest security patches or updates provided by Fortinet to fix the XSS vulnerability in FortiWeb.
Fortinet FortiClientEMS 7.4.4 - SQL Injection
runzero-match
service["product"] contains "Fortinet:FortiClient Endpoint Management Server"Description
Fortinet FortiClientEMS version 7.4.4 and earlier contains an unauthenticated SQL injection vulnerability in the /api/v1/init_consts endpoint. The 'Site' HTTP header value is passed directly into the PostgreSQL search_path without sanitization, allowing remote unauthenticated attackers to inject arbitrary SQL commands. This can lead to information disclosure, database manipulation, or OS command execution when chained with PostgreSQL functions.
Impact
An unauthenticated remote attacker can execute arbitrary SQL queries against the backend PostgreSQL database, potentially extracting sensitive data, modifying database contents, or achieving remote code execution through PostgreSQL-specific functions (e.g., COPY, lo_import, pg_read_file).
Remediation
Upgrade FortiClientEMS to a patched version as recommended by Fortinet. As a workaround, restrict network access to the FortiClientEMS management interface and apply WAF rules to filter malicious Site header values.
Fortinet FortiDDoS Panel
Author: johnk3rAdded: May 26, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiddos"})Description
Fortinet FortiDDoS panel was detected.
Fortinet FortiMail Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortimail"})Description
Fortinet FortiMail login panel was detected.
Fortinet FortiNAC Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortinac"})Description
Fortinet FortiNAC login panel was detected.
Fortinet FortiOS - Credentials Disclosure
runzero-match
service["http.body"] matches "(?i)/remote/login\" \"xxxxxxxx" || service["favicon.ico.image.mmh3"] == "945408572"Description
Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).
Impact
An attacker can obtain sensitive information such as usernames and passwords.
Remediation
Apply the necessary patches or updates provided by Fortinet to fix the vulnerability.
Fortinet FortiOS Management Interface Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "945408572" || service["http.body"] matches "(?i)/remote/login"Description
Fortinet FortiOS Management interface panel was detected.
Fortinet FortiSIEM - OS Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1341442175" and service["http.body"] matches "(?i)var hst = location\\.hostname" and service["protocol"] contains "http" and service["service.transport"] contains "tcp"Description
FortiSIEM versions 6.4.0 through 7.1.1 contain an OS command injection vulnerability in the Phoenix Monitor service. The vulnerability exists in the XML parsing of TEST_STORAGE elements where the mount_point field is not properly sanitized before being passed to shell commands, allowing unauthenticated remote code execution.
Impact
Unauthenticated attackers can execute arbitrary commands on the FortiSIEM system, potentially leading to full system compromise, data exfilteration, lateral movement, and complete bypass of security monitoring capabilities.
Remediation
Update FortiSIEM to versions newer than 7.1.1. Implement network segmentation to restrict access to Phoenix Monitor service (TCP/7900) and monitor for suspicious connections to this port.
Fortinet FortiSIEM - OS Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1341442175" and service["http.body"] matches "(?i)var hst = location\\.hostname" and service["service.transport"] contains "tcp" and service["protocol"] contains "http"Description
Fortinet FortiSIEM 6.7.9 < version <= 7.3.1 contains an OS command injection caused by improper neutralization of special elements in CLI requests, letting unauthenticated attackers execute unauthorized commands remotely.
Impact
Unauthenticated attackers can execute arbitrary commands, potentially leading to full system compromise.
Remediation
Update to the latest version beyond 7.3.1.
Fortinet FortiSandbox Panel - Detect
Author: Umut ÖZEN,rxeriumAdded: Apr 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FortiSandbox"})Description
Fortinet FortiSandbox login panel was discovered.
Fortinet FortiTester Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortitester"})Description
Fortinet FortiTester login panel was detected.
Fortinet FortiWLM Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)fortiwlm" || any(each(service["html.titles"]), {# matches "(?i)fortiwlm"})Description
Fortinet FortiWLM login panel was detected.
Fortinet FortiWeb - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FortiWeb - "})Description
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
Impact
An attacker can exploit this vulnerability to execute unauthorized SQL commands, potentially leading to data exposure, data manipulation, or system compromise.
Remediation
Apply the latest security patches provided by Fortinet to fix the SQL injection vulnerability in FortiWeb.
Fortinet FortiWeb Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fortiweb - "})Description
Fortinet FortiWeb login panel was detected.
Fortinet Forticlient Endpoint Management Server - SQL Injection
runzero-match
service["service.transport"] == "tcp" and service["service.port"] == "8013" and asset["hw_vendor"] matches `(?i)Fortinet`Description
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
Impact
Unauthenticated attackers can execute arbitrary SQL commands through specially crafted network packets to the FortiClient Endpoint Management Server, potentially compromising the database, accessing sensitive endpoint data, and executing unauthorized code.
Remediation
Upgrade FortiClient EMS to version 7.2.3 or later for the 7.2.x series, or version 7.0.11 or later for the 7.0.x series.
Fortinet Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FORTINET LOGIN"})Description
Fortinet login panel was detected.
Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection
runzero-match
service["http.body"] matches "(?i)FileCatalyst file transfer solution, easily transfer large files"Description
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
Impact
Attackers can execute SQL injection to create administrative users, delete or modify application database content. Unauthenticated exploitation is possible if anonymous access is enabled.
Remediation
Update Fortra FileCatalyst Workflow to version 5.1.7 Build 136 or later to address the SQL injection vulnerability.
Fortra GoAnywhere MFT - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1484947000,1828756398,1170495932" || service["favicon.ico.image.mmh3"] == "1484947000" || service["http.body"] matches "(?i)goanywhere managed file transfer"Description
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Impact
Unauthenticated attackers can bypass authentication to create administrator accounts, leading to complete control over the GoAnywhere MFT system and access to all managed file transfers and sensitive data.
Remediation
Upgrade to Fortra GoAnywhere MFT version 7.4.1 or later.
Four-Faith F3x36 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Four-Faith"Description
Four-Faith F3x36 router with firmware v2.0.0 contains an authentication bypass caused by hard-coded credentials in the administrative web server, letting attackers with knowledge of credentials gain administrative access via crafted HTTP requests.
Impact
Attackers can gain unauthorized administrative access, potentially leading to full control over the device.
Remediation
Update to the latest firmware version provided by the vendor to fix hard-coded credential issues.
FoxCMS v.1.2.5 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)foxcms-(logo|container)"Description
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
Impact
Unauthenticated attackers can execute arbitrary code through the id parameter in the index.html component, leading to complete server compromise.
Remediation
Update to the latest version of FOXCMS if available. If no patch is available,implement WAF rules to block malicious requests to the /images/index.html endpoint with suspicious 'id' parameter values.
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Franklin Fueling Systems"Description
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 is susceptible to local file inclusion because of insecure handling of a download function that leads to disclosure of internal files due to path traversal with root privileges.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data.
Remediation
Apply the latest security patch or update provided by Franklin Fueling Systems to fix the LFI vulnerability.
Frappe Framework - Default Login Credentials
Author: DhiyaneshDkAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)Login to Frappe|frappe(?:\.(?:csrf_token|boot)|-web\.bundle)`Description
Frappe Framework (and ERPNext) is accessible using the default credentials Administrator:admin. Successful login exposes full administrative access to the ERP/CRM system and underlying data.
Frappe Helpdesk Login Panel - Detect
Author: righettodAdded: Jan 19, 2025
runzero-match
service["http.body"] matches "(?i)window\\.frappe_version"Description
Frappe Helpdesk products was detected.
Frappe Panel - Detect
Author: Th3l0newolfAdded: May 3, 2025
runzero-match
service["http.body"] matches "(?i)Login to Frappe"Description
Frappe ERPNext Login Panel was discovered.
Free5gc 3.2.1 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)free5gc web console"})Description
Free5gc 3.2.1 is susceptible to information disclosure. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability could result in unauthorized access to sensitive information.
Remediation
Apply the latest patch or upgrade to a patched version of Free5gc 3.2.1 to mitigate the vulnerability.
FreeIPA - XML Entity Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Identity Management\" html:\"FreeIPA"})Description
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server.
Remediation
Apply the latest security patches and updates provided by the vendor to fix the XML Entity Injection vulnerability in FreeIPA.
FreeIPA Identity Management Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)freeipa"Description
FreeIPA Identity Management login panel was detected.
FreePBX - CVE-2025-57819 Backdoor
Author: darsesAdded: Aug 28, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)FreePBX"}) || service["favicon.ico.image.mmh3"] == "-1908328911" || service["favicon.ico.image.mmh3"] == "1574423538"Description
FreePBX backdoor cleanup script used in 0-day exploitation of CVE-2025-57819 was detected.
FreePBX - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "1574423538" || any(each(service["html.titles"]), {# matches "(?i)FreePBX"}) || service["favicon.ico.image.mmh3"] == "-1908328911"Description
Detected FreePBX administration panel was using default admin credentials (admin:admin). An attacker could gain full administrative access to the PBX system, manage extensions, trunks, and call routing.
FreePBX Admin Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1574423538" || any(each(service["html.titles"]), {# matches "(?i)FreePBX"}) || service["favicon.ico.image.mmh3"] == "-1908328911"Description
FreePBX admin panel was detected.
FreshRSS Fever API - Exposure
Author: ritikchaddhaAdded: Jan 29, 2026
runzero-match
service["http.body"] matches "(?i)FreshRSS"Description
Detected an exposed FreshRSS instance with the Fever API enabled, which could allow unauthorized access to RSS feed data and user-related information via accessible Fever-compatible API endpoints.
FreshRSS Google Reader API Exposure
Author: DhiyaneshDkAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)FreshRSS"Description
Detected an exposed FreshRSS instance with the Google Reader API enabled, which could have allowed unauthorized access to RSS feeds and user-related data via accessible API endpoints.
Freshrss Panel - Detect
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Freshrss"})Description
Freshrss panel has been detected.
Friendica Panel - Detect
Author: righettodAdded: Jan 28, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)friendica"})Description
Friendica Login Panel was detected.
Fronius Datalogger Web - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)Fronius Datalogger Web`Description
Fronius Datalogger Web is a web interface for Fronius solar inverter data loggers, providing real-time monitoring and configuration of photovoltaic systems.
Fronius Inverter - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Fronius Inverter"})Description
Fronius Inverter is the web interface for Fronius GEN24 and Symo series solar inverters, providing real-time monitoring, configuration, and energy management for photovoltaic systems.
Froxlor Server Management Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)froxlor server management panel"})Description
Froxlor Server Management login panel was detected.
Fuel CMS 1.4.7 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fuel cms"})Description
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
Remediation
Fixed in version 115
Fuel CMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fuel cms"})Description
Fuel CMS login panel was detected.
Fuji Xerox Printer Panel - Detect
runzero-match
service["http.body"] matches "(?i)Fuji Xerox Co\\., Ltd"Description
Fuji Xerox printer panel was detected.
Fujian Kelixin Communication - Command Injection
runzero-match
service["http.body"] matches "(?i)app/structure/departments\\.php"Description
A vulnerability was found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240318 and classified as critical. Affected by this issue is some unknown functionality of the file api/client/user/pwd_update.php.
Impact
Authenticated attackers can extract sensitive database information via time-based SQL injection in the usr_number parameter.
Remediation
Update Fujian Kelixin Communication Command and Dispatch Platform to a version newer than 20240318.
Fujitsu IP Series - Hardcoded Credentials
runzero-match
service["http.head.server"] matches "thttpd/2.25b 29dec2003\" content-length:1133"Description
Fujitsu Real-time Video Transmission Gear “IP series” use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. The credentials cannot be changed by the end-user and provide administrative access to the devices.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to the device, potentially resulting in further compromise of the network.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Fumasoft Cloud - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Fumeng Cloud"})Description
There is a SQL injection vulnerability in the AjaxMethod.ashx file of Fumasoft Cloud. Attackers can obtain server permissions through the vulnerability
Fumeng - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)孚盟云 "})Description
The Fumeng AjaxMethod.ashx file has an SQL injection vulnerability. Attackers can use this vulnerability to obtain server data.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Implement input validation and use parameterized queries to prevent SQL Injection attacks.
FusionAuth Admin Panel - Detect
Author: ritikchaddhaAdded: Nov 6, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)fusionauth"})GE Proficy WebSpace - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)Proficy WebSpace"Description
GE Proficy WebSpace is a thin-client delivery platform for GE Proficy
HMI/SCADA (iFIX, CIMPLICITY) applications over the web. It exposes
industrial HMI screens via browser on TCP/491 by default. The Server
header "WebSocket++/0.7.0" is a unique indicator.
GL.iNET SSID Key Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GL\\.iNet Admin Panel"})Description
An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key.
Impact
Unauthenticated attackers can retrieve Wi-Fi SSID and password information through the mesh status API endpoint, potentially allowing unauthorized access to the wireless network and intercepting network traffic.
Remediation
Update GL.iNET firmware to version 3.216 or later that requires authentication for the /api/router/mesh/status endpoint and protects Wi-Fi credentials.
GLPI 9.2/<9.5.6 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)setup glpi" || any(each(service["html.titles"]), {# matches "(?i)glpi"}) || service["favicon.ico.image.mmh3"] == "-1474875778"Description
GLPI 9.2 and prior to 9.5.6 is susceptible to information disclosure via the telemetry endpoint, which discloses GLPI and server information. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Information disclosure vulnerability in GLPI versions 9.2 to <9.5.6 allows an attacker to access sensitive information.
Remediation
This issue is fixed in version 9.5.6. As a workaround, remove the file ajax/telemetry.php, which is not needed for usual GLPI functions.
GLPI < 10.0.17 - Pre-Auth SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GLPI"})Description
A pre-authentication SQL injection vulnerability exists in the Inventory feature of GLPI. The vulnerability is caused by insufficient sanitization of user input in the handleAgent function when processing XML requests. The issue occurs because SimpleXMLElement objects can bypass the dbEscapeRecursive function, allowing an attacker to inject SQL queries. This can lead to unauthorized access to sensitive information in the database, including user credentials and potential authentication bypass.
Impact
Unauthenticated attackers can execute arbitrary SQL queries through XML requests to the Inventory feature, potentially extracting user credentials, bypassing authentication, and accessing sensitive database information.
Remediation
Upgrade to GLPI version 10.0.18 or later. If upgrading is not immediately possible, consider disabling the Inventory feature or restricting access to it.
GLPI <=10.0.2 - Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-1474875778" || any(each(service["html.titles"]), {# matches "(?i)glpi"}) || service["http.body"] matches "(?i)setup glpi"Description
GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade GLPI to a version higher than 10.0.2 to mitigate this vulnerability.
GLPI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)glpi"}) || service["favicon.ico.image.mmh3"] == "-1474875778"Description
GLPI panel was detected.
GNU Mailman Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mailing lists"})Description
GNU Mailman panel was detected. Panel exposes all public mailing lists on server.
GUDE - Default Login
runzero-match
service["http.body"] matches "(?i)Expert Net Control"Description
GUDE 2301 and 2302 default administrator login credentials (admin:admin) were detected.
GXD5 Pacs Connexion Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GXD5 Pacs Connexion utilisateur"})Description
GXD5 Pacs Connexion panel was detected.
GYRA Master Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login \\| GYRA Master Admin"})Description
GYRA Master Admin login panel was detected.
Ganglia Web Interface (v3.7.3 - v3.7.5) - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)ganglia_form\\.submit\\(\\)"Description
A cross-site scripting (XSS) vulnerability in the component /graph_all_periods.php of Ganglia-web v3.73 to v3.75 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "g" parameter.
Impact
Authenticated attackers can execute arbitrary JavaScript or HTML in victim browsers by injecting malicious payloads into the g parameter.
Remediation
Update Ganglia-web to version 3.7.6 or later to address the XSS vulnerability in the graph parameter.
Gargoyle Router Management Utility Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gargoyle Router Management Utility"})Description
Gargoyle Router Management Utility admin login panel was detected.
GenieACS => 1.2.8 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)genieacs" || service["favicon.ico.image.mmh3"] == "-2098066288"Description
In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade to a patched version of GenieACS or apply the necessary security patches to mitigate the vulnerability.
GeoServer - Missing Authorization on REST API Index
runzero-match
any(each(service["html.titles"]), {# matches "(?i)geoserver"}) || service["favicon.ico.image.mmh3"] == "97540678"Description
GeoServer contains a missing authorization vulnerability that allows unauthorized access to the REST API Index page, potentially exposing sensitive configuration information.
Impact
Unauthenticated users can access the GeoServer REST API Index page, potentially exposing sensitive configuration information and available API endpoints.
Remediation
Upgrade to the latest GeoServer version that implements proper authorization checks for the REST API Index page.
GeoServer - XML External Entity Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)geoserver"}) || service["http.body.mmh3"] == "1093634893" || service["favicon.ico.image.mmh3"] == "97540678" || service["http.body"] matches "(?i)/geoserver/"Description
GeoServer 2.26.0 to 2.26.2 and 2.25.6 contains an XML External Entity (XXE) injection caused by insufficient sanitization of XML input in /geoserver/wms GetMap operation, letting attackers disclose files or cause DoS, exploit requires crafted XML input.
Impact
Attackers can disclose sensitive files or cause denial of service by exploiting XML external entity processing.
Remediation
Update to GeoServer 2.25.6, 2.26.3, 2.27.0 or later.
GeoServer <1.2.2 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)geoserver"}) || service["favicon.ico.image.mmh3"] == "97540678"Description
Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
Remediation
1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
GeoServer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)geoserver"}) || service["favicon.ico.image.mmh3"] == "97540678"Description
GeoServer login panel was detected.
Geoserver Admin - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "GeoServer: Welcome"})Description
Geoserver default admin credentials were discovered.
Ghost CMS Content API - SQL Injection
runzero-match
service["product"] contains "Ghost:Ghost"Description
Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload.
Impact
An unauthenticated attacker can extract arbitrary data from the Ghost database including user credentials, API keys, and all content, potentially leading to full compromise of the CMS.
Remediation
Upgrade Ghost CMS to version 6.19.1 or later which uses parameterized queries for slug filter ordering.
Ghost CMS Installation Setup - Exposure
Author: 0x_AkokoAdded: Mar 20, 2026
runzero-match
service["product"] contains "Ghost:Ghost"Description
Detected Ghost CMS installation setup wizard accessible without authentication. An unauthenticated remote attacker can navigate to
/ghost/#/setup and complete the installation to gain full owner-level administrative control of the site.
Gibbon v25.0.0 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-165631681"Description
Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) vulnerability where it's possible to include the content of several files present in the installation folder in the server's response.
Impact
The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.
Remediation
Upgrade to a patched version of Gibbon or apply the necessary security patches to mitigate the LFI vulnerability.
Gira HomeServer 4 Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gira HomeServer 4"})Description
Gira HomeServer 4 login panel was detected.
GitHub Enterprise - Encrypted SAML
Author: rootxharsh,iamnoooob,pdresearchAdded: Nov 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitHub Enterprise"})Description
This template checks if Encrypted SAML (Security Assertion Markup Language) is enabled on a GitHub Enterprise instance.
GitLab CE/EE - Hard-Coded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitLab"})Description
GitLab CE/EE contains a hard-coded credentials vulnerability. A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML), allowing attackers to potentially take over accounts. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Affected versions are 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized actions within the GitLab application.
Remediation
Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the reference section below.
GitLab CE/EE - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitLab"})Description
GitLab CE/EE is susceptible to information disclosure. An attacker can access runner registration tokens using quick actions commands, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are from 12.10 before 14.6.5, from 14.7 before 14.7.4, and from 14.8 before 14.8.2.
Impact
An attacker can gain access to sensitive information stored in GitLab.
Remediation
Apply the necessary patches or updates provided by GitLab to fix the vulnerability.
GitLab CE/EE - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)gitlab-ci\\.yml" || any(each(service["html.titles"]), {# matches "(?i)gitlab"}) || service["http.body"] matches "(?i)gitlab enterprise edition"Description
GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected GitLab instance.
Remediation
Upgrade to GitLab CE/EE version 13.10.3 or 13.11.1 to mitigate this vulnerability.
GitLab GraphQL API User Enumeration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitlab"}) || service["http.body"] matches "(?i)gitlab enterprise edition" || service["http.body"] matches "(?i)gitlab-ci\\.yml"Description
An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
Impact
An attacker can enumerate valid usernames, which can be used for further attacks such as brute-forcing passwords or launching targeted phishing campaigns.
Remediation
Implement rate limiting or CAPTCHA on the GraphQL API to prevent user enumeration.
GitLab Instance Explore - Detect
Author: Sujal TuladharAdded: Oct 7, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitLab"})Description
This template checks for GitLab instances by verifying if /explore and /api/v4/projects endpoints are accessible with a 200 response.
Gitblit - Default Login
Author: ritikchaddhaAdded: Jul 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Gitblit"})Description
Gitblit Default login credentials were discovered.
Gitblit Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitblit"}) || service["http.body"] matches "(?i)gitblit"Description
Gitblit login panel was detected — a pure Java stack for managing, viewing, and serving Git repositories.
Gitea 1.4.0 - Remote Code Execution
Author: theamanrawatAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Installation - Gitea: Git with a cup of tea"})Description
Gitea 1.4.0 is vulnerable to remote code execution.
Gitea Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)powered by gitea version" || any(each(service["html.titles"]), {# matches "(?i)gitea"})Description
Gitea login panel was detected.
Gitea Public Repository - Exposure
Author: theamanrawatAdded: Jan 20, 2026
runzero-match
service["product"] contains "Gitea:Gitea"Description
Detected publicly accessible Gitea instances exposing repository listings and user information without authentication.
Github Enterprise Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Setup GitHub Enterprise"})Description
Github Enterprise login panel was detected.
Gitlab CE/EE 10.5 - Server-Side Request Forgery
runzero-match
service["product"] contains "GitLab:GitLab"Description
GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
- CVE-2021-39935
- CVE-2021-22214
- CVE-2021-22175
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further attacks on the system.
Remediation
Upgrade Gitlab CE/EE to a version that is not affected by the vulnerability (10.6 or higher).
Gitlab CE/EE 13.4 - 13.6.2 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitlab"})Description
GitLab CE and EE 13.4 through 13.6.2 is susceptible to Information disclosure via GraphQL. User email is visible. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
An attacker can gain unauthorized access to sensitive information.
Remediation
Upgrade Gitlab CE/EE to version 13.6.3 or later.
Gitlab Default Login
runzero-match
any(each(service["html.titles"]), {# matches "GitLab"})Description
Gitlab default login credentials were discovered.
Gitlab Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitlab"})Description
Gitlab login panel was detected.
Gitlab SAML - Detection
Author: rootxharsh,iamnoooob,pdresearchAdded: Oct 5, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gitlab"}) || service["http.body"] matches "(?i)gitlab enterprise edition"Description
The presence of SAML-based authentication on GitLab instances. SAML is commonly used for Single Sign-On (SSO) integrations, which allows users to authenticate with GitLab using an external Identity Provider (IdP).
Gitness - Default Login
Author: 0x_AkokoAdded: Feb 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gitness"})Description
Detected Gitness instance was found using default admin credentials (admin/changeit).
Gladinet CentreStack & TrioFox - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CentreStack"})Description
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
Impact
Unauthenticated attackers can disclose sensitive system files, potentially leading to information leakage.
Remediation
Update to a version later than 16.7.10368.56560 or the latest available version.
Gladinet CentreStack & Triofox - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)CentreStack|Triofox"})Description
Gladinet CentreStack and Triofox < 16.12.10420.56791 contain a hardcoded credentials vulnerability caused by use of hardcoded AES cryptoscheme values, letting attackers perform arbitrary local file inclusion without authentication, potentially leading to full system compromise.
Impact
Attackers can exploit hardcoded AES keys to perform arbitrary local file inclusion, potentially leading to full system compromise.
Remediation
Update to version 16.12.10420.56791 or later.
Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
runzero-match
service["favicon.ico.image.mmh3"] == "1163764264"Description
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution.
Impact
Unauthenticated attackers can exploit hard-coded machineKey values to deserialize malicious payloads, achieving remote code execution and complete server compromise.
Remediation
Upgrade to Gladinet CentreStack version 16.4.10315.56368 or later that uses secure, randomly generated machineKeys.
Glances - Information Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "840398323" || any(each(service["html.titles"]), {# matches "(?i)Glances"})Description
Glances < 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials, exploit requires no special privileges.
Impact
Remote attackers can access sensitive system information including credentials, risking data exposure and system compromise.
Remediation
Update to version 4.5.2 or later.
Glimpse Diagnostics - Sensitive Data Exposure
runzero-match
service["http.body"] matches "(?i)Glimpse\\.axd"Description
Detected Glimpse diagnostics endpoint. Glimpse is a .NET diagnostics tool that reveals detailed request information, server configuration, SQL queries, connection strings, and session data.
Glowroot - Panel
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Glowroot"})GnuBoard5 5.5.16 - Open Redirect
runzero-match
service["http.body"] matches "(?i)GnuBoard5"Description
Gnuboard5 5.5.16 contains an open redirect vulnerability caused by insufficient URL parameter verification in bbs/logout.php, letting remote attackers redirect users to arbitrary URLs, exploit requires crafted URL parameter.
Impact
Remote attackers can redirect users to malicious sites, potentially leading to phishing or information theft.
Remediation
Update to the latest version of Gnuboard5.
Go.Control Event Administration Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Go\\.Control"})Description
Detects the presence of the Go.Control Event Administration login panel.
GoAnywhere - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GoAnywhere"})Description
Fortra GoAnywhere MFT contains an insecure deserialization vulnerability in the License Servlet caused by deserializing attacker-controlled objects with a valid forged license response signature, letting attackers perform command injection, exploit requires valid forged license signature.
Impact
Attackers can execute arbitrary commands remotely, potentially leading to full system compromise.
Remediation
Update to the latest version with the deserialization fix.
GoAnywhere Managed File Transfer Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)GoAnywhere Managed File Transfer"Description
GoAnywhere Managed File Transfer login panel was detected.
GoCD Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)create a pipeline - go"}) || service["http.body"] matches "(?i)gocd version"Description
GoCD login panel was detected.
Gogs (Go Git Service) - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in - gogs"})Description
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the entire system.
Remediation
Apply the latest security patches and updates provided by the Gogs project to mitigate the SQL Injection vulnerability.
Gogs (Go Git Service) 0.11.66 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in - gogs"})Description
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
This issue will be fixed by updating to the latest version of Gogs.
Gogs <= 0.13.3 - Remote Code Execution
runzero-match
service["product"] contains "Gogs:Gogs"Description
Gogs self-hosted Git service versions 0.13.3 and earlier contain a critical symlink bypass vulnerability that circumvents the fix for CVE-2024-55947. Authenticated users can exploit improper symbolic link handling in the PutContents API to overwrite files outside the repository by committing a symlink pointing to sensitive targets, leading to remote code execution. As of December 2025, this remains an unpatched zero-day with active exploitation ongoing. Approximately 1,400 exposed Gogs instances exist, with over 700 showing signs of compromise. The vulnerability stems from the API writing to file paths without checking if targets are symlinks pointing outside the repository. Gogs maintainers are working on a fix.
Impact
Local attackers can execute arbitrary code, potentially leading to full system compromise.
Remediation
Update to the latest version of Gogs.
Gogs Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "917966895" || service["favicon.ico.image.mmh3"] == "1935513730" || any(each(service["html.titles"]), {# matches "(?i)sign in - gogs"}) || service["favicon.ico.image.mmh3"] == "-449283196"Description
Gogs login panel was detected.
Google Earth Enterprise Default Login
runzero-match
any(each(service["html.titles"]), {# matches "GEE Server"})Description
Google Earth Enterprise default login credentials were discovered.
Remediation
To reset the username and password:
sudo /opt/google/gehttpd/bin/htpasswd -c
/opt/google/gehttpd/conf.d/.htpasswd geapacheuse"
Gophish Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gophish - Login"})Description
Gophish login panel was detected.
Gotify Login Panel - Detect
Author: righettodAdded: Feb 15, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)gotify"})Description
Gotify login panel was detected.
Gradio - Absolute Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "Gradio"})Description
Gradio < 6.7 on Windows with Python 3.13+ contains an absolute path traversal caused by incorrect path validation in path joining logic, letting unauthenticated attackers read arbitrary files from the server.
Impact
Unauthenticated attackers can read arbitrary files on the server, potentially exposing sensitive information.
Remediation
Upgrade to version 6.7 or later.
Gradio - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)__gradio_mode__" || any(each(service["html.titles"]), {# matches "(?i)gradio"})Description
Gradio's Dropdown component is vulnerable to Local File Inclusion (LFI) when the value is a dictionary controlled by an attacker. In the postprocess of components, if the value type is a dict, it flows to the async_move_files_to_cache function. When the dictionary is crafted with a "path" key, it causes local file inclusion allowing attackers to read arbitrary files.
Gradle Develocity Build Cache Node Login Panel - Detect
Author: righettodAdded: Jul 11, 2024
runzero-match
service["http.body"] matches "(?i)Develocity Build Cache Node"Description
Gradle Develocity Build Cache Node login panel was detected.
Gradle Enterprise Build Cache Node Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Gradle Enterprise Build Cache Node"Description
Gradle Enterprise Build Cache Node login panel was detected.
Grafana & Zabbix Integration - Credentials Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
Impact
An attacker can obtain sensitive credentials, leading to unauthorized access and potential data breaches.
Remediation
Update to the latest version of the Grafana & Zabbix Integration plugin to fix the vulnerability.
Grafana - Exposes DingDing API Keys
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight in versions below or equals to 12.0.1.
Impact
Viewers can access DingDing alerting integration URLs containing access tokens through the alertmanager API, potentially enabling unauthorized message delivery and notification manipulation.
Remediation
Upgrade to Grafana version 12.0.2 or later that properly restricts access to DingDing integration settings.
Grafana 3.0.1-7.0.1 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Grafana"})Description
Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.
Remediation
Upgrade to 6.3.4 or higher.
Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Grafana"})Description
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the Grafana application.
Remediation
Upgrade to 8.2.3 or higher.
Grafana Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Grafana"})Description
Grafana default admin login credentials were detected.
Grafana Login Check
Author: parthmalhotra,pdresearchAdded: Jun 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Grafana"})Description
Checks for a valid login on self hosted Grafana instance.
Grafana Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
Grafana login panel was detected.
Grafana Snapshot - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accessing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can also delete snapshots by accessing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snapshot/:key, regardless of whether or not the snapshot is set to public mode (disabled by default).
Impact
An attacker can bypass authentication and gain unauthorized access to Grafana Snapshot feature.
Remediation
This issue has been resolved in versions 8.1.6 and 7.5.11. If you cannot upgrade you can block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
Grafana v8.x - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grafana"})Description
Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
Impact
An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
Remediation
Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.
Grandstream GRP - Default Login
Author: DhiyaneshDKAdded: May 21, 2026
runzero-match
service["http.body"] matches "(?i)tl\\.account\\.ucm\\.js"Description
Grandstream GRP series devices use default credentials (admin/admin). The web UI login sends a SHA-256 hash of the password to /cgi-bin/access. Successful authentication returns a JSON response with a session token, indicating full admin access to the device management interface.
Remediation
Change the default administrator password immediately. Update firmware to the latest version which generates random passwords on factory reset.
Grandstream GRP Panel - Detect
Author: DhiyaneshDkAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)tl\\.account\\.ucm\\.js"Description
Detected the presence of a Grandstream GRP web management login panel. The React-based SPA loads characteristic JavaScript modules including tl.account.ucm.js and webpack chunks for UCM modules.
GraphiQL - Exposure
Author: Vincent OlagbemideAdded: Mar 17, 2026
runzero-match
service["http.body"] matches "(?i)GraphiQL"Description
Detected publicly exposed GraphiQL consoles.
Graphite Browser Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Graphite Browser"})Description
Graphite Browser login panel was detected.
Gravity SMTP WordPress Plugin - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/gravity(?:smtp|forms)"Description
Gravity SMTP WordPress plugin <= 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication.
Impact
Unauthenticated attackers can access detailed system and configuration data, potentially aiding further attacks or information leakage.
Remediation
Update to the latest version beyond 2.1.4.
Graylog - Default Login
runzero-match
service["product"] contains "Graylog:Graylog"Description
Graylog instance is accessible with default admin credentials (admin/admin). This provides full administrative access to the log management platform, including the ability to read all ingested logs, create inputs, configure pipelines, and manage users.
Impact
An attacker with admin access to Graylog can read all collected log data which may contain credentials, API keys, internal IPs, and sensitive business information. They can also create new inputs to intercept future log data or modify pipelines to redirect/suppress logs.
Remediation
Change the default root_password_sha2 in the Graylog server.conf configuration file. Use a strong, unique password for the admin account.
Graylog Login Panel - Detect
Author: righettodAdded: Mar 8, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Graylog Web Interface"})Description
Graylog login panel was detected.
Greenbone Security Assistant Panel - Detect
Author: pbuff07Added: Aug 24, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)greenbone security assistant"})Description
Greenbone Security Assistant Web Panel is detected
Grocy - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)grocy"}) && service["http.body"] contains "grocy-version"Description
Detected Grocy was found using default credentials admin:admin.Successful authentication grants full access to the household management platform including all stock data, chores, recipes, and user settings.
Group-IB Managed XDR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Group-IB Managed XDR"})Description
Group-IB Managed XDR login panel was detected.
Growatt Shinelink - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Growatt Shinelink"})Description
Growatt Shinelink is a web-based data logger and monitoring interface for Growatt solar inverters, providing real-time solar energy production data and system configuration.
Gryphon Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Gryphon"})Description
Gryphon router panel was detected.
Gurock TestRail Application files.md5 Exposure
runzero-match
service["http.body"] matches "(?i)testrail"Description
Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
Impact
An attacker could use the exposed files.md5 to gain insight into the application's file structure and potentially identify vulnerabilities or sensitive information.
Remediation
Securely restrict access to the files.md5 file and ensure that it is not accessible to unauthorized users.
Güralp Systems FMUS Series - Unauthenticated Access
runzero-match
service["service.port"] == "4244" and service["service.transport"] contains "tcp" and service["banner"] matches `(?i)\s*Welcome\s+to\s+(FMUS|MINP?)-[A-Fa-f0-9]{4}[^,]+,\s*type\s+"help"\s+for\s+a\s+list\s+of\s+available\s+commands`Description
Güralp Systems FMUS Series Seismic Monitoring Devices expose an unauthenticated Telnet-based command line interface that allows attackers to modify hardware configurations, manipulate data, or factory reset the device.
Impact
Successful exploitation of this vulnerability could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.
Remediation
Update to the latest firmware version or apply vendor recommended patches to secure Telnet access.
H2 Console Web Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)h2 console"})Description
H2 Console Web login panel was detected.
H2O ImportFiles - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)h2o flow"})Description
An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.
Impact
Unauthenticated attackers can read any file on the server via the ImportFiles endpoint, potentially exposing sensitive data including database contents and application code.
Remediation
Update H2O to a version that implements proper authentication and authorization controls for the ImportFiles endpoint.
H2O Wave ML Application Server - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)H2O Wave"})Description
H2O Wave was detected. H2O Wave was an open-source Python development framework for building real-time interactive AI and ML web applications. The Wave server hosted applications built on the platform.
H3C ER8300G2-X - Password Disclosure
runzero-match
service["http.body"] matches "(?i)icg_helpScript\\.js"Description
H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.
Impact
Unauthenticated attackers can access the router's administrative password via the management system interface.
Remediation
Update H3C ER8300G2-X router firmware to a version that addresses the password disclosure vulnerability.
H3c IMC - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/imc/javax\\.faces\\.resource/images/login_help\\.png\\.jsf\\?ln=primefaces-imc-new-webui"Description
H3c IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint.
HAL Management Console Panel
Author: DhiyaneshDKAdded: Jul 18, 2024
runzero-match
service["http.body"] matches "(?i)HAL Management Console"Description
HAL Management Console login panel was discovered.
HCL BigFix Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)BigFix"})Description
HCL BigFix login panel was detected.
HOOBS Panel - Detect
Author: rxeriumAdded: Oct 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)HOOBS"})Description
HOOBS is a home automation platform that bridges HomeKit and non-HomeKit devices.
HP 1820-8G Switch J9979A Default Login
runzero-match
any(each(service["html.titles"]), {# matches "J9979A"})Description
HP 1820-8G Switch J9979A default admin login credentials were discovered.
HP Service Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hp service manager"})Description
HP Service Manager login panel was detected.
HP Virtual Connect Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)HP Virtual Connect Manager"})Description
HP Virtual Connect Manager login panel was detected.
HPE OfficeConnect Switch - Panel Detect
Author: pussycat0xAdded: Sep 18, 2025
runzero-match
service["http.body"] matches "(?i)HPE OfficeConnect"Description
The HPE OfficeConnect Switch was a network switch series built for small and medium businesses.It provided reliable connectivity, simple management, and PoE options to support growing networks.
HPE OneView - Panel Detect
Author: rxeriumAdded: Dec 18, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-1569311459"Description
HPE OneView is an infrastructure management platform that provides automated management, monitoring, and updates for HPE servers, storage, and networking resources through a unified interface.
HTTP File Server <2.3c - Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "2124459909"Description
HTTP File Server before 2.3c is susceptible to remote command execution. The findMacroMarker function in parserLib.pas allows an attacker to execute arbitrary programs via a %00 sequence in a search action. Therefore, an attacker can obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Upgrade to the latest version of HTTP File Server (>=2.3c) to mitigate this vulnerability.
HTTPBin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)httpbin\\.org"})Description
HTTPBin login panel was detected.
HYPERPLANNING Login Panel - Detect
Author: righettodAdded: Nov 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)HYPERPLANNING"})Description
HYPERPLANNING products was detected.
Haivision Gateway Login Panel - Detect
Author: righettodAdded: Feb 14, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Haivision Gateway"})Description
Haivision Gateway login panel was detected.
Haivision Media Platform Login Panel - Detect
Author: righettodAdded: Feb 15, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Haivision Media Platform"})Description
Haivision Media Platform login panel was detected.
Halo ITSM - Pre-Authentication SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "489905671"Description
A Time-Based SQL Injection vulnerability in Halo ITSM allows unauthenticated attackers to execute malicious SQL queries by leveraging time delays, potentially leading to data exfiltration, privilege escalation, or full system compromise.
Hangfire Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)overview – hangfire dashboard"})Description
Hangfire Dashboard panel was detected.
Harbor Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "657337228"Description
Harbor login panel was detected.
Harbor Registry - Default Admin Credentials
Author: 0x_AkokoAdded: Mar 24, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Harbor"})Description
Detected: The Harbor container registry was found to be using default administrator credentials (admin:Harbor12345). An attacker could have gained full administrative access to manage registries, projects, users, and stored container images.
HashiCorp Consul Web UI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)consul by hashicorp"})Description
HashiCorp Consul Web UI login panel was detected,
Hashicorp Consul Agent - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)consul by hashicorp"})Description
Hashicorp Consul Agent was detected.
Headlamp Kubernetes UI Panel - Detect
runzero-match
service["http.body"] matches "(?i)headlampBaseUrl"Description
Detected Headlamp Kubernetes Web UI panel exposed, which could lead to unauthorized access to Kubernetes cluster management if not properly secured.
Hestia Control Panel Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hestia control panel"}) || service["favicon.ico.image.mmh3"] == "-476299640"Description
Hestia Control Panel login was detected.
Hide My WP Ghost < 5.2.02 - Hidden Login Page Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/hide-my-wp"Description
The Hide My WP Ghost plugin does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
Impact
Unauthenticated attackers can discover and access the hidden WordPress login page through auth_redirect exploitation, bypassing the plugin's security obfuscation.
Remediation
Update Hide My WP Ghost plugin to version 5.2.02 or later to address the login page disclosure vulnerability.
HighMail Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)highmail"})Description
HighMail admin login panel was detected.
Hikvision IP ping.php - Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-1830859634"Description
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
Impact
Unauthenticated attackers can execute arbitrary operating system commands via the jsondata[ip] parameter, potentially gaining complete control over the Hikvision Intercom Broadcasting System.
Remediation
Upgrade to Hikvision Intercom Broadcasting System version 4.1.0 or later.
Hitachi Pentaho Business Analytics Server - Bypass Authorization
runzero-match
service["favicon.ico.image.mmh3"] == "1749354953"Description
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
Impact
Unauthenticated attackers can bypass authorization restrictions using non-canonical URL paths to access protected administrative endpoints in Hitachi Pentaho Business Analytics Server, potentially gaining unauthorized access to sensitive analytics data and configurations.
Remediation
Upgrade to Hitachi Vantara Pentaho Business Analytics Server version 9.4.0.1, 9.3.0.2 or later that properly validates canonical URL paths.
HiveManager Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1604363273"Description
HiveManager login panel was detected.
Home Assistant Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Home Assistant"})Home Assistant Supervisor - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)home assistant"})Description
Home Assistant Supervisor is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered.This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected.
Impact
An attacker can bypass authentication and gain unauthorized access to the Home Assistant Supervisor, potentially leading to further compromise of the system.
Remediation
The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. This rollout has been completed at the time of publication of this advisory. Home Assistant Core 2023.3.0 included mitigation for this vulnerability. Upgrading to at least that version is thus advised. In case one is not able to upgrade the Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised to not expose your Home Assistant instance to the internet.
Homebridge - Default Admin Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Homebridge"})Description
Detected Homebridge UI was found using default administrator credentials (admin:admin). An attacker could have gained full access to manage HomeKit accessories, plugins, and server configuration.
Homebridge - Unfinished Installation
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Homebridge"})Description
Homebridge instance with incomplete installation detected. The setup wizard is exposed, allowing anyone to create the first admin account and gain full control over the Homebridge instance. This can lead to unauthorized access to smart home devices and potential network compromise.
Homebridge Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Homebridge"})Description
Homebridge allows you to integrate with smart home devices that do not natively support HomeKit.
Homematic Panel - Detect
runzero-match
service["http.body"] matches "(?i)homematic"Description
Homematic panel was deetcted.
Homer Panel - Detect
Author: rxeriumAdded: Nov 4, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-417785140"Description
A simple static homepage was discovered
Honeywell Excel Web Control Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Honeywell XL Web Controller"})Description
Honeywell Excel Web Control login panel was detected.
Honeywell PM43 Printers - Command Injection
runzero-match
service["http.body"] matches "(?i)/main/login\\.lua\\?pageid="Description
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006)
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the username parameter in loadfile.lp, potentially gaining full control of Honeywell PM43 printers and intercepting print jobs containing sensitive documents.
Remediation
Update Honeywell PM43 printer firmware to version P10.19.050004 (MR19.5) or later that properly sanitizes input in loadfile.lp and prevents command injection attacks.
Hongjing e-HR 2020 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)人力资源信息管理系统"})Description
A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
Impact
Unauthenticated attackers can execute arbitrary SQL queries via the parentid parameter, potentially extracting sensitive database information including user credentials.
Remediation
Update Hongjing e-HR to a version newer than 2020 that addresses this SQL injection vulnerability.
Hookbot Rat Panel - Detect
Author: pussycat0xAdded: Jul 6, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hookbot"})Description
Hookbot panel were detected.
Horde Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-741491222"Description
Horde login panel was detected.
Horde Webmail Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "2104916232"Description
Horde Webmail login panel was detected.
Hospital Management System 1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)hospital management system"Description
Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/user-login.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Hospital Management System 1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)hospital management system"Description
Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/doctor.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Hospital Management System 1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)hospital management system"Description
Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/admin.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Hospital Management System Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)hospital management system"Description
Hospital Management System login panel was detected.
Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/motopress-hotel-booking"Description
The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server
Impact
Unauthenticated attackers can exploit missing validation and authorization checks to download and delete arbitrary files on WordPress servers running Hotel Booking Lite.
Remediation
Fixed in 4.8.5
Hoteldruid v3.0.5 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hoteldruid"}) || service["favicon.ico.image.mmh3"] == "-1521640213"Description
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.
Impact
Successful exploitation could lead to unauthorized access to sensitive data or complete takeover of the affected system.
Remediation
Upgrade Hoteldruid to a patched version that addresses the SQL Injection vulnerability.
Hoteldruid v3.0.5 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hoteldruid"})Description
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.
Impact
Allows attackers to execute arbitrary SQL queries and potentially gain unauthorized access to the database.
Remediation
Update Hoteldruid to a patched version or apply vendor-supplied fixes to mitigate the SQL Injection vulnerability.
HuangDou UTCMS V9 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)usualtool"Description
A vulnerability, which was classified as critical, has been found in HuangDou UTCMS V9. Affected by this issue is some unknown functionality of the file app/modules/ut-cac/admin/cli.php. The manipulation of the argument o leads to os command injection.The attack may be launched remotely. The exploit has been disclosed to the public and may be used.The vendor was contacted early about this disclosure but did not respond in any way.
Impact
Unauthenticated attackers can execute arbitrary OS commands on the server through command injection in the cli.php file, achieving complete system compromise and potential access to sensitive data.
Remediation
Apply security patches from HuangDou for UTCMS V9 to address the OS command injection vulnerability in app/modules/ut-cac/admin/cli.php.
Huawei HG532e Default Credential
runzero-match
service["http.body"] matches "HG532e"Description
Huawei HG532e default admin credentials were discovered.
Huawei HG532e Router Panel - Detect
runzero-match
service["http.body"] matches "(?i)HG532e"Description
Huawei HG532e router login panel was detected. After installation, both the default username and default password are user.
Huawei HoloSens SDC - Panel
Author: darsesAdded: Jul 14, 2025
runzero-match
service["http.head.server"] matches "SDC Server" || service["http.body.mmh3"] == "-968212412"Description
Huawei HoloSens SDC Panel was discovered.
Hue Magic 3.0.0 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NODE-RED"})Description
Hue Magic 3.0.0 is susceptible to local file inclusion via the res.sendFile API.
Impact
The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.
Remediation
Apply the latest security patch or update to a non-vulnerable version of Hue Magic.
Huginn Login Panel - Detect
Author: righettodAdded: Dec 10, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1951475503"Description
Huginn products was detected.
Huly Login Panel - Detect
Author: righettodAdded: Jan 14, 2025
runzero-match
service["http.body"] matches "(?i)Huly"Description
Huly products was detected.
Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/hunk-companion/"Description
The plugin does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
Impact
Unauthenticated attackers can install and activate arbitrary WordPress plugins including vulnerable or malicious ones, leading to potential site compromise.
Remediation
Update Hunk Companion plugin to version 1.9.0 or later.
Hybris - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Hybris"})Description
Hybris contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Hybris Administration Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hybris"})Description
Hybris Administration Console login panel was detected.
Hybris Management Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hybris"})Description
Hybris Management Console login panel was detected.
Hydra Router Dashboard - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)hydra router dashboard"})Description
Hydra router dashboard was detected.
HyperDX Panel - Detect
Author: righettodAdded: Aug 8, 2025
runzero-match
service["http.body"] matches "(?i)hyperdx"Description
HyperDX panel was discovered.
HyperTest Common Dashboard - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)HyperTest"})Description
HyperTest Common Dashboard was detected.
Hytec Inter HWL-2511-SS - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)index"}) && service["http.head.server"] contains "lighttpd/1.4.30"Description
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
Impact
Unauthenticated attackers can execute arbitrary commands on the Hytec Inter HWL-2511-SS cellular router through command injection in the popen.cgi endpoint, potentially gaining complete control over the device and connected network infrastructure.
Remediation
Update Hytec Inter HWL-2511-SS firmware to a version later than 1.05 that properly sanitizes command parameters in popen.cgi.
IBM Advanced System Management Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advanced System Management"})Description
IBM Advanced System Management panel was detected.
IBM BigFix Platform - Information Disclosure
runzero-match
service["http.head.server"] matches "^BigFixHTTPServer"Description
IBM BigFix Platform 9.2 and 9.5 contains an information disclosure vulnerability caused by not enabling authenticated access in relay, letting remote attackers query and gather update and fixlet information, exploit requires no authentication.
Impact
Attackers can remotely gather sensitive update and fixlet deployment information, potentially aiding targeted attacks.
Remediation
Enable authenticated access for relay to prevent unauthorized information queries.
IBM Data Risk Manager - Authentication Bypass via SAML
runzero-match
any(each(service["html.titles"]), {# matches "(?i)IBM Data Risk Manager"})Description
IBM Data Risk Manager versions 2.0.1 through 2.0.6 are vulnerable to authentication bypass when configured with SAML authentication. A remote attacker can bypass security restrictions by sending a specially crafted HTTP request to the SAML idpSelection endpoint, allowing them to bypass the authentication process and gain full administrative access to the system.
Impact
Unauthenticated attackers can bypass authentication via SAML endpoint and gain full administrative access to IBM Data Risk Manager, compromising all managed data risk information.
Remediation
Apply the latest security updates and patches provided by Cisco for HyperFlex HX.
IBM Decision Center Business Console - Default Login
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Decision Center \\| Business Console"})IBM Decision Center Enterprise Console - Default Login
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
service["http.body"] matches "Decision Center Enterprise console"IBM Decision Center Enterprise Console - Panel Detection
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
service["http.body"] matches "(?i)Decision Center Enterprise console"Description
IBM Decision Center Enterprise Console panel was detected.
IBM Decision Server Console - Default Login
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Rule Execution Server"})IBM Decision Server Console Panel - Detect
Author: DhiyaneshDKAdded: Feb 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Rule Execution Server"})Description
IBM Decision Server Console panel was detected.
IBM Maximo Asset Management Information Disclosure - XML External Entity Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-399298961"Description
IBM Maximo Asset Management is vulnerable to an
XML external entity injection (XXE) attack when processing XML data.
A remote attacker could exploit this vulnerability to expose
sensitive information or consume memory resources.
Impact
The vulnerability can lead to unauthorized access to sensitive information or a denial of service.
Remediation
Apply the latest security patches or updates provided by IBM to mitigate the vulnerability.
IBM Maximo Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-399298961"Description
IBM Maximo login panel was detected.
IBM MobileFirst Foundation - Default Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MobileFirst Operations Console"})Description
Detected IBM MobileFirst Foundation Operations Console was found using default credentials. The administration REST API exposes full control over mobile application backends including adapter management, push notification infrastructure, OAuth security configuration, and application authenticity enforcement.
IBM OpenAdmin Tool - Panel
Author: DhiyaneshDKAdded: Aug 20, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "965982073"IBM Operational Decision Manager Panel - Detect
Author: DhiyaneshDK,righettodAdded: Feb 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Decision Center \\| Business Console"})Description
IBM Operational Decision Manager panel was detected.
IBM Planning Analytics - Authentication Bypass & Remote Code Execution Version Detection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Arc for TM1"})Description
IBM Planning Analytics versions 2.0.0 through 2.0.8 are vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting.
Impact
Attackers can gain admin access and execute arbitrary code with SYSTEM privileges, leading to full system compromise.
Remediation
Update to the latest version or 2.0.9 or apply the security patches provided by IBM.
IBM Power HMC - Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "262502857"Description
IBM HMC default admin login credentials were discovered.
IBM Security Access Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)IBM Security Access Manager"})Description
IBM Security Access Manager login panel was detected.
IBM Security Verify Access Login - Panel
Author: johnk3rAdded: Jun 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)IBM Security Verify Access"})Description
IBM Security Verify Access login panel was detected.
IBM Service Assistant Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Welcome to Service Assistant"})Description
IBM Service Assistant login panel was detected.
IBM WebSphere Application Server Community Edition Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1337147129"Description
IBM WebSphere Application Server Community Edition admin login panel was detected.
IBM WebSphere Portal Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ibm websphere portal"Description
IBM WebSphere Portal login panel was detected.
IBM iNotes Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)IBM iNotes Login"})Description
IBM iNotes login panel was detected.
ICC PRO Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login to ICC PRO system"})Description
ICC PRO login panel was detected.
ICE HRM Login - Detect
Author: Th3l0newolfAdded: Apr 18, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ice Hrm Login"})Description
The ICE HRM login panel was discovered.
ICT Protege WX Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ict protege wx®"})ICTBroadcast Login Panel - Detect
Author: rxeriumAdded: Oct 21, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-60395993"Description
ICTBroadcast login panel was detected.
IDEMIA BIOMetrics - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "IDEMIA"})Description
IDEMIA BIOMetrics application default login credentials were discovered.
ILIAS LMS - Default Admin Credentials
Author: 0x_AkokoAdded: Mar 25, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login to ILIAS"})Description
The ILIAS learning management system was found to be using default administrator credentials (root:homer). An attacker was able to gain full administrative access to manage courses, users, and system configuration.
ILIAS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ilias"Description
ILIAS login panel was detected.
INTELBRAS TELEFONE IP TIP200 60.61.75.22 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/cgi-bin/cgiServer\\.exx"Description
INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 is vulnerable to information disclosure, allowing unauthenticated attackers to access sensitive device information and configuration data via a direct request to the /cgi-bin/export_settings.sh endpoint.
Impact
Authenticated attackers can read arbitrary files from the device including configuration files and credentials, potentially leading to complete device compromise.
Remediation
Update the device firmware to the latest version provided by INTELBRAS.
IPS Community Suite - Unauthenticated SQL Injection
runzero-match
service["http.body"] matches "(?i)invision community"Description
IPS Community Suite is vulnerable to unauthenticated SQL injection via the filter[] parameter in the /index.php?/store/ endpoint, allowing attackers to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute arbitrary SQL queries, potentially extracting or modifying sensitive database information.
Remediation
Update IPS Community Suite to a version that patches CVE-2024-30163.
IPdiva Mediation Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)IPdiva"Description
IPdiva Mediation login panel was detected.
IPeakCMS 3.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ipeak"Description
ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands, exploit requires no authentication.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, data tampering, or full database compromise.
Remediation
Apply the latest security patches or update to a version that fixes this vulnerability.
IRISNext Login Panel - Detect
Author: righettodAdded: Feb 26, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)irisnext"})Description
IRISNext products was detected.
ISPConfig Admin - Default Password
Author: pussycat0xAdded: Aug 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ispconfig"})Description
ISPConfig Admin Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
ISPConfig Hosting Control Panel - Default Login
Author: ritikchaddhaAdded: Aug 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "ISPConfig"})Description
ISPConfig Hosting Control Panel Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
ITFlow Unfinished Installation
Author: 0x_AkokoAdded: Jan 20, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ITFlow"})Description
Detected ITFlow setup wizard was exposed with an unfinished installation, allowing attackers to configure the database and create an admin account.
IceWarp Email Client - Cross Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
IceWarp Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
IceWarp login panel was detected.
IceWarp Mail Server <=10.4.4 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
Impact
An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
Remediation
Upgrade IceWarp Mail Server to a version higher than 10.4.4 or apply the vendor-provided patch to fix the LFI vulnerability.
IceWarp WebClient - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
IceWarp WebClient is susceptible to remote code execution.
IceWarp WebMail 11.4.5.0 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
IceWarp WebMail 11.4.5.0 is vulnerable to cross-site scripting via the language parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of IceWarp WebMail.
IceWarp Webmail Server v10.2.1 - Cross Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "2144485375" || any(each(service["html.titles"]), {# matches "(?i)icewarp"})Description
Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.
Impact
Unauthenticated attackers can inject malicious JavaScript through the color parameter to steal webmail user session cookies and access email communications.
Remediation
Update IceWarp to a version newer than 10.2.1 that properly sanitizes the color parameter and encodes output in the webmail interface.
Icinga Exposed Dashboard
Author: DhiyaneshDkAdded: Jan 9, 2026
runzero-match
service["http.body"] matches "(?i)icinga\" html:\"Statistics"Description
Icinga Dashboard was exposed.
Icinga Web 2 - Arbitrary File Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Icinga"})Description
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials.
Impact
The vulnerability can lead to unauthorized access to sensitive information, potentially exposing credentials, configuration files, and other sensitive data.
Remediation
This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
Icinga Web 2 Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)icinga web 2 login"}) || any(each(service["html.titles"]), {# matches "(?i)icinga"})Description
Icinga Web 2 login panel was detected.
IdeaCMS <= 1.7 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1033616879"Description
IdeaCMS up to 1.7 is vulnerable to SQL injection via the field parameter in article and product query interfaces. This template uses a time-based payload to safely detect the vulnerability.
Impact
Unauthenticated attackers can extract sensitive data from the database through SQL injection in the field parameter, potentially compromising user information and system credentials.
Remediation
Upgrade IdeaCMS to a version later than 1.7 that properly sanitizes SQL parameters in article and product query interfaces.
Ignite Realtime Openfire <4.42 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openfire admin console"})Description
Ignite Realtime Openfire through 4.4.2 is vulnerable to local file inclusion via PluginServlet.java. It does not ensure that retrieved files are located under the Openfire home directory.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, remote code execution, and potential compromise of the affected system.
Remediation
Upgrade Ignite Realtime Openfire to version 4.42 or later to mitigate this vulnerability.
Ilch CMS Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ilch"})Description
Ilch CMS admin login panel was detected.
ImageResizer Debug - Information Exposure
Author: ritikchaddhaAdded: Dec 23, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ImageResizer"})Description
The ImageResizer debug endpoint exposes sensitive server configuration and path information.
Immich Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-43504595"Description
Immich is a self-hosted photo and video backup solution
ImpressCMS < 1.4.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)ImpressCMS"Description
ImpressCMS before 1.4.3 is vulnerable to SQL injection via the groups parameter in include/findusers.php, allowing unauthenticated attackers to execute arbitrary SQL queries.
Impact
Unauthenticated attackers can execute arbitrary SQL queries via SQL injection, potentially extracting sensitive database contents or modifying data.
Remediation
Update ImpressCMS to version 1.4.3 or later.
ImpressCMS <1.4.3 - Incorrect Authorization
runzero-match
service["http.body"] matches "(?i)impresscms"Description
ImpressCMS before 1.4.3 is susceptible to incorrect authorization via include/findusers.php. An attacker can provide a security token and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can bypass authorization and gain unauthorized access to sensitive information or perform unauthorized actions.
Remediation
Upgrade to ImpressCMS version 1.4.3 or later to fix the vulnerability.
InduSoft Web Studio NTWebServer Directory Traversal Vulnerability
runzero-match
service["product"] contains "InduSoft:Web Studio"Description
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files.
Remediation
Apply updates per vendor instructions.
Inductive Automation Ignition - Gateway Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Ignition Gateway"})Description
Inductive Automation Ignition is a widely-deployed industrial SCADA/HMI
platform used in manufacturing, utilities, and process industries. The
Ignition Gateway web interface provides access to project management,
OPC-UA tag browsing, and system configuration. Exposed gateways may
allow unauthenticated access to project lists and system information.
Infinispan - Default Admin Login
Author: DhiyanesDkAdded: May 14, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "647951307"Description
The Infinispan REST API was found exposed with the default administrator credentials `admin:password`. An unauthenticated network attacker can authenticate via HTTP Digest and gain full read/write access to all cache managers, caches, and server administration endpoints.
InfluxDB <1.7.6 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)influxdb - admin interface"})Description
InfluxDB before 1.7.6 contains an authentication bypass vulnerability via the authenticate function in services/httpd/handler.go. A JWT token may have an empty SharedSecret (aka shared secret). An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
An attacker can bypass authentication and gain unauthorized access to the InfluxDB database.
Remediation
Update Influxdb to version 1.7.6~rc0-1 or higher.
InfluxDB Admin Interface Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)influxdb - admin interface"})Description
InfluxDB admin interface panel was detected.
Infoblox NIOS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Infoblox"})Description
Infoblox NIOS login panel was detected.
Inspur Clusterengine 4 - Default Admin Login
Author: ritikchaddhaAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TSCEV4\\.0"})Description
Inspur Clusterengine version 4 default admin login credentials were successful.
Inspur Clusterengine V4 SYSshell - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TSCEV4\\.0"})Description
Inspur Clusterengine V4 SYSshell was found and allows remote command execution by design.
InstaWP Connect < 0.1.0.86 - Local PHP File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/instawp-connect"Description
The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
Impact
Unauthenticated attackers can include and execute arbitrary PHP files through the instawp-database-manager parameter, allowing arbitrary code execution and potential complete server compromise.
Remediation
Update InstaWP Connect plugin to version 0.1.0.86 or later.
Integrate Google Drive <= 1.5.3 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/integrate-google-drive"Description
File Manager for Google Drive - Integrate Google Drive with WordPress plugin for WordPress <= 1.5.3 contains sensitive information exposure caused by improper protection of the get_localize_data function, letting unauthenticated attackers extract Google OAuth credentials and account email addresses, exploit requires no authentication.
Impact
Unauthenticated attackers can extract sensitive Google OAuth credentials and email addresses, risking account compromise and data theft.
Remediation
Update to a version later than 1.5.3 or the latest available version.
Integrated Management Module - Default Login
runzero-match
service["http.body"] matches "(?i)ibmdojo"Description
Integrated Management Module default login credentials were discovered.
Intel Active Management - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)active management technology"})Description
Intel Active Management platforms are susceptible to authentication bypass. A non-privileged network attacker can gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability. A non-privileged local attacker can provision manageability features, gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology, Intel Standard Manageability, and Intel Small Business Technology. The issue has been observed in versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for all three platforms. Versions before 6 and after 11.6 are not impacted.
Impact
An attacker can bypass authentication and gain unauthorized access to the Intel Active Management firmware, potentially leading to unauthorized control of the affected system.
Remediation
Update the Intel Active Management firmware to version 11.6.55, 11.7.55, 11.11.55, 11.0.25, 8.1.71, or 7.1.91 to mitigate the vulnerability.
Intelbras NPLUG 1.0.0.14 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)NPLUG"Description
Intelbras NPLUG 1.0.0.14 is vulnerable to authentication bypass through cookie manipulation. An attacker can bypass authentication by simply setting a cookie named "admin:".
Impact
Unauthenticated attackers can bypass authentication and download the router configuration file containing credentials, network settings, and sensitive information.
Remediation
Update the device firmware to the latest version.
Intelbras Router Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Intelbras"})Description
Intelbras router logjn panel was detected.
Intelbras Router Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)intelbras"})Description
Intelbras router panel was detected.
Intelbras Switch - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)intelbras"})Description
An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration.
Impact
Unauthenticated attackers can exploit authentication bypass to download backup configuration files containing critical device information including credentials and network configuration from Intelbras Switch devices.
Remediation
Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
Intelbras WRN 150 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)WRN150"Description
Intelbras WRN 150 router is vulnerable to authentication bypass through cookie manipulation. An attacker can bypass authentication and download the router configuration file by manipulating the admin:language cookie.
Impact
Attackers can bypass authentication and download the router configuration file containing credentials, network settings, and sensitive information, potentially leading to complete network compromise.
Remediation
Update the router firmware to the latest version.
Intellian Aptus Web Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)intellian aptus web"})Description
Intelllian Aptus Web login panel was detected.
Internet Multi Server Control Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)i-MSCP - Multi Server Control Panel"})Description
Internet Multi Server Control Panel was detected.
Invision Community <=5.0.6 Unauthenticated RCE via Template Injection
runzero-match
service["http.body"] matches "(?i)Invision"Description
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (/applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method, which is evaluated by the template engine. Accordingly, unauthenticated attackers can inject and execute arbitrary PHP code by providing crafted template strings.
Impact
Unauthenticated attackers can inject and execute arbitrary PHP code through the content parameter in themeeditor.php, achieving complete server compromise.
Remediation
Upgrade Invision Community to version 5.0.7 or later that properly sanitizes template strings before evaluation.
Issabel Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Issabel"})Description
Issabel login panel was detected.
Issabel PBX 4.0.0-6 - Directory Listing
runzero-match
any(each(service["html.titles"]), {# matches "(?i)issabel"})Description
An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory
Impact
Exploiting this vulnerability could lead to unauthorized access to sensitive directories and files, compromising the confidentiality of the system.
Remediation
It is recommended to update to a patched version of issabel-pbx or apply necessary configuration changes to prevent directory listing.
Ivanti Cloud Services Appliance - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cloud services appliance"}) || any(each(service["html.titles"]), {# matches "(?i)landesk\\(r\\) cloud services appliance"})Description
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Impact
Unauthenticated attackers can exploit path traversal to access restricted administrative functionality, potentially gaining unauthorized control of the Ivanti Cloud Services Appliance and accessing sensitive user management features.
Remediation
Update Ivanti Cloud Services Appliance to version 4.6 Patch 519 or later to address the path traversal vulnerability.
Ivanti Connect Secure - Stack-based Buffer Overflow
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ivanti connect secure"})Description
Ivanti Connect Secure < 22.7R2.5, Ivanti Policy Secure < 22.7R1.2, and Ivanti Neurons for ZTA gateways < 22.7R2.3 contain a stack-based buffer overflow in the clientCapabilities parameter handling. This vulnerability allows remote unauthenticated attackers to execute arbitrary code through IF-T TLS requests.
Impact
Unauthenticated attackers can exploit a stack-based buffer overflow to execute arbitrary code remotely on Ivanti Connect Secure devices, potentially compromising VPN infrastructure and accessing all connected networks.
Remediation
Upgrade to Ivanti Connect Secure version 22.7R2.5, Ivanti Policy Secure version 22.7R1.2, or Ivanti Neurons for ZTA version 22.7R2.3 or later.
Ivanti Connect Secure Panel - Detect
Author: rxeriumAdded: Feb 3, 2024
runzero-match
service["http.body"] matches "(?i)welcome\\.cgi\\?p=logo" || any(each(service["html.titles"]), {# matches "(?i)ivanti connect secure"})Description
Ivanti Connect Secure provides a seamless, cost-effective SSL VPN solution for remote and mobile users from any web-enabled device to corporate resources— anytime, anywhere.
Ivanti EPM Cloud Services Appliance Code Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)landesk\\(r\\) cloud services appliance"})Description
Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512 is susceptible to a code injection vulnerability because it allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
Impact
Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
Remediation
Apply the latest security patches provided by Ivanti to mitigate this vulnerability.
Ivanti Endpoint Manager - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
Ivanti Endpoint Manager < 2024 SU5 contains an authentication bypass caused by improper access control, letting remote unauthenticated attackers leak stored credential data, exploit requires no special privileges.
Impact
Remote attackers can leak stored credential data, potentially compromising sensitive information.
Remediation
Update to version 2024 SU5 or later.
Ivanti Endpoint Manager Mobile (EPMM) - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023. A patch is available.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system.
Remediation
Apply the latest security patches or updates provided by Ivanti to fix the authentication bypass vulnerability in Endpoint Manager Mobile (EPMM).
Ivanti ICS - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)welcome\\.cgi\\?p=logo" || any(each(service["html.titles"]), {# matches "(?i)ivanti connect secure"})Description
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Impact
Unauthenticated attackers can bypass authentication controls and access restricted administrative resources, potentially exposing sensitive configuration data.
Remediation
Upgrade Ivanti Connect Secure and Policy Secure to the latest patched versions as provided in the vendor advisory.
Ivanti Incapptic Connect Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)incapptic"}) || service["favicon.ico.image.mmh3"] == "-1067582922"Description
Ivanti Incapptic Connect panel was detected.
Ivanti Traffic Manager Panel - Detect
Author: rxeriumAdded: Aug 25, 2024
runzero-match
service["http.body"] matches "(?i)Login \\(Virtual Traffic Manager"Description
An Ivanti Traffic Manager Login Panel was detected.
Ivanti(R) Cloud Services Appliance - Panel
Author: rxeriumAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Cloud Services Appliance"})Description
An Ivanti Cloud Services Appliance panel was detected.
JBoss SOA Platform Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)welcome to the jboss soa platform"})Description
JBoss SOA Platform login panel was detected.
JBoss WS JUDDI Console Panel - Detect
runzero-match
service["http.body"] matches "(?i)jboss ws"Description
The jUDDI (Java Universal Description, Discovery and Integration) Registry is a core component of the JBoss Enterprise SOA Platform. It is the product's default service registry and comes included as part of the product. In it are stored the addresses (end-point references) of all the services connected to the Enterprise Service Bus. It was implemented in JAXR and conforms to the UDDI specifications.
Remediation
Restrict access to the service if not needed.
JBoss jBPM Administration Console Default Login - Detect
runzero-match
service["http.body"] matches "JBossWS"Description
JBoss jBPM Administration Console default login information was detected.
JBoss jBPM Administration Console Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)jbossws"Description
JBoss jBPM Administration Console login panel was detected.
JEHC-BPM - Remote Code Execute
runzero-match
service["http.body"] matches "(?i)JEHC"Description
A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
Impact
Unauthenticated attackers can execute arbitrary operating system commands through the /server/executeExec endpoint due to missing authorization checks, achieving complete server compromise.
Remediation
Upgrade JEHC-BPM to a version later than 2.0.1 that implements proper authorization checks on the executeExec endpoint.
JFinalCMS v5.0.0 - Directory Traversal
runzero-match
service["http.body"] matches `(?i)content="JreCms`Description
An issue in the component /common/DownController.java of JFinalCMS v5.0.0 allows attackers to execute a directory traversal.
Impact
Unauthenticated attackers can read arbitrary files from the server through path traversal in the filekey parameter, potentially exposing database credentials, application configuration, and sensitive CMS content.
Remediation
Update JFinalCMS to a version newer than 5.0.0 that validates and sanitizes file paths in DownController.java to prevent directory traversal attacks.
JFrog Artifactory Artifacts Exposure
Author: DhiyaneshDkAdded: Dec 10, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Jfrog"})Description
JFrog Artifactory Artifact repository was exposed.
JFrog Artifactory Build - Exposure
Author: theamanrawatAdded: Dec 29, 2025
runzero-match
service["product"] contains "JFrog:Artifactory"Description
Detected exposure of build information in JFrog Artifactory via unauthenticated API endpoints. Access to these endpoints may disclose sensitive data such as build names, numbers, CI/CD pipeline details, artifact paths, and internal infrastructure information.
JFrog Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)JFrog"})Description
JFrog login panel was detected.
JHipster Platform - Default Login
Author: ritikchaddhaAdded: Jan 15, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)JHipster"})Description
Detects the presence of JHipster application dashboard or API endpoints that allow authentication using default credentials. JHipster applications by default are often configured with the username "admin" and password "admin", potentially exposing application management interfaces or sensitive APIs if not changed after deployment.
JS Help Desk <= 2.8.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/js-support-ticket/"Description
The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘email' and 'trackingid' parameters in all versions up to 2.8.2 (exclusive) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of JS Help Desk, version 2.8.2 or later.
JS Help Desk <= 2.8.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/js-support-ticket/"Description
JS Help Desk WordPress plugin 2.8.2 contains a SQL injection caused by insufficient escaping and preparation of user-supplied values in 'js-support-ticket-token-tkstatus' cookie, letting unauthenticated attackers extract sensitive database information, exploit requires no authentication.
Impact
Unauthenticated attackers can extract sensitive database information, leading to data disclosure.
Remediation
Update to the latest version of JS Help Desk plugin.
Jaeger End-of-Life - Detect
Author: Shivam KambojAdded: Mar 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Jaeger UI"})Description
Detected Jaeger versions that have reached End-of-Life (EOL) and no longer receive security updates.
Jalios JCMS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)jalios jcms"Description
Jalios JCMS login panel was detected.
Jamf MDM Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1262005940"Description
Jamf Mobile Device Management login panel was detected.
Jamf Pro Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Jamf Pro"})Description
Jamf Pro login panel was detected.
Jamf Pro Setup Assistant Panel - Detect
runzero-match
service["http.body"] matches "(?i)Jamf Pro Setup"Description
Jamf Pro Setup Assistant panel was detected.
Jan v0.4.12 'readFileSync' - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-165268926"Description
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
Impact
Unauthenticated attackers can read arbitrary files from the system via path traversal in the readFileSync interface.
Remediation
Update Jan to a version later than v0.4.12 that patches the path traversal vulnerability.
Janitza GridVis Energy Management - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^GridVis"})Description
Janitza GridVis is an energy monitoring and management software platform by Janitza Electronics GmbH.
It provides real-time power quality analysis, energy data logging, and grid visualisation for industrial facilities.
Janitza UMG Power Meter - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)Janitza UMG"Description
Janitza UMG series power meters and energy analyzers expose a web interface for energy monitoring and power quality analysis.
Javafaces LFI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)weblogic"})Description
An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
Impact
Unauthenticated attackers can exploit local file inclusion through Java Server Faces resource handlers to read sensitive configuration files including WEB-INF/web.xml, exposing Oracle GlassFish, WebLogic, and JDeveloper application configurations.
Remediation
Apply the latest patches and updates for the affected software to fix the LFI vulnerability.
Jedox Web Login Panel - Detect
Author: Team Syslifters / Christoph MAHRL,Aron MOLNAR,Patrick PIRKER,Michael WEDLAdded: May 11, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jedox web - login"}) || any(each(service["html.titles"]), {# matches "(?i)jedox web login"})Description
Jedox is an Enterprise Performance Management software which is used for planning, analytics and reporting in finance and other areas such as sales, human resources and procurement.
JeePlus CMS - SQL Injection
runzero-match
service["http.body"] matches "(?i)jeeplus\\.js"Description
A SQL injection vulnerability exists in the JeePlus low-code development platform, allowing attackers to manipulate database queries.This can lead to unauthorized data access, modification, or potential compromise of the application.
Jeecg Boot <= 2.4.5 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jeecg-boot"})Description
An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface.
Impact
An attacker can exploit this vulnerability to gain sensitive information from the application.
Remediation
Upgrade Jeecg Boot to a version higher than 2.4.5 to mitigate the vulnerability.
Jeecg Boot <= 2.4.5 - Sensitive Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jeecg-boot"})Description
Jeecg Boot <= 2.4.5 API interface has unauthorized access and leaks sensitive information such as email,phone and Enumerate usernames that exist in the system.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to unauthorized access or data leakage.
Remediation
Upgrade Jeecg Boot to version 2.4.6 or later to fix the vulnerability.
Jeecg P3 Biz Chat - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726"Description
Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files through specific parameters.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.
Remediation
Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in Jeecg P3 Biz Chat.
Jeecg-Boot v3.5.1 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726"Description
SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData in jeecg-boot v3.5.1.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Implement input validation and use parameterized queries to prevent SQL Injection attacks.
Jeecg-boot 3.5.0 qurestSql - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726"Description
A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade Jeecg-boot to a patched version or apply the necessary security patches provided by the vendor.
JeecgBoot 3.5.0 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726"Description
jeecg-boot 3.5.0 and 3.5.1 have a SQL injection vulnerability the id parameter of the /jeecg-boot/jmreport/show interface.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade JeecgBoot to a patched version or apply the necessary security patches provided by the vendor.
JeecgBoot v3.7.1 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1380908726" || service["favicon.ico.image.mmh3"] == "-250963920"Description
The JeecgBoot application is vulnerable to SQL Injection via the `getTotalData` endpoint. An attacker can exploit this vulnerability to extract sensitive information from the database by injecting SQL commands.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to extract sensitive information from the JeecgBoot database.
Remediation
Update JeecgBoot to a version that patches CVE-2024-48307.
Jeedom - Default Login
Author: ritikchaddhaAdded: Jun 28, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Jeedom"})Description
Jeedom default login has been detected.
Jeedom Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jeedom"})Description
Jeedom login panel was detected.
Jellyfin <10.7.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Jellyfin"Description
Jellyfin before 10.7.0 is vulnerable to local file inclusion. This issue is more prevalent when Windows is used as the host OS. Servers exposed to public Internet are potentially at risk.
Impact
Successful exploitation could allow an attacker to read sensitive files on the server.
Remediation
This is fixed in version 10.7.1.
Jellyfin Console - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Jellyfin"})Description
Weak Jellyfin credentials were discovered.
Jellyseerr Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-2017604252"Jenkins - Remote Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "81586312"Description
Jenkins 2.153 and earlier and LTS 2.138.3 and earlier are susceptible to a remote command injection via stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire Jenkins server.
Remediation
Apply the latest security patches and updates provided by Jenkins to mitigate this vulnerability.
Jenkins API Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "81586312"Description
Jenkins API panel was detected.
Jenkins Command Line Interface (CLI) Path Traversal Vulnerability
runzero-match
service["product"] contains "Jenkins"Description
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces
an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers
to read arbitrary files on the Jenkins controller file system.
Remediation
Upgrade affected versions of Jenkins to the latest patched version. If unable to upgrade the affected system,
disabling CLI access can be implemented as a workaround.
Jenkins Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Jenkins"})Description
Jenkins credentials of admin:admin were discovered.
Jenkins Gitlab Hook <=1.4.2 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)GitLab"})Description
Jenkins Gitlab Hook 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected cross-site scripting vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.
Remediation
Upgrade to the latest version of Jenkins Gitlab Hook plugin (>=1.4.3) to mitigate this vulnerability.
Jenkins Login Detected
runzero-match
service["favicon.ico.image.mmh3"] == "81586312"Description
Jenkins is an open source automation server.
Remediation
Ensure proper access.
Jenkins Users - Exposure
Author: theamanrawatAdded: Dec 4, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "81586312"Description
Detected an exposed Jenkins asynchPeople endpoint that discloses user information (e.g., users, full names, and profile URLs) allowing user enumeration.
JetBrains TeamCity > 2023.11.3 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)teamcity"})Description
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
Impact
Unauthenticated attackers can bypass authentication to gain administrative access and potentially execute code on the TeamCity server.
Remediation
Update JetBrains TeamCity to version 2023.11.3 or later.
Jinhe OA - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)金和协同管理平台"})Description
SQL injection vulnerability in the ljc6/servlet/clobfield interface of Jinhe OA jc6. An attacker can obtain sensitive information.
Jinher OA - SQL Injection
runzero-match
service["http.body"] matches "(?i)/jc6/platform/sys/login"Description
jinher jinher_oa is an office automation software that facilitates workflow management and collaboration within organizations. It sits in the enterprise layer of the tech stack, is typically deployed as self_hosted, and—within the information_technology industry—serves the business_apps domain.
Impact
Remote attackers can execute arbitrary SQL commands, potentially leading to data theft or database compromise.
Remediation
Update to the latest version.
Joget Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1343712810"Description
Joget panel was detected.
JoomSport <= 5.7.7 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1546880397"Description
The JoomSport WordPress plugin through 5.7.7 is vulnerable to unauthenticated time-based blind SQL injection via the 'sortf' GET parameter in the player list view. The parameter value is backtick-wrapped and directly concatenated into an ORDER BY clause.
Impact
Unauthenticated attackers can extract any data from the WordPress database including admin credentials, user emails, and plugin-stored secrets via time-based blind SQL injection.
Remediation
Update to JoomSport version 5.7.8 or later, which implements column whitelist validation.
Joomla HTTP Header Unauthenticated - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Description
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015
Impact
Attackers can execute arbitrary PHP code on the server through PHP object injection, leading to complete server compromise and potential data breach.
Remediation
Update to Joomla 3.4.6 or later immediately.
Joomla! <3.7.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Description
Joomla! before 3.7.1 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and potential compromise of the entire Joomla! website.
Remediation
Upgrade Joomla! to version 3.7.1 or later to mitigate the SQL Injection vulnerability.
Joomla! Core SQL Injection
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Description
A SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the Joomla! CMS.
Remediation
Apply the latest security patches and updates provided by Joomla! to mitigate the SQL Injection vulnerability.
Joomla! Panel
Author: its0x08Added: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Joomla! Webservice - Password Disclosure
runzero-match
service["http.body"] matches "(?i)joomla! - open source content management"Description
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Impact
The vulnerability can lead to unauthorized access to user passwords, compromising the confidentiality of user accounts.
Remediation
Upgrade to Joomla! version 4.2.8 or later.
JoomlaUX JUX Real Estate 3.4.0 - Reflected XSS
runzero-match
service["http.body"] matches "(?i)joomlaux"Description
A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla. It has been classified as problematic. Affected is an unknown function of the file /extensions/realestate/index.php/properties/list/list-with-sidebar/realties. The manipulation of the argument Itemid/jp_yearbuilt leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Impact
Attackers can inject malicious JavaScript through the Itemid and jp_yearbuilt parameters, potentially stealing user session cookies, redirecting users to malicious sites, or performing unauthorized actions in the context of authenticated users.
Remediation
Upgrade to the latest patched version of JUX Real Estate that properly sanitizes user input.
Joplin Server Login - Panel
Author: pussycat0xAdded: Jun 15, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Joplin Server"})Description
Joplin Server login panel detected.
Jorani 1.0.0 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-2032163853"Description
Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade Jorani to a patched version or apply the necessary security patches.
Jorani Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Login - Jorani"Description
Jorani login panel was detected.
Journyx - XML External Entities Injection (XXE)
runzero-match
service["favicon.ico.image.mmh3"] == "-109972155"Description
The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.
Impact
Unauthenticated attackers can exploit XXE to read local files, perform SSRF attacks, and cause denial of service by overwhelming server resources.
Remediation
Update Journyx to version 11.5.5 or later to address the XXE vulnerability.
Journyx 11.5.4 - Reflected Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)Journyx"Description
Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application.
Impact
Attackers can craft malicious URLs with XSS payloads in the error_description parameter to execute arbitrary JavaScript when victims click the link.
Remediation
Update Journyx to version 11.5.5 or later to address the reflected XSS vulnerability.
JshERP Boot Panel - Detect
Author: DhiyaneshDkAdded: Jun 26, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1298131932"JumpServer > 3.6.4 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jumpserver"})Description
JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).
Impact
The vulnerability allows an attacker to gain sensitive information from the JumpServer application.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
JumpServer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)'JumpServer'"})Description
JumpServer Open Source Bastion Host login panel was detected.
Juniper J-Web - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)juniper web device manager"})Description
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain environments variables to execute remote commands
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Juniper J-Web Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Juniper Web Device Manager"})Description
Juniper J-Web panel was detected.
Juniper Web Device Manager - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Juniper Web Device Manager"})Description
Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Juniper Networks to mitigate this vulnerability.
Jupyter Notebook - Remote Command Execution
Author: HuTa0Added: Jul 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jupyter notebook"})Description
Jupyter Notebook is an interactive Notebook, computer application is a web based visualization, Jupyter Notebook API/terminals path there are loopholes in the remote command execution.
Jupyter Notebook Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)JupyterHub"Description
Jupyter Notebook login panel was detected.
JupyterHub Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "JupyterHub"})Description
JupyterHub is a multi-user server for Jupyter notebooks
Jupyterhub - Default Admin Discovery
runzero-match
any(each(service["html.titles"]), {# matches "JupyterHub"})Description
Jupyterhub default admin credentials were discovered.
JustBoil.me Images Plugin - Exposed Image Upload
Author: 0xr2rAdded: Sep 23, 2025
runzero-match
service["http.body"] matches "(?i)/plugins/generic/tinymce/plugins/justboil\\.me/"Description
JustBoil.me Images Plugin for TinyMCE contains an exposed dialog interface that could lead to potential security vulnerabilities. The plugin's dialog-v4.htm file is accessible without proper access controls, which may allow unauthorized access to image upload functionality.
KACO New Energy Solar Inverter - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "-890342445" || any(each(service["html.titles"]), {# matches "KACO new energy"})Description
KACO new energy is a solar inverter manufacturer. Their inverters include a built-in web server
that serves compressed HTML over HTTP for monitoring inverter status and energy production data.
Devices are commonly deployed on residential and commercial solar installations.
KLog Server - Default Login
Author: s4e-ioAdded: Feb 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "KLog Server"})Description
KLog Server contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Kaeser Sigma Air Manager - Panel
Author: Th3l0newolfAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "SIGMA AIR MANAGER"})Description
Detected exposed Kaeser Sigma Air Manager login panel
Kanboard - Default Login
runzero-match
service["http.body.mmh3"] == "1605834045"Description
Kanboard contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Kanboard Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "2056442365"Description
Kanboard login panel was detected.
Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent
runzero-match
service["favicon.ico.image.mmh3"] == "-1445519482"Description
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
Impact
Unauthenticated attackers can obtain Agent_Guid and AgentPassword credentials via the download page, gaining authenticated access to execute further attacks against Kaseya VSA.
Remediation
Update to version 9.5.7 or later to remediate this vulnerability.
Kasm Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-2144699833"Description
Kasm workspaces login panel was detected.
Kavita Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kavita"})Description
Kavita login panel was detected.
Kentico - Installer Privilege Escalation
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kentico database setup"})Description
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 are susceptible to a privilege escalation attack. An attacker can obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
Impact
An attacker can gain administrative privileges on the Kentico CMS system.
Remediation
Upgrade to the latest version of Kentico CMS to fix the privilege escalation vulnerability.
Kerio Connect Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kerio Connect Client"})Description
Kerio Connect login panel was detected.
Kerio Controle Panel - Detect
Author: johnk3rAdded: Feb 13, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-631002664"Description
Protect your network from viruses, malware and malicious activity with GFI KerioControl, the easy-to-administer yet powerful all-in-one security solution.
Kettle - Default Login
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="Kettle'})Description
Kettle contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Kettle Panel - Detect
runzero-match
any(each(service["http.head.wwwAuthentications"]), {# contains 'realm="Kettle'})Description
Kettle panel was detected.
KeyCloak - Information Exposure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)keycloak"}) || service["http.body"] matches "(?i)keycloak" || service["favicon.ico.image.mmh3"] == "-1105083093"Description
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
Impact
The vulnerability allows an attacker to gain sensitive information from the KeyCloak server.
Remediation
Apply the latest security patches or updates provided by the KeyCloak vendor.
Keycloak Admin Console Configuration Disclosure
Author: 0x_AkokoAdded: Jan 5, 2026
runzero-match
service["product"] contains "RedHat:Keycloak"Description
Detected Keycloak admin console configuration was exposing realm name, client ID, SSL requirements, and authentication server URL enabling reconnaissance and targeted authentication attacks.
Keycloak Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1105083093" || any(each(service["html.titles"]), {# matches "(?i)keycloak"}) || service["http.body"] matches "(?i)keycloak"Description
Keycloak admin login panel was detected.
Kiali - Detect
Author: righettodAdded: Aug 19, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kiali"})Description
kiali panel was detected.
Kibana - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kibana"})Description
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Impact
Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, leading to potential information disclosure and further attacks.
Remediation
Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.
Kibana Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kibana"})Description
Kibana login panel was detected.
Kibana Timelion - Arbitrary Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kibana"})Description
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Impact
Arbitrary code execution can result in unauthorized access, data leakage, and system compromise.
Remediation
Apply the latest security patches or upgrade to a patched version of Kibana to mitigate the vulnerability.
Kiteworks PCN Panel - Detect
Author: righettodAdded: Oct 29, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1215318992"Description
Kiteworks PCN Login Panel was detected.
KiviCare Clinic & Patient Management System (EHR) <= 3.6.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/kivicare-clinic-management-system"Description
The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute time-based SQL injection through the visit_type parameter in the tax_calculated_data action to extract the complete clinic database including patient records, medical history, and appointment data.
Remediation
To remediate this vulnerability, validate and sanitize all user inputs on the server side before using them in SQL queries. Use prepared statements or stored procedures, and ensure that data is properly escaped.
Kiwi TCMS Information Disclosure
Author: act1on3Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kiwi TCMS - Login"})Description
Internal info exposed in Kiwi TCMS.
Kiwi TCMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kiwi tcms - login"})Description
Kiwi TCMS login panel was detected.
KoboldAI Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)KoboldAI Lite"})Description
KoboldAI was detected. KoboldAI was an AI text adventure and story generation interface that supports multiple local and remote language models including koboldcpp and AI Horde.
Koel Panel - Detect
Author: rxeriumAdded: Feb 27, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Koel"})Description
Personal audio streaming service that works.
Kong Manager OSS/Admin - Exposure
Author: Krishna JaishwalAdded: Oct 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kong Manager"})Description
Exposed Kong Manager (OSS/Admin) interface accessible without authentication.
Kopano WebApp Login Panel - Detect
Author: righettodAdded: Feb 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kopano WebApp"})Description
Kopano WebApp login panel was detected.
Kraken Cluster Monitoring Dashboard - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Kraken dashboard"})Description
Kraken Cluster Monitoring Dashboard was detected.
KubeOperator Foreground `kubeconfig` - File Download
runzero-match
service["http.body"] matches "(?i)kubeoperator"Description
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.
Impact
An attacker can download sensitive files from the KubeOperator Foreground kubeconfig file, potentially leading to unauthorized access or exposure of sensitive information.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
KubePi <= v1.6.4 LoginLogsSearch - Unauthorized Access
runzero-match
service["http.body"] matches "(?i)kubepi"Description
KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.
Impact
An attacker can gain unauthorized access to sensitive information.
Remediation
Upgrade KubePi to a version higher than v1.6.4 to mitigate the vulnerability.
KubePi JwtSigKey - Admin Authentication Bypass
runzero-match
service["http.body"] matches "(?i)kubepi"Description
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access and control of the Kubernetes cluster.
Remediation
The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.
KubeView <=0.1.31 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kubeview"}) || service["favicon.ico.image.mmh3"] == "-379154636"Description
KubeView through 0.1.31 is susceptible to information disclosure. An attacker can obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication and retrieves certificate files that can be used for authentication as kube-admin. An attacker can thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Unauthenticated attackers can access Kubernetes certificate files through the unauthenticated api/scrape/kube-system endpoint, potentially obtaining kube-admin credentials and gaining complete control over the Kubernetes cluster.
Remediation
Upgrade KubeView to a version higher than 0.1.31 to mitigate the information disclosure vulnerability (CVE-2022-45933).
KubeView Dashboard - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-379154636" || any(each(service["html.titles"]), {# matches "(?i)kubeview"})Description
KubeView dashboard was detected.
Kubeflow Pipelines Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Kubeflow Pipelines"})Description
Kubeflow Pipelines is an open-source platform for building and deploying portable, scalable ML workflows.
It provides a web UI for managing ML pipelines, experiments, and runs on Kubernetes.
Kubernetes API Server - YAML Parsing DoS (Billion Laughs)
runzero-match
service["product"] contains "Kubernetes:Kubernetes"Description
The Kubernetes API server is vulnerable to a denial of service attack via YAML/JSON parsing. An attacker can send a specially crafted YAML/JSON payload that causes exponential memory consumption (Billion Laughs attack), leading to API server crash.
Impact
Attackers can cause the API server to crash or become unavailable by consuming excessive CPU or memory resources.
Remediation
Upgrade to Kubernetes v1.13.12, v1.14.8, v1.15.5, v1.16.2 or later versions with fixed input validation.
Kubernetes Enterprise Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kubernetes web view"})Description
Kubernetes Enterprise Manager panel was detected.
Kubernetes Local Cluster Web View Panel- Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kubernetes web view"})Description
Kubernetes local cluster web view panel discovered.
Kubio AI Page Builder <= 2.5.1 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/kubio/"Description
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Impact
Unauthenticated attackers can include and execute arbitrary files through the kubio_hybrid_theme_load_template function, allowing arbitrary PHP code execution and potential complete server compromise.
Remediation
Fixed in 2.5.2
Kyocera Printer d-COPIA253MF - Directory Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-50306417"Description
Kyocera Printer d-COPIA253MF plus is susceptible to a directory traversal vulnerability which could allow an attacker to retrieve or view arbitrary files from the affected server.
Impact
An attacker can exploit this vulnerability to read arbitrary files from the server, potentially leading to unauthorized access or sensitive information disclosure.
Remediation
Apply the latest firmware update provided by Kyocera to fix the directory traversal vulnerability.
Kyocera TASKalfa printer - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-50306417"Description
CCRX has a Path Traversal vulnerability. Path Traversal is an attack on web applications. By manipulating the value of the file path, an attacker can gain access to the file system, including source code and critical system settings.
Impact
Unauthenticated attackers can manipulate file path values to access sensitive file system resources including source code and critical system configuration files.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
LDAP Account Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LDAP Account Manager"})Description
LDAP Account Manager login panel was detected.
LM Studio Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "LM Studio Chat"})Description
LM Studio is a desktop application for discovering, downloading, and running local
LLMs
LOYTEC LGATE-902 6.3.2 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)LGATE-902"Description
LOYTEC LGATE-902 6.3.2 is susceptible to local file inclusion which could allow an attacker to manipulate path references and access files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. This can be used to read and configuration files containing, e.g., usernames and passwords.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the device, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest firmware update provided by LOYTEC to fix the LFI vulnerability.
LaRecipe < 2.8.1 Remote Code Execution via SSTI
runzero-match
service["http.body"] matches "(?i)/binarytorch/larecipe/"Description
LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations.
Impact
Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration.
Remediation
Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch.
LabKey Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sign in: /home"})Description
LabKey Server login panel was detected.
Label Studio - Login Panel
Author: DhiyaneshDKAdded: Jul 8, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-1649949475"Description
Detects the presence of the Label Studio Login Page.
Laminas Project laminas-http - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)laminas"Description
Laminas Project laminas-http < 2.14.2 and Zend Framework 3.0.0 contain a deserialization vulnerability caused by __destruct method in Zend\\Http\\Response\\Stream, letting attackers control content lead to remote code execution, exploit requires attacker-controlled serialized data.
Impact
Attackers can execute arbitrary code remotely by controlling serialized content during deserialization.
Remediation
Update to laminas-http 2.14.2 or later; note that Zend Framework is no longer supported.
Lancom Router Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)LANCOM Systems GmbH"Description
Lancom router login panel was detected.
LangSmith Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^LangSmith"})Description
LangSmith panel was detected. LangSmith is LangChain's platform for debugging, testing, evaluating, and monitoring LLM applications.
Langflow - Broken Access Control
runzero-match
service["http.body"] matches "(?i)Langflow"Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.
Impact
Unauthenticated attackers can access sensitive user data and perform destructive actions, risking data loss and privacy breaches.
Remediation
Update to version 1.7.0.dev45 or later.
Langflow < 1.9.0 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1727196746" || service["http.body"] matches "(?i)Langflow"Description
Langflow versions prior to 1.9.0 are vulnerable to unauthenticated remote code execution (RCE) via the build_public_tmp endpoint. Attackers can submit a manipulated flow JSON containing Python code that is executed during the build process without proper sandboxing.
Impact
Remote attackers can execute arbitrary Python code without authentication, leading to full system compromise.
Remediation
Update to version 1.9.0 or later.
Langflow AI - Unauthenticated Remote Code Execution
runzero-match
service["http.body"] matches "(?i)Langflow"Description
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
Impact
Unauthenticated attackers can execute arbitrary code through crafted POST requests to the /api/v1/validate/code endpoint, achieving complete server compromise.
Remediation
Upgrade to Langflow version 1.3.0 or later that properly validates user input before passing it to code execution functions.
Langflow AI <= 1.6.9 - CORS Misconfiguration
runzero-match
service["product"] contains "Langflow:Langflow"Description
Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint.
Impact
An attacker can steal authentication tokens via CORS and execute arbitrary code on the server.
Remediation
Upgrade to Langflow version 1.7.0 or later which restricts CORS origins properly.
Langfuse Panel - Detect
Author: ChrisJr404Added: May 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Langfuse"})Description
Langfuse panel was detected. Langfuse is an open-source LLM engineering platform for observability, evaluations, prompt management and analytics. Exposed instances may reveal LLM prompts, traces, evaluations, and connected API keys.
Lansweeper Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)lansweeper - login"})Description
Lansweeper login panel was detected.
Lansweeper Unauthenticated SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)lansweeper - login"})Description
Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.
Impact
This vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire Lansweeper system.
Remediation
Apply the latest security patch or update provided by Lansweeper to fix the SQL Injection vulnerability.
Laravel Backpack Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Backpack Admin"})Description
Laravel Backpack admin login panel was detected.
Laravel Filemanager v2.5.1 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Laravel Filemanager"Description
Laravel Filemanager (aka UniSharp) through version 2.5.1 is vulnerable to local file inclusion via download?working_dir=%2F.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, sensitive data exposure, and remote code execution.
Remediation
Upgrade to a patched version of Laravel Filemanager v2.5.1 or apply the recommended security patches provided by the vendor.
Laravel Login - Panel Detection
Author: ProjectDiscoveryAIAdded: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches `(?i)Login\s*[\p{Pd}|]?\s*Laravel`})Description
A Laravel login panel was detected.
Leantime - Detect
Author: icarotAdded: Mar 9, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Leantime"})Description
Detects a Leantime server, a project management system for non-project managers.
LearnDash LMS < 4.10.2 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sfwd-lms"Description
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.
Impact
Unauthenticated attackers can access the LearnDash API to obtain sensitive quiz materials, questions, and course content that should be restricted to enrolled learners.
Remediation
Fixed in 4.10.2
LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sfwd-lms"Description
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.
Impact
Unauthenticated attackers can access the LearnDash API to obtain uploaded student assignments and coursework that should be restricted to instructors and enrolled learners.
Remediation
Fixed in 4.10.2
LearnDash LMS < 4.10.3 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sfwd-lms"Description
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.
Impact
Unauthenticated attackers can access the LearnDash API to obtain quiz questions, answer options, and point values, compromising the integrity of course assessments.
Remediation
Fixed in 4.10.3
LearnPress < 4.2.6.8.1 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress/"Description
LearnPress – WordPress LMS Plugin contains a sensitive information exposure caused by incorrect implementation of get_items_permissions_check function in all versions up to 4.2.6.8, letting unauthenticated attackers extract user emails and basic information.
Impact
Unauthenticated attackers can access sensitive user information, including emails, leading to privacy breaches.
Remediation
Update to version 4.2.6.9 or later.
LearnPress < 4.2.7.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress"Description
The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
LearnPress < 4.2.7.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/learnpress"Description
The LearnPress WordPress LMS Plugin before 4.2.7.1 is vulnerable to unauthenticated SQL injection via the 'c_fields' parameter in the /wp-json/lp/v1/courses/archive-course REST API endpoint, allowing attackers to extract sensitive information from the database.
Impact
Unauthenticated attackers can exploit SQL injection through the c_fields parameter to extract sensitive database information including user credentials, course data, and personal information from the LearnPress LMS.
Remediation
Update the LearnPress plugin to version 4.2.7.1 or later.
LearnPress < 4.2.7.4 - Course Material - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress/"Description
LearnPress – WordPress LMS Plugin contains a sensitive information exposure caused by insecure handling in class-lp-rest-material-controller.php, letting unauthenticated attackers extract paid course material, exploit requires no authentication.
Impact
Unauthenticated attackers can access and extract sensitive paid course content, leading to intellectual property theft and privacy breaches.
Remediation
Update to the latest version beyond 4.2.7.3 or apply security patches provided by the vendor.
LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress/"Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
Impact
Unauthenticated attackers can access sensitive admin curriculum, quiz answers, and course materials, compromising educational content confidentiality.
Remediation
Update to the latest version beyond 4.2.9.4.
LearnPress < 4.3.2 - Broken Access Control
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress/"Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts.
Impact
Unauthenticated attackers can view sensitive order statistics including revenue and order status, leading to information disclosure.
Remediation
Update to a version later than 4.3.1 or the latest available version.
LearnPress <= 4.2.5.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress" || service["http.body"] matches "(?i)wp-content/plugins/learnpress"Description
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute time-based SQL injection through the order_by parameter to extract the complete WordPress database including user credentials and course data.
Remediation
Fixed in version 4.2.5.8
LearnPress Plugin < 4.2.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress"Description
Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive files, remote code execution, or information disclosure.
Remediation
Upgrade to the latest version of LearnPress Plugin (4.2.0 or higher) to mitigate this vulnerability.
LearnPress Plugin < 4.2.0 - Unauthenticated Time-Based Blind SQLi
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learnpress" || service["http.body"] matches "(?i)wp-content/plugins/learnpress"Description
SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
Impact
Unauthenticated attackers can execute time-based blind SQL injection through the order_by parameter in the LearnPress courses archive endpoint, potentially extracting sensitive database information including user credentials, course data, and student information.
Remediation
Update LearnPress plugin to version 4.2.0 or later that properly sanitizes and parameterizes the order_by parameter.
Lenovo Fan Power Controller Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)fan and power controller"Description
Lenovo Fan Power Controller login panel was detected.
Leostream Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Leostream"})Description
Leostream default admin credentials were discovered.
Leostream Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Leostream"})Description
Leostream login panel was detected.
Letta Letta 0.7.12 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Letta"})Description
Letta 0.7.12 is vulnerable to remote code execution via POST /v1/tools/run in letta.server.rest_api.routers.v1.tools.run_tool_from_source, allowing attackers to execute arbitrary Python and OS commands via crafted tool source code.
Impact
Unauthenticated attackers can execute arbitrary Python code through crafted tool source code in the /v1/tools/run endpoint, achieving remote code execution.
Remediation
Upgrade Letta to a version later than 0.7.12 that properly validates and sandboxes tool source code execution.
Letta Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Letta$"})Description
Letta (formerly MemGPT) is an open-source framework for building stateful LLM agents with long-term memory.
LibreChat <= 0.7.9 - HTML Injection via Accept-Language Header
runzero-match
service["product"] contains "LibreChat:LibreChat"Description
danny-avila/librechat 0.7.9 contains a stored XSS caused by improper sanitization of the Accept-Language header, letting logged-in users inject arbitrary HTML into the html lang= tag, exploit requires user to be logged in.
Impact
Logged-in attackers can inject arbitrary HTML leading to cross-site scripting attacks, potentially compromising user sessions or data.
Remediation
Update to the latest version where this issue is fixed.
LibreChat Login Panel - Detection
Author: KazgangapAdded: Dec 31, 2025
runzero-match
service["product"] contains "LibreChat:LibreChat"Description
Detected LibreChat login panel. LibreChat is an open-source, self-hosted AI chat interface.
LibreNMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)librenms"})Description
LibreNMS login panel was detected.
LibrePhotos Panel - Detect
Author: ritikchaddhaAdded: Nov 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LibrePhotos"})LibreSpeed Panel - Detect
Author: ritikchaddhaAdded: Nov 8, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LibreSpeed"})Description
LibreSpeed is a very lightweight speed test implemented in Javascript, using XMLHttpRequest and Web Workers.
Liferay Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "129457226"Description
Liferay login panel was detected,
Liferay Portal Unauthenticated < 7.2.1 CE GA2 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "129457226"Description
Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Impact
Unauthenticated attackers can execute arbitrary code via JSON web services, leading to complete server compromise and access to all portal data.
Remediation
Upgrade Liferay Portal to version 7.2.1 CE GA2 or later to mitigate the vulnerability.
Lightdash version <= 0.510.3 Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)lightdash"})Description
packages/backend/src/routers in Lightdash before 0.510.3
has insecure file endpoints, e.g., they allow .. directory
traversal and do not ensure that an intended file extension
(.csv or .png) is used.
Impact
The vulnerability can lead to unauthorized access to sensitive information, potentially exposing user credentials, database credentials, and other confidential data.
Remediation
Upgrade Lightdash to a version higher than 0.510.3 to mitigate the vulnerability.
LimeSurvey - Default Admin Credentials
Author: 0x_AkokoAdded: Mar 25, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LimeSurvey"})Description
Detected the LimeSurvey survey management platform was found to be using default administrator credentials (admin:password). An attacker was able to gain full administrative access to manage surveys, responses, and user accounts.
Lin CMS Spring Boot - Default JWT Token
runzero-match
service["http.body"] matches "(?i)心上无垢,林间有风"Description
An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.
Impact
Unauthenticated attackers can access backend administrative information and functions using a hardcoded default JWT token, potentially gaining complete control over the Lin CMS Spring Boot application including user management and content administration.
Remediation
Update Lin CMS Spring Boot to a version later than 0.2.1 that uses unique JWT secret keys, removes hardcoded tokens, and implements proper token rotation.
LinShare Login Panel - Detect
Author: righettodAdded: Feb 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LinShare"})Description
LinShare login panel was detected.
Linear eMerge E3-Series - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)Linear eMerge"Description
Linear eMerge E3-Series devices contain a cross-site scripting vulnerability via the type parameter, e.g., to the badging/badge_template_v0.php component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and thus steal cookie-based authentication credentials and launch other attacks. This affects versions 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patch or update provided by the vendor to fix the XSS vulnerability in the Linear eMerge E3-Series.
Linear eMerge E3-Series - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)linear emerge"}) || any(each(service["html.titles"]), {# matches "(?i)emerge"})Description
Linear eMerge E3-Series devices are susceptible to information disclosure. Admin credentials are stored in clear text at the endpoint /test.txt in situations where the default admin credentials have been changed. An attacker can obtain admin credentials, access the admin dashboard, control building access and cameras, and access employee information.
Impact
An attacker can exploit this vulnerability to gain sensitive information from the device.
Remediation
Apply the latest firmware update provided by the vendor to fix the vulnerability.
Linkerd Panel - Detect
runzero-match
service["http.body"] matches "(?i)data-controller-namespace"Description
Linkerd panel was detected.
Linksys Smart Wi-Fi Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Linksys Smart WI-FI"})Description
Linksys Smart Wi-Fi login panel was detected.
Linkwarden Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "1726765983" || any(each(service["html.titles"]), {# matches "(?i)Linkwarden"})Description
Linkwarden (linkwarden.app / github.com/linkwarden/linkwarden) is a popular open-source self-hosted bookmark and link archiving manager. Default Docker port 3000. Exposed instances may reveal users' archived link collections, screenshots, and PDFs.
ListSERV Maestro <= 9.0-8 RCE
runzero-match
service["http.body"] matches "(?i)struts problem report" || service["http.body"] matches "(?i)apache struts" || any(each(service["html.titles"]), {# matches "(?i)struts2 showcase"})Description
A struts-based OGNL remote code execution vulnerability exists in ListSERV Maestro before and including version 9.0-8.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to a patched version of ListSERV Maestro that is not affected by this vulnerability.
ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/listingpro"Description
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lp_cc_addons_actions function. This makes it possible for unauthenticated attackers to arbitrarily install, activate and deactivate any plugin.
Impact
Unauthenticated attackers can arbitrarily install, activate or deactivate plugins, potentially installing malicious plugins to gain complete site control.
Remediation
Upgrade to ListingPro version 2.6.1 or later.
ListingPro < 2.6.1 - Sensitive Data Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/listingpro"Description
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email addresses, phone numbers, physical addresses and user post counts.
Impact
Unauthenticated attackers can extract sensitive user data including usernames, email addresses, phone numbers, and physical addresses from all registered users.
Remediation
Upgrade to ListingPro version 2.6.1 or later.
LiteLLM API - Swagger UI Detection
Author: rxeriumAdded: Feb 20, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LiteLLM API - Swagger UI"})Description
Detects exposed LiteLLM API Swagger UI interface. LiteLLM is a unified API for 100+ LLM providers (OpenAI, Azure, Anthropic, etc.).
Live Helper Chat Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)live helper chat"})Description
Live Helper Chat admin login panel was detected.
LiveZilla Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)livezilla"Description
LiveZilla login panel was detected.
LocalAI - Partial Local File Read
runzero-match
service["favicon.ico.image.mmh3"] == "-976853304"Description
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s)-// and file-// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.
Impact
Attackers can exploit SSRF to access internal HTTP services and partially read local files through error messages, potentially exposing sensitive information.
Remediation
Update LocalAI to version 2.17 or later to address the SSRF and LFI vulnerabilities.
LocalGPT Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "LocalGPT"})Description
LocalGPT is an open-source project that allows users to chat with their documents
locally using LLMs with no data leaving their device
LockSelf Login Panel - Detect
Author: righettodAdded: Mar 9, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LockSelf"})Description
LockSelf login panel was detected.
Locklizard Web Viewer Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Locklizard Web Viewer"Description
Locklizard Web Viewer login panel was detected.
Login as User or Customer < 3.3 - Privilege Escalation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/login-as-customer-or-user"Description
The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.
Impact
Unauthenticated attackers can obtain valid admin sessions by exploiting missing authorization checks in the Login as User or Customer plugin, potentially gaining complete control over the WordPress site and all user accounts.
Remediation
Fixed in version 3.3
Logitech Harmony Pro Installer Portal Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Logitech Harmony Pro Installer"})Description
Logitech Harmony Pro Installer Portal login panel was detected.
Lomnido Panel - Detect
Author: righettodAdded: Jan 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Lomnido Login"})Description
Lomnido was detected.
Looker Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)lookerVersion"Description
Looker login panel was detected.
LottieFiles WordPress Plugin <= 3.0.0 - Missing Authorization
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/lottiefiles"Description
LottieFiles LottieFiles <= 3.0.0 contains a broken access control vulnerability caused by incorrectly configured access control security levels, letting attackers exploit missing authorization, exploit requires no special privileges.
Impact
Attackers can bypass authorization to access or modify restricted resources, potentially leading to data exposure or unauthorized actions.
Remediation
Update to the latest version beyond 3.0.0.
Loxone Intercom Video Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Loxone Intercom Video"})Description
Loxone Intercom Video panel was detected.
Loxone WebInterface Panel - Detect
Author: DhiyaneshDkAdded: Oct 8, 2024
runzero-match
service["http.body"] matches "(?i)<title>Webinterface</title>"Loytec PLC - Default Login
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1081604898"Description
Identified Loytec PLC web interfaces that were accessible using default credentials (admin:loytec4u). These devices were commonly deployed in building automation and industrial control environments. When left unchanged, default credentials could have allowed unauthorized users to gain administrative access to the system.
Lucee - Default Login
runzero-match
service["http.body"] matches "Lucee"Description
Lucee admin panel using the default login password was discovered.
Lucee - Unset Credentials
runzero-match
service["http.body"] matches "(?i)Lucee"Description
The Lucee admin panel has a first-time setup page which allows any user to set the administrator password.
Lucee < 6.0.1.59 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Lucee"})Lucee Web and Lucee Server Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Lucee"})Description
Lucee admin login panels were detected in both Web and Server tabs.
M-Bus Converter Web Interface - Detect
Author: DhiyaneshDkAdded: Oct 8, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)JC-e converter webinterface"})M-Files Web Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)m-files web"Description
M-Files Web login panel was detected.
MAG Dashboard Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MAG Dashboard Login"})Description
MAG Dashboard login panel was detected.
MCMS 5.2.4 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
MCMS 5.2.4 contains a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in MCMS 5.2.4.
MCMS 5.2.5 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
MCMS 5.2.5 contains a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in MCMS 5.2.5.
MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MCP Inspector"})Description
The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio.
Impact
Unauthenticated attackers can launch arbitrary MCP commands over stdio due to lack of authentication between Inspector client and proxy, enabling remote code execution.
Remediation
Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.
MISP Threat Intelligence Sharing Platform Panel - Detect
Author: johnk3r,darsesAdded: May 31, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-137577333" || any(each(service["html.titles"]), {# matches "(?i)users - misp"}) || any(each(service["html.titles"]), {# matches "(?i)errors - misp"})MLFlow < 2.8.1 - Sensitive Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mlflow"})Description
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
Impact
An attacker can access sensitive information stored in MLFlow.
Remediation
Upgrade MLFlow to a version that has patched CVE-2023-43472.
MLflow Absolute Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mlflow"})Description
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
Impact
This vulnerability can lead to unauthorized access to sensitive information stored on the server.
Remediation
Upgrade to a patched version of MLflow to mitigate the Absolute Path Traversal vulnerability.
MLflow Job API - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MLflow"})Description
MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/* when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions.
Impact
Unauthenticated attackers can execute jobs remotely, potentially leading to remote code execution, denial of service, or data exposure.
Remediation
Update to the latest version with fixed authentication enforcement on job endpoints.
MLflow Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "MLflow"})Description
MLflow is an open-source platform for managing the end-to-end machine learning
lifecycle including experimentation, reproducibility, and deployment. This template
detects exposed MLflow tracking server UI instances.
MOFI4500-4GXeLTE-V2 Default Login
runzero-match
any(each(service["html.titles"]), {# matches "^MOFI4500"})Description
Mofi Network MOFI4500-4GXELTE wireless router default admin credentials were discovered.
MOVEit Transfer - SQL Injection
runzero-match
service["product"] contains "Progress Software:MOVEit MFT"Description
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Impact
Attackers can modify and disclose sensitive database content, leading to data breach and potential system compromise.
Remediation
Update to fixed versions: 2020.1.10, 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, or latest available version.
MPDV Mikrolab GmbH HYDRA X, MIP 2 & FEDRA 2 - Path Traversal
runzero-match
service["http.body"] matches "(?i)MPDV"Description
MPDV Mikrolab GmbH HYDRA X, MIP 2, and FEDRA 2 <= Maintenance Pack 36 with Servicepack 8 (week 36/2025) contain an unauthenticated local file disclosure vulnerability caused by improper validation of the "Filename" parameter in the public $SCHEMAS$ resource, letting attackers read arbitrary Windows OS files, exploit requires local access.
Impact
Attackers can read arbitrary files on the Windows operating system, potentially exposing sensitive information.
Remediation
Update to Maintenance Pack 36 with Servicepack 8 (week 36/2025) or later.
MPFTVC Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AdminLogin - MPFTVC"})Description
MPFTVC admin login panel was detected.
MSNSwitch Firmware MNT.2408 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-2073748627"Description
MSNSwitch Firmware MNT.2408 is susceptible to authentication bypass in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh. An attacker can arbitrarily configure settings, leading to possible remote code execution and subsequent unauthorized operations.
Impact
Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the affected device.
Remediation
Apply the latest firmware update provided by the vendor to fix the authentication bypass vulnerability.
MSPControl Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MSPControl - Sign In"})Description
MSPControl login panel was detected.
MStore API < 3.9.8 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mstore-api/"Description
The MStore API WordPress plugin before 3.9.8 is vulnerable to Blind SQL injection via the product_id parameter.
Impact
Allows an attacker to extract sensitive data from the database
Remediation
Update MStore API WordPress Plugin to the latest version to mitigate the vulnerability
MStore API <= 3.9.1 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mstore-api/"Description
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Impact
Attackers can log in as any user, including administrators, potentially gaining full control over the site.
Remediation
Update to version 3.9.2 or later.
MStore API <= 3.9.2 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mstore-api/"Description
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Impact
An attacker can bypass authentication and gain unauthorized access to the MStore API, potentially leading to data breaches or unauthorized actions.
Remediation
Upgrade to a patched version of MStore API (version 3.9.3 or above) to mitigate the authentication bypass vulnerability.
MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mstore-api/"Description
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.
Impact
Attackers can log in as any user and escalate privileges, potentially leading to full account compromise.
Remediation
No patch available yet; monitor for updates from the developer and apply patches as soon as they are released.
MachForm Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MachForm Admin Panel"})Description
MachForm Admin panel was detected.
Maestro LISTSERV - Detect
Author: righettodAdded: Sep 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)LISTSERV Maestro"})Description
Maestro LISTSERV panel was detected.
Maestro LuCI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Maestro - LuCI"})Description
Maestro LuCI login panel was detected.
Mage AI - Insecure Default Authentication Setup
runzero-match
service["http.body"] matches "(?i)<title>Mage</title>"Description
A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecure default initialization of resource. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. After 7 months of repeated follow-ups by the researcher, Mage AI has decided to not accept this issue as a valid security vulnerability and has confirmed that they will not be addressing it.
Impact
Attackers can exploit insecure default authentication configuration to gain unauthorized access to Mage AI installations, potentially leading to remote code execution and complete system compromise.
Remediation
Implement proper authentication configuration by following the vendor's security hardening guidelines.
Mage AI Panel - Detect
Author: ChrisJr404Added: May 19, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mage"})Description
Mage AI (mage.ai / github.com/mage-ai/mage-ai) is an open-source data pipeline + orchestration platform with a notebook-style UI. Self-hosted instances default to TCP 6789 and historically have shipped without authentication. Exposed instances may reveal pipeline source, secrets, and provide an authenticated path to arbitrary code execution via custom blocks.
Magnolia CMS Default Login - Detect
runzero-match
service["http.body"] matches "Magnolia is a registered trademark"Description
Magnolia CMS default login credentials were detected.
Magnolia CMS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Magnolia is a registered trademark"Description
Magnolia CMS login panel was detected.
MagnusBilling - Default Login
Author: DhiyaneshDkAdded: May 20, 2025
runzero-match
service["http.body"] matches "MagnusBilling"Description
MagnusBilling installs with a default administrative account using the credentials root / magnus. If unchanged, these credentials grant full access to the system, allowing attackers to manage billing data, modify configurations, and potentially execute arbitrary code or commands via exposed interfaces.
Impact
An unauthenticated attacker can gain full administrative control over the MagnusBilling platform, leading to compromise of billing systems, data leakage, and potential pivoting into internal infrastructure.
MagnusBilling - Login Panel
Author: DhiyaneshDKAdded: May 20, 2025
runzero-match
service["http.body"] matches "(?i)MagnusBilling"Description
Identified an exposed MagnusBilling login panel.
Mail Mint < 1.19.5 - Unauthenticated Email Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mail-mint/"Description
Mail Mint WordPress plugin < 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication.
Impact
Unauthenticated attackers can retrieve email addresses of users, leading to privacy breaches and potential phishing attacks.
Remediation
Update to version 1.19.5 or later.
MailEnable Mail Service < v10 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MailEnable"})Description
Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component.
Impact
Attackers can execute arbitrary JavaScript in victim browsers through the state parameter in failure.aspx, potentially leading to session hijacking and credential theft.
Remediation
Upgrade to MailEnable version 10 or later that properly sanitizes user input in the failure.aspx component.
MailHog Panel - Detect
runzero-match
service["http.body"] matches "(?i)mailhog"Description
MailHog panel was detected.
MailWatch Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MailWatch Login Page"})Description
MailWatch login panel was detected.
Mailpit < 1.28.3 - Server-Side Request Forgery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mailpit"})Description
Mailpit <= 1.28.0 contains a server-side request forgery caused by insufficient validation of internal IP addresses in the /proxy endpoint, letting attackers make requests to internal network resources, exploit requires crafted HTTP GET requests.
Impact
Attackers can access internal network services and APIs, potentially exposing sensitive internal resources.
Remediation
Update to version 1.28.1 or later.
MainWP Dashboard <= 3.1.2 - Stored Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mainwp"Description
MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress versions up to 3.1.2 contains a stored cross-site scripting caused by insufficient input sanitization and output escaping in 'mwp_setup_purchase_username' parameter, letting unauthenticated attackers inject and execute arbitrary scripts when users access affected pages.
Impact
Unauthenticated attackers can inject scripts that execute in users' browsers, potentially leading to session hijacking, defacement, or redirection.
Remediation
Update to the latest version of the plugin that addresses this vulnerability.
MajorDoMo - Unauthenticated RCE
runzero-match
service["http.body"] matches "(?i)templates/application\\.html"Description
MajorDoMo contains a remote code execution caused by an include order bug and lack of exit after redirect in admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests.
Impact
Unauthenticated attackers can execute arbitrary PHP code remotely, potentially leading to full system compromise.
Remediation
Update to the latest version with the fix for the include order bug and proper exit after redirect.
MajorDoMo thumb.php - OS Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1903390397"Description
MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager.
Impact
Unauthenticated attackers can execute arbitrary OS commands via shell metacharacters in the thumb.php transport parameter, potentially compromising the entire system.
Remediation
Update MajorDoMo to a version newer than commit 0662e5e which addresses the command injection vulnerability.
Maltrail Panel - Detect
Author: ritikchaddhaAdded: Aug 19, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Maltrail"})Description
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name, URL (e.g. hXXp://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value.
Malwared (Build Your Own Botnet) - Detect
Author: pdteamAdded: Aug 17, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "487145192"Description
Detects the presence of the Malwared - Build Your Own Botnet tool on the target system.
Malwared BYOB - Unauthenticated Remote Code Execution
Author: pdteamAdded: Aug 17, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "487145192"Description
Malwared BYOB - Unauthenticated RCE allows remote code execution.
Impact
Potential unauthorized access and control of the target system by threat actors.
Remediation
Remove any instances of the Malwared - Build Your Own Botnet tool from the target system and conduct a thorough security audit.
ManageEngine Applications Manager - Default Credentials
Author: 0midC13Added: Mar 2, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Applications Manager Login Screen"})Description
Default credentials grants administrative access to ManageEngine Applications Manager, which can be later escalated into a RCE via DB queries.
ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine"})Description
ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
Impact
An attacker can access sensitive files on the server, potentially leading to unauthorized access or data leakage.
Remediation
Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328 or apply the necessary security patches.
MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
runzero-match
service["favicon.ico.image.mmh3"] == "662709064"Description
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized password resets and unauthorized administrative access.
Remediation
Upgrade MantisBT to a version higher than 2.30 to mitigate this vulnerability.
MantisBT Default Admin Login
runzero-match
any(each(service["html.titles"]), {# matches "MantisBT"})Description
A MantisBT default admin login was discovered.
MantisBT Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "662709064"Description
MantisBT login panel was detected.
MapSVG < 6.2.20 - Unauthenticated SQLi
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/mapsvg/"Description
The MapSVG WordPress plugin before 6.2.20 does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users.
Impact
Unauthenticated attackers can execute SQL injection via REST API endpoint to extract database contents or execute arbitrary commands, potentially compromising the entire WordPress database.
Remediation
Upgrade to MapSVG version 6.2.20 or later.
MapTiler Tileserver-php v2.0 - Unauthenticated File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TileServer-php"})Description
MapTiler Tileserver-php v2.0 contains a directory traversal caused by improper sanitization of GET parameters in renderTile function, letting attackers read arbitrary files on the server, exploit requires crafted web requests
Impact
Attackers can read arbitrary files on the server, potentially exposing sensitive information.
Remediation
Update to the latest version of MapTiler Tileserver-php.
MapTiler Tileserver-php v2.0 - Unauthenticated XSS
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TileServer-php"})Description
MapTiler Tileserver-php v2.0 contains a reflected XSS caused by unencoded reflection of the GET parameter \"layer\" in an error message, letting unauthenticated attackers execute arbitrary script on victim browsers.
Impact
Unauthenticated attackers can execute arbitrary JavaScript in victim browsers, leading to session hijacking or phishing.
Remediation
Update to the latest version of MapTiler Tileserver-php.
Marimo Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "marimo"})Description
Marimo is an open-source reactive Python notebook and app framework that replaces Jupyter
with git-friendly, reproducible notebooks.
MasterSAM Star Gate v11 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)MasterSAM"Description
MasterSAM Star Gate v11 is vulnerable to a directory traversal attack via the endpoint /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially leading to the exposure of sensitive information.
Impact
Unauthenticated attackers can exploit directory traversal to read arbitrary files from the server, potentially exposing sensitive configuration data, credentials, and system files.
Remediation
Contact MasterSAM for a patched version of Star Gate v11 that addresses the directory traversal vulnerability.
MasterStudy LMS WordPress Plugin <= 3.2.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/masterstudy-lms-learning-management-system/"Description
The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can extract sensitive information from the database including usernames, passwords, and other confidential data via time-based SQL injection.
Remediation
Update MasterStudy LMS plugin to version 3.2.6 or later.
Masteriyo LMS <= 1.7.3 - Insecure Direct Object Reference
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/learning-management-system/"Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress.This issue affects Masteriyo - LMS: from n/a through 1.7.3.
Impact
An unauthenticated attacker can access course progress and user learning data without logging in.
Remediation
Update the Masteriyo LMS plugin to the latest version and enforce proper authentication and authorization checks on REST API endpoints.
Matomo Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-2023266783"Description
google analytics alternative that protects your data and your customers privacy.
Mattermost Login - Panel
Author: darsesAdded: Jun 10, 2025
runzero-match
service["http.body"] matches "(?i)'content=\"Mattermost\"'"Description
Mattermost Login Panel was discovered.
MeTube Instance Detected
Author: rxeriumAdded: Aug 10, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MeTube"})Description
A MeTube instance was detected.
Mealie Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mealie"})Description
Detected Mealie was a self-hosted recipe manager and meal planner with a Vue/Nuxt frontend and FastAPI backend.
Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/media-library-assistant"Description
Media Library Assistant plugin for WordPress before 2.82 contains a local file inclusion caused by unsanitized mla_gallery link parameter, letting attackers include arbitrary local files, exploit requires access to the vulnerable link.
Impact
Attackers can include arbitrary local files, potentially leading to information disclosure or code execution.
Remediation
Update to version 2.82 or later.
Meduza Stealer Panel - Detect
Author: dwisiswant0Added: Feb 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Meduza Stealer"})Description
Meduza Stealer panel were detected.
Memos 0.13.2 - Cross-Site Scripting & SSRF
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Memos"})Description
An SSRF vulnerability exists at the `/o/get/image` that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability.
Impact
Attackers can inject malicious scripts and perform SSRF attacks, compromising user data and accessing internal resources.
Remediation
Update Memos to version 0.13.3 or later.
Memos Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)memos"})Description
Memos is a privacy-first, lightweight note-taking service
MeshCentral Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)meshcentral - login"})Description
MeshCentral login panel was detected.
Mesop AI Sandbox <= 1.2.2 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)Mesop"Description
Mesop <= 1.2.2 contains an unrestricted remote code execution caused by unauthenticated ingestion and execution of base64-encoded Python code in the /exec-py endpoint of ai/testing module, letting attackers execute arbitrary commands on the host, exploit requires HTTP access to the server.
Impact
Attackers can execute arbitrary commands on the host, leading to full system compromise.
Remediation
Upgrade to version 1.2.3 or later.
MetInfo CMS <= 8.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MetInfo"})Description
MetInfo CMS 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization in the execution path, letting remote attackers execute arbitrary code remotely, exploit requires crafted requests.
Impact
Remote attackers can execute arbitrary code, gaining full control over the affected server.
Remediation
Update to the latest version beyond 8.1.
Metabase - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metabase"})Description
Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded.
Impact
The vulnerability can result in unauthorized access to sensitive files or execution of arbitrary code on the affected system.
Remediation
This issue is fixed in 0.40.5 and .40.5 and higher. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Metabase < 0.46.6.1 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metabase"})Description
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade Metabase to version 0.46.6.1 or later to mitigate this vulnerability.
Metabase Installer - Exposure
Author: 0x_AkokoAdded: Dec 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Metabase"}) && service["http.body"] contains "setup"Description
Detected Metabase installer page, allowing unauthorized database setup and configuration.
Metabase Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metabase"})Description
Metabase login panel was detected.
Metaflow UI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Metaflow UI"})Description
Metaflow is an open-source ML platform created by Netflix for building and managing real-life data science projects.
The Metaflow UI provides a web interface for monitoring and managing Metaflow runs and flows.
Metasploit Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metasploit"}) || any(each(service["html.titles"]), {# matches "(?i)metasploit - setup and configuration"})Description
Metasploit Web Panel is detected
Metasploit Setup and Configuration Page - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)metasploit - setup and configuration"}) || any(each(service["html.titles"]), {# matches "(?i)metasploit"})Description
Metasploit setup and configuration page was detected.
MeterSphere Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)metersphere"Description
MeterSphere login panel was detected.
Metersphere - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)metersphere"Description
Metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files available to the running process. This issue has been addressed in version 1.20.20 lts and 2.7.1
Impact
This vulnerability can lead to unauthorized access to sensitive information, such as configuration files, credentials, and other sensitive data.
Remediation
Users are advised to upgrade. There are no known workarounds for this vulnerability.
Micro Focus Application Lifecycle Management - Panel
Author: righettodAdded: May 21, 2024
runzero-match
service["http.body"] matches "(?i)Micro\u00a0Focus\u00a0Application\u00a0Lifecycle\u00a0Management"Description
Micro Focus Application Lifecycle Management login panel was detected.
Micro Focus Filr Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)micro focus filr"Description
Micro Focus Filr login panel was detected.
Micro Focus Vibe Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)micro focus vibe"Description
Micro Focus Vibe login panel was detected.
Microsoft Exchange - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)outlook"}) || service["favicon.ico.image.mmh3"] == "1768726119"Description
Microsoft Exchange Server Information Disclosure Vulnerability. This vulnerability enables an attacker to bypass authentication and gain access to the Exchange Server's internal.
Impact
Unauthenticated attackers can bypass authentication using a SecurityToken cookie, gaining access to Exchange Server's internal API endpoints and sensitive information.
Remediation
Apply security updates provided by Microsoft to fix the authentication bypass vulnerability.
Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)
runzero-match
service["product"] contains "Microsoft:Exchange Server"Description
Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server.
Impact
Attackers can execute arbitrary code remotely, potentially leading to full system compromise or data breach
Remediation
Apply the latest security patches and updates provided by Microsoft for Exchange Server
Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)
runzero-match
service["product"] contains "Microsoft:Exchange Server"Description
Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server.
Impact
Attackers can execute arbitrary code remotely, potentially leading to full system compromise or data breach
Remediation
Apply the latest security patches and updates provided by Microsoft for Exchange Server
Microsoft Exchange Admin Center Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1768726119" || any(each(service["html.titles"]), {# matches "(?i)outlook"})Description
Microsoft Exchange Admin Center login panel was detected.
Microsoft Exchange Server End-of-Life - Detect
Author: Shivam KambojAdded: Mar 3, 2026
runzero-match
service["product"] contains "Microsoft:Outlook Web Access"Description
Detected Microsoft Exchange Server versions that have reached End-of-Life (EOL) and no longer receive security updates.
Microsoft Exchange Server Pre-Auth POST Based Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1768726119"Description
Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, data theft, or other malicious activities.
Remediation
Apply the latest security updates provided by Microsoft to mitigate this vulnerability.
Microsoft Exchange Web Service - Detect
Author: bhutch,userdehghaniAdded: Feb 2, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)outlook"}) || service["favicon.ico.image.mmh3"] == "1768726119"Description
Microsoft Exchange Web Services was detected.
Microsoft Windows 'HTTP.sys' - Remote Code Execution
runzero-match
service["http.head.server"] matches `(?i)microsoft-iis`Description
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
Impact
Attackers can execute arbitrary code remotely on Windows servers running vulnerable HTTP.sys, potentially leading to complete system compromise and data breach.
Remediation
Apply Microsoft security update MS15-034 immediately to patch the vulnerability.
Microsys Promotic SCADA - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "PROMOTIC"})Description
Microsys Promotic is a SCADA/HMI software platform widely deployed in central European
industrial and building automation applications. The embedded web server exposes a
runtime panel accessible over HTTP on non-standard ports.
Microweber <1.1.20 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)microweber" || service["favicon.ico.image.mmh3"] == "780351152"Description
Microweber before 1.1.20 is susceptible to information disclosure via userfiles/modules/users/controller/controller.php. An attacker can disclose the users database via a /modules/ POST request and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information.
Remediation
Upgrade Microweber to version 1.1.20 or later to mitigate the vulnerability.
Microweber <1.2.15 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "780351152"Description
Microweber prior to 1.2.15 contains a reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
Remediation
Upgrade to Microweber CMS version 1.2.15 or later, which includes proper input sanitization to mitigate the XSS vulnerability.
MikroTik Router OS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mikrotik routeros > administration"})Description
MikroTik Router OS login panel was detected.
MikroTik RouterOS Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mikrotik routeros > administration"})Description
MikroTik RouterOS admin login panel was detected.
Milesight Routers - Information Disclosure
runzero-match
service["http.body"] matches "(?i)rt_title"Description
A critical security vulnerability has been identified in Milesight Industrial Cellular Routers, compromising the security of sensitive credentials and permitting unauthorized access. This vulnerability stems from a misconfiguration that results in directory listing being enabled on the router systems, rendering log files publicly accessible. These log files, while containing sensitive information such as admin and other user passwords (encrypted as a security measure), can be exploited by attackers via the router's web interface. The presence of a hardcoded AES secret key and initialization vector (IV) in the JavaScript code further exacerbates the situation, facilitating the decryption of these passwords. This chain of vulnerabilities allows malicious actors to gain unauthorized access to the router.
Impact
Unauthenticated attackers can access publicly exposed log files containing encrypted admin and user passwords, then decrypt them using the hardcoded AES key found in JavaScript code, gaining full administrative access to industrial cellular routers.
Remediation
Update Milesight Industrial Cellular Router firmware to disable directory listing, restrict access to log files, and remove hardcoded cryptographic keys from the web interface.
MinIO Browser Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)minio browser"}) || any(each(service["html.titles"]), {# matches "(?i)minio console"})Description
MinIO Browser login panel was detected.
MinIO Cluster Deployment - Information Disclosure
runzero-match
service["http.body"] matches "(?i)symfony profiler" || any(each(service["html.titles"]), {# matches "(?i)minio console"}) || any(each(service["html.titles"]), {# matches "(?i)minio browser"})Description
MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted.
Impact
An attacker can gain unauthorized access to sensitive information stored in the MinIO cluster.
Remediation
All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
MinIO Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MinIO Console"})Description
MinIO Console login panel was detected.
Mingsoft MCMS - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
SQL injection vulnerability in Mingsoft MCMS up to 5.2.9 via the sqlWhere parameter in /cms/category/list.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Apply the vendor-supplied patch or update to the latest version.
Mingsoft MCMS 5.2.9 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
Mingsoft MCMS v5.2.9 contains a SQL injection caused by unsanitized categoryType parameter at /content/list.do, letting attackers execute arbitrary SQL commands, exploit requires crafted input.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
Remediation
Update to the latest version of Mingsoft MCMS or apply security patches that sanitize input parameters.
Mingsoft MCMS v5.2.7 - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1464851260"Description
Mingsoft MCMS v5.2.7 contains an SQL injection vulnerability via /cms/content/list that allows unauthenticated attackers to execute arbitrary SQL commands on the affected database server.
Impact
Unauthenticated attackers can execute arbitrary SQL commands through the categoryId parameter in /cms/content/list, potentially extracting sensitive database information, modifying data, or compromising the entire Mingsoft MCMS database.
Remediation
Upgrade Mingsoft MCMS to version 5.2.8 or later, which contains patches for this vulnerability.
Minio Default Login
runzero-match
service["http.body"] matches "symfony Profiler"Description
Minio default admin credentials were discovered.
Mirantis Kubernetes Engine Panel - Detect
runzero-match
service["http.body"] matches "(?i)Mirantis Kubernetes Engine"Description
Mirantis Kubernetes Engine panel was detected.
Mirth Connect - Default Admin Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mirth Connect"})Description
Detected Mirth Connect was using default credentials admin:admin. Mirth Connect is a widely used healthcare integration engine for HL7, FHIR, and other medical data standards.
MistServer Installation Wizard - Exposure
Author: DhiyaneshDkAdded: Mar 24, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MistServer"})Description
MistServer installation/setup wizard is publicly accessible, allowing unauthorized users to create admin accounts and take full control of the streaming server. This is a first-user-wins vulnerability.
Impact
An attacker can create an admin account on unconfigured MistServer instances,
gaining full control over the streaming server configuration and content.
Mitel 6000 - Default Login
Author: matejsmyckaAdded: Sep 29, 2025
runzero-match
service["http.head.server"] matches "Aragorn Mitel"Description
This template detects the use of default credentials (admin:22222) on Mitel 6000 devices, which may allow unauthorized access to system information.
Mitel Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)mitel networks"Description
Mitel login panel was detected.
Mitel MiCollab - Arbitary File Read
runzero-match
service["http.body"] matches "(?i)Mitel Networks"Description
The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attacker to retrieve sensitive files.
Impact
Unauthenticated attackers can bypass authentication and exploit path traversal to read arbitrary files from the MiCollab server, exposing sensitive configuration, credentials, and system data.
Remediation
Update Mitel MiCollab according to MISA-2024-0029 advisory to address the authentication bypass and path traversal vulnerabilities.
Mitel MiCollab - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Mitel Networks"Description
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
Impact
Unauthenticated attackers can exploit path traversal to access sensitive user data, system configurations, and corrupt or delete information.
Remediation
Update Mitel MiCollab to a version later than 9.8 SP1 FP2 that patches CVE-2024-41713.
Mitel MiCollab - Information Disclosure & Denial of Service
runzero-match
service["http.body"] matches "(?i)MiCollab End User Portal"Description
Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 contain a vulnerability in the TP-240 component caused by improper handling, letting remote attackers obtain sensitive information and cause denial of service, exploit requires remote access.
Impact
Attackers can retrieve sensitive information and cause performance degradation or denial of service, including DDoS attacks.
Remediation
Update to version 9.4 SP1 FP1 or later for MiCollab, and latest version for MiVoice Business Express.
Mitel MiCollab <= 9.8.0.33 - SQL Injection
runzero-match
service["http.body"] matches "(?i)Mitel\" html:\"MiCollab"Description
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.
Impact
Unauthenticated attackers can execute arbitrary SQL queries to access sensitive information and execute arbitrary database and management operations.
Remediation
Update Mitel MiCollab to a version later than 9.8.0.33.
Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal
runzero-match
service["http.body"] matches "(?i)Mitel\" html:\"MiCollab"Description
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
Impact
An attacker can exploit this vulnerability to view, modify, or delete arbitrary files on the system, potentially leading to unauthorized access or data leakage.
Remediation
Apply the latest security patches or updates provided by Mitel to mitigate the vulnerability and prevent unauthorized access.
Mitel MiCollab Login Panel - Detect
Author: righettod,darsesAdded: Apr 7, 2024
runzero-match
service["http.body"] matches "(?i)MiCollab End User Portal" || service["favicon.ico.image.mmh3"] == "-1922044295"Description
Mitel MiCollab login panel was detected.
Mitel NuPoint Unified Messaging Panel - Detect
Author: s4e-ioAdded: Sep 10, 2025
runzero-match
service["http.body"] matches "(?i)mitel networks" || service["favicon.ico.image.mmh3"] == "-1922044295" || service["http.body"] matches "(?i)micollab end user portal"Description
Mitel NuPoint Unified Messaging login panel was detected.
Mobile Management Platform Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)移动管理平台-企业管理"})Description
Mobile Management Platform panel was detected.
MobileIron Core & Connector <= v10.6 & Sentry <= v9.8 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "967636089"Description
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier contain a vulnerability that allows remote attackers to execute arbitrary code via unspecified vectors.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete compromise of the MobileIron infrastructure.
Remediation
Upgrade MobileIron Core & Connector and Sentry to versions above v10.6 & v9.8 respectively
MobileIron Core - Remote Unauthenticated API Access
runzero-match
service["favicon.ico.image.mmh3"] == "362091310"Description
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain.
Impact
Remote attackers can exploit this vulnerability to gain unauthorized access to sensitive data and perform malicious actions.
Remediation
Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM)
MobileIron Sentry Panel - Detect
Author: pdteamAdded: Jul 26, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "967636089"Description
MobileIron Sentry panel was detected.
Mobotix - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Mobotix"})Description
Mobotix contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Modoboa < 2.1.0 - Improper Authorization
runzero-match
service["favicon.ico.image.mmh3"] == "1949005079" || service["http.body"] matches "(?i)modoboa"Description
Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.
Impact
Unauthenticated attackers can access sensitive configuration parameters including default passwords and authentication settings through the API endpoint, potentially compromising the entire email management system.
Remediation
Update Modoboa to version 2.1.0 or later that implements proper authorization checks for the parameters API endpoint.
Modoboa Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)modoboa" || service["favicon.ico.image.mmh3"] == "1949005079"Description
Modoboa login panel was detected.
Modular DS - Broken Access Control
runzero-match
service["http.body"] matches "(?i)/plugins/modular-connector/"Description
Modular DS = 2.5.1 contains a broken access control vulnerability caused by incorrect privilege assignment, letting attackers escalate their privileges, exploit requires no special conditions.
Impact
Attackers can escalate their privileges, potentially gaining unauthorized access to sensitive functions or data.
Remediation
Update to the latest version beyond 2.5.1.
Molgenis - Default Login
Author: ritikchaddhaAdded: Jul 8, 2025
runzero-match
service["http.body"] contains "MOLGENIS" || service["last.http.body"] contains "MOLGENIS"Description
Attempts to login to Molgenis using the default credentials (admin/admin). Successful login may indicate a security risk due to unchanged default credentials.
MongoDB Ops Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MongoDB Ops Manager"})Description
MongoDB Ops Manager login panel was detected.
Mongoose - NoSQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mongoose"})Description
NoSQL injection vulnerability in Mongoose < 8.9.5 affecting the populate() function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operators like $and, allowing execution of arbitrary JavaScript code on MongoDB server, bypassing authentication, and accessing sensitive administrative data.
Impact
Attackers can bypass authentication and execute arbitrary JavaScript code on MongoDB servers through nested $where operators in the populate() function, potentially accessing sensitive administrative data and compromising database integrity.
Remediation
Upgrade to Mongoose version 8.9.5 or later that properly blocks nested $where operators.
Monitorr Panel - Detect
Author: ritikchaddhaAdded: Apr 25, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-211006074"Monsta FTP - Detect
Author: rxeriumAdded: Nov 11, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Monsta FTP"})Description
Detects Monsta FTP web-based file manager interface.
Monstra Admin Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "419828698"Description
Monstra admin panel was detected.
Moodle LTI module Reflected - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Moodle"})Description
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.
Impact
Attackers can inject malicious JavaScript through the LTI module that executes in educators' or students' browsers, potentially stealing Moodle session credentials and accessing sensitive course information.
Remediation
Update Moodle to a patched version that properly sanitizes user input in the LTI module and prevents execution of injected scripts.
Moodle Workplace Login Panel - Detect
Author: righettodAdded: Mar 9, 2024
runzero-match
service["http.body"] matches "(?i)moodle"Description
Moodle workplace login panel was detected.
Morningstar ProStar MPPT Solar Charge Controller - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Prostar MPPT - Live Data"})Description
Morningstar ProStar MPPT is a solar charge controller with a built-in web server providing
live data monitoring for off-grid and industrial solar installations.
The exposed interface displays real-time array, battery, and load data without authentication.
Movable Type Pro Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)サインイン \\| movable type pro"})Description
Movable Type Pro login panel was detected.
Moxa MXview One - Network Management Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "MXview One Central Manager"})Description
Moxa MXview One is a network management platform for industrial Ethernet
infrastructure, OT network monitoring, and topology visualisation. It is
widely used in manufacturing, energy, and transportation to manage industrial
switches and routers.
Multiple Shipping Address Woocommerce < 2.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/multiple-shipping-address-woocommerce"Description
The Multiple Shipping Address Woocommerce plugin before 2.0 does not properly sanitize and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections.
Impact
Unauthenticated attackers can execute time-based blind SQL injection to extract database contents, potentially exposing sensitive WooCommerce customer and order data.
Remediation
Update the Multiple Shipping Address Woocommerce plugin to version 2.0 or later.
Munin Monitoring Dashboard - Exposure
Author: 0x_AkokoAdded: Dec 4, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Munin"})Description
Detected Munin monitoring dashboard, exposing system metrics and server statistics.
MyBB - Full Path Disclosure
Author: 0x_AkokoAdded: Jan 12, 2026
runzero-match
service["http.body"] matches "(?i)MyBB"Description
Detected MyBB forum software exposed the server's full filesystem path through PHP fatal errors when files that implemented interfaces were accessed without dependencies.
MyBB Installation Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mybb"})Description
MyBB installation panel was detected.
MyBB Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)mybb"})Description
MyBB login panel was detected.
MyQ Print Server Panel - Detect
Author: darsesAdded: Jun 21, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-924708843" || any(each(service["html.titles"]), {# matches "(?i)MyQ"}) || service["favicon.ico.image.mmh3"] == "864100810" || service["favicon.ico.image.mmh3"] == "784616151" || service["favicon.ico.image.mmh3"] == "-2012429205"MyStrom Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)myStrom"})Description
Mystrom panel was detected.
Mystic Stealer Panel - Detect
Author: pussycat0xAdded: Jul 7, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Mystic Stealer"})Description
Mystic Stealer panel were detected.
N-able N-central < 2024.2 - Authentication Bypass Detection
runzero-match
service["product"] contains "N-able:N-central"Description
N-central server versions prior to 2024.2 contain an authentication bypass in the user interface, letting attackers access restricted areas without proper credentials, exploit requires no specific conditions.
Impact
Attackers can access sensitive user interface features, potentially leading to unauthorized data access or control.
Remediation
Update to version 2024.2 or later.
N-central - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)N-central Login"})Description
N-central < 2025.4 can generate sessionIDs for unauthenticated users This issue affects N-central: before 2025.4.
Impact
Attackers can hijack sessions without authentication, potentially leading to unauthorized access.
Remediation
Update to version 2025.4 or later.
N-central Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)N-central Login"})Description
N-central login panel was detected.
N8n - Config
Author: icarotAdded: Sep 2, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)n8n.io*workflow automation"})Description
The `/rest/settings` endpoint in N8n was publicly exposed, which could have disclosed internal configuration details and sensitive application information.
NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NAKIVO"})Description
NAKIVO Backup & Replication is a data protection solution used for backing up and restoring virtualized and physical environments. A vulnerability has been identified in certain versions of NAKIVO Backup & Replication that allows an unauthenticated attacker to read arbitrary files on the underlying system.
Impact
Unauthenticated attackers can read arbitrary files from the NAKIVO Backup & Replication server.
Remediation
Update NAKIVO Backup & Replication to a version that patches CVE-2024-48248.
NConf Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nconf"})Description
NConf login panel was detected.
NETGEAR Routers - Authentication Bypass
runzero-match
service["http.head.wwwAuthenticate"] matches `(?i)^Basic realm="NETGEAR`Description
NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices are susceptible to authentication bypass via simple crafted requests to the web management server.
Impact
Successful exploitation of this vulnerability can lead to unauthorized configuration changes, network compromise, and potential exposure of sensitive information.
Remediation
Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.
NETGEAR Routers - Remote Code Execution
runzero-match
service["http.head.wwwAuthenticate"] matches `(?i)^Basic realm="NETGEAR`Description
NETGEAR routers R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly others allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected router, potentially leading to unauthorized access, data theft, or network compromise.
Remediation
Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.
NI Web-based Configuration & Monitoring - Detect
Author: DhiyaneshDK,matejsmyckaAdded: Sep 24, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NI Web-based Configuration & Monitoring"}) || service["favicon.ico.image.mmh3"] == "1192389544"NP Data Cache Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NP Data Cache"})Description
NP Data Cache panel was detected.
NPS - Authentication Bypass
Author: SleepingBag945Added: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)window\\.nps"Description
This will reveal all parameters configured on the NPS, including the account username and password of the proxy.
NPort Web Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NPort Web Console"})Description
NPort Web Console login panel was detected.
NS-ASG Application Security Gateway 6.3 - Sql Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)“NS-ASG”"})Description
A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Impact
Authenticated attackers can extract sensitive database information via SQL injection in the NS-ASG Application Security Gateway.
Remediation
Update NS-ASG Application Security Gateway to a version newer than 6.3.
NSQ Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nsqadmin"})Description
NSQ admin panel was detected.
NUUO NVRmini - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NUUO"})Description
NUUO NVRmini is vulnerable to unauthenticated remote command execution through the upgrade_handle.php file. The vulnerability allows an attacker to execute arbitrary commands by manipulating the uploaddir parameter.
Impact
Unauthenticated attackers can execute arbitrary commands on the NUUO NVRmini device by manipulating the uploaddir parameter in upgrade_handle.php, leading to complete device compromise and potential unauthorized access to video surveillance systems and recordings.
Remediation
Update NUUO NVRmini to a patched version later than the 2016 firmware that properly validates the uploaddir parameter and restricts command execution.
NZBGet Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)nzbget"Description
NZBGet login panel was detected.
Nacos - Information Disclosure
Author: s4e-ioAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nacos"})Description
Nacos unauthorized download of configuration information.
NagVis Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)nagvis"Description
NagVis login panel was detected.
Nagios Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nagios Core"})Description
Nagios default admin credentials were discovered.
Nagios Log Server - Detect
Author: ritikchaddhaAdded: Oct 24, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1460499495"Description
Detects the presence of Nagios Log Server by identifying specific response patterns, HTTP headers, or unique page elements.
Nagios Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios"})Description
Nagios login panel was detected.
Nagios XI Default Admin Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "Nagios XI"})Description
Nagios XI default admin login credentials were detected.
Nagios XI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
Nagios XI login panel was detected.
NagiosXI <= 5.4.12 - SQL injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
Impact
Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
Remediation
Upgrade to Nagios XI version 5.4.13 or later.
NagiosXI <= 5.4.12 `commandline.php` SQL injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.
Impact
Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
Remediation
Upgrade to Nagios XI version 5.4.13 or later.
NagiosXI <= 5.4.12 logbook.php SQL injection
runzero-match
service["favicon.ico.image.mmh3"] == "1460499495" || any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.
Impact
Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
Remediation
Upgrade to Nagios XI version 5.4.13 or later.
NagiosXI <= 5.4.12 menuaccess.php - SQL injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nagios xi"})Description
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.
Impact
Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
Remediation
Upgrade to Nagios XI version 5.4.13 or later.
Navicat On-Prem Server Panel - Detect
Author: ritikchaddhaAdded: Aug 21, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "598296063"Description
Navicat On-Prem Server is an on-premise solution that provides you with the option to host a cloud environment for storing Navicat objects internally at your location. In our On-Prem environment, you can enjoy complete control over your system and maintain 100% privacy. It is secure and reliable that allow you to maintain a level of control that the cloud often cannot.
Navidrome <=0.54.5 - Authentication Bypass in Subsonic API
runzero-match
service["http.body"] matches "(?i)content=\"Navidrome"Description
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.
Impact
Attackers can bypass authentication using non-existent usernames and empty password hashes to gain read-only access to user playlists and other data through Subsonic API endpoints.
Remediation
Upgrade to Navidrome version 0.54.5 or later that properly validates authentication credentials.
Ncast busiFacade - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)高清智能录播系统"})Description
The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.
Impact
Allows remote attackers to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Neo4j Browser - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)neo4j browser"})Description
The Neo4j Browser has been detected.
Neobox Web Server Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)NeoboxUI"Description
Neobox Web Server login panel was detected.
NetAlert X - Arbitary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netalert x"})Description
A directory traversal vulnerability has been identified in NetAlertX versions v24.7.18 - v24.9.12.
Impact
This vulnerability allows remote attackers to list directories on the affected system. Successful exploitation could enable unauthorized users to explore the system’s internal structure.
Remediation
Fixed in v24.10.12
NetBox - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetBox"}) && service["http.body"] contains "netbox-community"Description
Detected that NetBox was using the default credentials admin:admin. The official netbox-docker deployment set SUPERUSER_NAME=admin and SUPERUSER_PASSWORD=admin by default.
NetMRI < 7.6.1 - Authentication Bypass via Hardcoded Credentials
runzero-match
service["favicon.ico.image.mmh3"] == "-319724102"Description
An issue was discovered in Infoblox NETMRI before 7.6.1. Authentication Bypass via a Hardcoded credential can occur.
Impact
Attackers can bypass authentication using hardcoded credentials to access administrative functions and read sensitive system files including /etc/shadow.
Remediation
Upgrade to Infoblox NetMRI version 7.6.1 or later and change all default credentials immediately.
NetMRI Unauthenticated SQL Injection via skipjackUsername
runzero-match
service["favicon.ico.image.mmh3"] == "-319724102"Description
An issue was discovered in Infoblox NETMRI before 7.6.1. Unauthenticated SQL Injection can occur.
Impact
Unauthenticated attackers can extract sensitive data including encrypted passwords through SQL injection in the skipjackUsername parameter, potentially leading to complete system compromise.
Remediation
Upgrade to Infoblox NetMRI version 7.6.1 or later that properly sanitizes SQL input parameters.
NetMizer LogManagement System Data - Directory Exposure
Author: DhiyaneshDkAdded: Aug 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetMizer"})Description
Directory Exposure vulnerability in the NetMizer log management system of Beijing Lingzhou Network Technology Co., Ltd. Due to the loose control of /data, attackers can use this vulnerability to obtain sensitive information.
NetMizer LogManagement System cmd.php - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetMizer"})Description
Remote Command Execution vulnerability in the NetMizer log management system cmd.php, and the attacker can execute the command by passing in the cmd parameter.
NetSUS Server Default Login
runzero-match
any(each(service["html.titles"]), {# matches "NetSUS Server Login"})Description
NetSUS Server default admin credentials were discovered.
NetSUS Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetSUS Server Login"})Description
NetSUS Server login panel was detected.
NetScaler Console - Panel
Author: DhiyaneshDkAdded: Apr 23, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetScaler Console"})Description
NetScaler Console login panel was discovered.
NetScaler Console - Sensitive Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NetScaler Gateway"})Description
Sensitive information disclosure in NetScaler Console
Impact
Attackers can access sensitive information including session secrets and administrative credentials from the NetScaler Console without proper authentication.
Remediation
Apply the patches specified in Citrix advisory CTX677998 to address the information disclosure vulnerability in NetScaler Console.
Netdata Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netdata dashboard"})Description
Netdata Dashboard panel was detected.
Netdata Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netdata dashboard"}) || any(each(service["html.titles"]), {# matches "(?i)Netdata Console"}) || service["http.head.server"] matches "netdata embedded http server"Description
Netdata panel was discovered.
Netdisco Admin - Default Login
Author: ritikchaddhaAdded: Oct 7, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Netdisco"})Description
Detects use of hard-coded credentials in Netdisco.
Impact
Attackers can potentially exploit this vulnerability to gain unauthorized access to sensitive information.
Remediation
Update the application to remove hard-coded credentials and implement secure credential management practices.
Netentsec NS-ICG - Default Login
runzero-match
service["http.head.server"] matches "(?i)netentsec"Description
Netentsec NS-ICG contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Netflix Conductor UI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)conductor ui"})Description
Netflix Conductor UI panel was detected.
Netflow Analyzer - Default Login
Author: DhiyaneshDKAdded: Jul 18, 2024
runzero-match
service["http.body"] matches "Login - Netflow Analyzer"Description
Netflow Analyzer default login was discovered.
Netflow Analyzer Login - Panel
Author: DhiyaneshDkAdded: Jul 18, 2024
runzero-match
service["http.body"] matches "(?i)Login - Netflow Analyzer"Netgear DGN2200 - Improper Authentication
runzero-match
any(each(service["html.titles"]), {# matches "(?i)DGN2200"})Description
A vulnerability in the Netgear DGN2200 router with firmware version v1.0.0.46 and earlier permits unauthorized individuals to bypass the authentication. When adding "?x=1.gif" to the requested url, it will be recognized as passing the authentication.
Impact
Attackers on the local network can bypass authentication by appending '?x=1.gif' to URLs, gaining unauthorized access to administrative functions and router configuration.
Remediation
Update Netgear DGN2200 router to firmware version later than v1.0.0.46 that addresses the authentication bypass vulnerability.
Netgear WNR614 - Improper Authentication
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WNR614"})Description
A vulnerability in the Netgear WNR614 router permits unauthorized individuals to bypass the authentication. When adding "%00currentsetting.htm" to the the requested url, it will be recognized as passing the authentication.
Netgear-WN604 downloadFile.php - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Netgear"})Description
There is an information leakage vulnerability in the downloadFile.php interface of Netgear WN604. A remote attacker using file authentication can use this vulnerability to obtain the administrator account and password information of the wireless router, causing the router's background to be controlled. The attacker can initiate damage to the wireless network or further threaten it.
Impact
Unauthenticated attackers can download configuration files containing administrator account and password information, enabling complete router compromise.
Remediation
Update Netgear WN604 to the latest firmware version that addresses the information disclosure vulnerability in downloadFile.php.
Netis Wifi Router - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Netis"})Description
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the mode_name, wl_link parameters of the skk_get.cgi component.
Impact
Unauthenticated attackers can access sensitive router configuration information including network settings and credentials.
Remediation
Update affected Netis router models to versions that patch the information disclosure vulnerability.
Netmaker - Hardcoded DNS Secret Key
runzero-match
service["http.body"] matches "(?i)netmaker"Description
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints.
Impact
Unauthenticated attackers can access DNS API endpoints using the hardcoded secret key, potentially manipulating DNS configurations and redirecting WireGuard network traffic in the Netmaker VPN infrastructure.
Remediation
Update Netmaker to version 0.17.1 or 0.18.6 or later that removes hardcoded credentials and implements proper authentication for DNS API endpoints.
Netris Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Netris Dashboard"})Description
Netris Dashboard panel was detected.
Netsparker Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Sign in to Netsparker Enterprise"})Description
Netsparker login panel was detected.
Network Technologies Inc ENVIROMUX - Default Login
Author: M.Sarmad ShafiqAdded: May 14, 2025
runzero-match
service["http.body"] matches "ENVIROMUX"Description
The ENVIROMUX environment monitoring system from Network Technologies Inc was found to be using its default login credentials. This default configuration could have allowed unauthorized users to gain access to the web management interface without authentication, potentially leading to information disclosure or unauthorized control over environmental monitoring systems.
Newspaper Theme 6.4–6.7.1 - Privilege Escalation
runzero-match
service["http.body"] matches "(?i)wp-content/themes/mTheme-Unus/"Description
Newspaper Theme versions 6.4 to 6.7.1 for WordPress lacked proper options access control through td_ajax_update_panel, which led to a Privilege Escalation vulnerability.
Impact
Unauthenticated attackers can escalate their privileges to administrator level, allowing complete control over the WordPress site including content manipulation, user management, and potential site takeover.
Remediation
Update to Newspaper Theme version 6.7.2 or later.
Next Terminal - Default Login
Author: ritikchaddhaAdded: Apr 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Next Terminal"})Description
Next Terminal default login was discovered.
Next.js <9.3.2 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/_next/static"Description
Next.js versions before 9.3.2 are vulnerable to local file inclusion. An attacker can craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
This issue is fixed in version 9.3.2.
Next.js Cache Poisoning
Author: Ice3man543Added: Apr 23, 2025
runzero-match
service["http.body"] matches "(?i)/_next/static"Description
Next.js is vulnerable to cache poisoning through the x-middleware-prefetch and x-invoke-status headers. This can result in DoS by serving an empty JSON object or error page instead of the intended content, affecting SSR responses.
NextGEN Gallery <= 3.59 - Missing Authorization to Unauthenticated Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/nextgen-gallery/"Description
The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthenticated attackers to extract sensitive data including EXIF and other metadata of any image uploaded through the plugin.
Impact
Unauthenticated attackers can perform unauthorized actions within the NextGEN Gallery plugin.
Remediation
Update NextGEN Gallery to version 3.60 or later.
NextcloudPi Login - Panel
Author: ritikchaddhaAdded: Jun 3, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NextcloudPi"})Description
Detects the presence of a NextcloudPi login page. NextcloudPi is a ready-to-use Nextcloud instance for Raspberry Pi.
Nexus Default Login
runzero-match
service["http.head.setCookie"] contains "NXSESSIONID"Description
Nexus default admin credentials were discovered.
Nexus Login Panel - Detect
Author: righettodAdded: Mar 10, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Sonatype Nexus Repository"})Description
Nexus login panel was detected.
Nexus Repository Manager - Anonymous Access Enabled
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nexus Repository Manager"})Description
Detected Nexus Repository Manager instance with anonymous access enabled, allowing unauthenticated users to list and browse repositories containing private artifacts including source code, packages, and Docker images.
Nginx Admin Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nginx admin manager"})Description
Nginx Admin Manager login panel was detected.
Nginx Proxy Manager - Default Login
Author: barttran2000Added: Sep 16, 2024
runzero-match
service["http.body"] matches "Nginx Proxy Manager"Description
Default Nginx Proxy Manager credentials was discovered.
Nginx Proxy Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nginx Proxy Manager"})Description
Nginx Proxy Manager login panel was detected.
Nginx UI - Broken Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nginx UI"})Description
Network attackers can fully control nginx service, including config modification and service restart, leading to complete service takeover.
Impact
An unauthenticated attacker with a valid MCP session ID can inject arbitrary nginx configurations,create reverse proxies for credential theft, and achieve remote code execution via nginx config primitives.
Remediation
Upgrade to nginx-ui v2.3.4 or later which adds AuthRequired() to /mcp_message.
Nginx UI < 2.3.3 - Information Disclosure
runzero-match
service["product"] contains "Nginx UI:Nginx UI"Description
Nginx UI < 2.3.3 contains an information disclosure vulnerability caused by unauthenticated access to /api/backup endpoint exposing encryption keys in X-Backup-Security header, letting unauthenticated attackers download and decrypt full system backups.
Impact
Unauthenticated attackers can access and decrypt full system backups, exposing sensitive data including credentials and private keys.
Remediation
Upgrade to version 2.3.3 or later.
Nginx UI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nginx ui"})Description
Nginx UI panel was detected.
Ninja Tables <4.1.9 - Unauthenticated Arbitrary File Read
Author: xbow,DhiyaneshDkAdded: Jul 15, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ninja-tables/"Description
The Ninja Tables plugin for WordPress (versions < 4.1.9) is vulnerable to an unauthenticated arbitrary file download vulnerability. The issue exists due to the improper validation of the 'url' parameter in the 'ninja_table_force_download' AJAX action.
Impact
An unauthenticated attacker can download sensitive files from the server, such as '/etc/passwd' or '/wp-config.php', potentially exposing sensitive information including database credentials.
Remediation
Update the Ninja Tables plugin to version 4.1.9 or later.
NoEscape Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)NoEscape - Login"})Description
NoEscape login panel was detected.
NocoBase - Default Login
Author: Fur1na, icarotAdded: Apr 22, 2025
runzero-match
any(each(service["http.bodies"]), {# matches "'NOCOBASE_'"})Description
NocoBase default login was discovered.
NocoDB Panel - Detect
Author: userdehghaniAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "206985584"Description
NocoDB Login panel was discovered.
NocoDB version <= 0.106.1 - Arbitrary File Read
runzero-match
service["favicon.ico.image.mmh3"] == "-2017596142"Description
NocoDB through 0.106.1 has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.
Impact
The vulnerability can lead to unauthorized access to sensitive information, potentially exposing user credentials, database contents, and other confidential data.
Remediation
Upgrade NocoDB to a version higher than 0.106.1 to mitigate the vulnerability.
Node RED Dashboard <2.26.2 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Node-RED"})Description
NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.
Impact
An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
Remediation
Upgrade Node RED Dashboard to version 2.26.2 or later to mitigate the vulnerability.
Node-Red - Default Login
Author: savikAdded: Jan 21, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "321591353"Description
Allows attacker to log in and execute RCE on the Node-Red panel using the default credentials.
Node.js REPL History Disclosure
Author: pussycat0xAdded: Dec 18, 2025
runzero-match
service["http.body"] matches "(?i)\\.node_repl_history"Description
The Node.js REPL history file (.node_repl_history) was exposed, which had contained a log of commands entered into the Node.js interactive shell.
NodeBB XML-RPC Request xmlrpc.php - XML Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nodebb"})Description
A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.
Impact
Unauthenticated attackers can inject arbitrary PHP code through crafted XML-RPC requests to the xmlrpc.php endpoint, potentially gaining full control over the NodeBB forum server and accessing user data.
Remediation
Update NodeBB to version 1.18.6 or later that properly validates and sanitizes XML-RPC input to prevent code injection attacks.
Nodogsplash - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenWRT"})Description
Nodogsplash product was affected by a directory traversal vulnerability that also impacted the OpenWrt product. This vulnerability was addressed in Nodogsplash version 5.0.1. Exploiting this vulnerability, remote attackers could read arbitrary files from the target system.
Impact
An attacker can exploit this vulnerability to view, modify, or delete sensitive files on the system, potentially leading to unauthorized access, data leakage, or system compromise.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Nordex Control Wind Farm Portal Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Nordex Control"Description
Nordex Control Wind Farm Portal login panel was detected.
Normhost Backup Server Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Normhost Backup server manager"})Description
Normhost Backup server manager panel was detected.
Nortek Linear eMerge E3-Series - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Linear eMerge"})Description
Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a SQL injection vulnerability via the idt parameter.
Impact
Unauthenticated attackers can exploit SQL injection in the idt parameter to extract sensitive access control data including badge information, user credentials, and building security configurations from the eMerge access control system.
Remediation
Update Nortek Linear eMerge E3-Series firmware to a patched version that uses parameterized queries and properly sanitizes the idt parameter.
Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emerge"}) || any(each(service["html.titles"]), {# matches "(?i)linear emerge"})Description
Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Upgrade to a patched version of Nortek Linear eMerge E3-Series (>=0.32-08f) to mitigate this vulnerability.
Nortek Linear eMerge Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emerge"})Description
Nortek Linear eMerge panel was detected.
NotificationX <= 2.8.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/notificationx"Description
The NotificationX - Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can extract sensitive database information including usernames, passwords, and other confidential data via time-based SQL injection.
Remediation
Update NotificationX plugin to version 2.8.3 or later.
NotificationX Dropshipping < 4.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/woocommerce-dropshipping"Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection
Impact
Unauthenticated attackers can exploit time-based SQL injection through the REST endpoint to extract sensitive WooCommerce data including customer information, order details, and payment records.
Remediation
Update NotificationX Dropshipping plugin to version 4.4 or later that properly sanitizes and escapes parameters in REST endpoints.
Nozomi Guardian Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Please Login \\| Nozomi Networks Console"})Description
Nozomi Guardian login panel was detected.
Nsfocus - Arbitrary User Login
Author: ritikchaddhaAdded: Sep 10, 2024
runzero-match
service["http.body"] matches "(?i)/needUsbkey\\.php\\?username="Description
Nsfocus bastion host has an arbitrary user login vulnerability. Attackers can use the vulnerability to log in any user by including www/local_user.php
Nuxeo Platform Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Nuxeo Platform"})Description
Nuxeo Platform login panel was detected.
O2 Router Setup Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)O2 Easy Setup"})Description
O2 router setup panel was detected.
O2OA - Default Login
Author: SleepingBag945Added: Aug 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "O2OA"})Description
O2OA is an open source and free enterprise and team office platform. It provides four major platforms portal management, process management, information management, and data management. It integrates many functions such as work reporting, project collaboration, mobile OA, document sharing, process approval, and data collaboration. Meet various management and collaboration needs of enterprises.
OCS Inventory Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OCS Inventory"})Description
OCS Inventory login panel was detected.
OKIOK S-Filer Portal Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)S-Filer"})Description
OKIOK S-Filer Portal login panel was detected.
OLT Web Management Interface Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OLT Web Management Interface"})Description
OLT Web Management Interface login panel was detected.
OLYMPIC Banking System Login Panel - Detect
Author: righettodAdded: Oct 22, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)olympic banking system"})Description
OLYMPIC Banking System was detected.
OPNsense Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1148190371" || service["favicon.ico.image.mmh3"] == "-1068289244" || any(each(service["html.titles"]), {# matches "(?i)\\| OPNsense"}) || service["http.head.server"] matches "OPNsense"Description
OPNsense panel was detected.
OSASI Login - Panel
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
service["http.body"] matches "(?i)/css/osasiasp\\.css"Description
OSASI Login panel was discovered.
OSASI PLC - Default Login
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-268676052"Description
Detected OSASI PLC web interface accessible with default credentials, potentially allowing unauthorized administrative access to industrial control systems.
OSIsoft PI Vision - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^PI Vision"})Description
OSIsoft PI Vision (now AVEVA PI Vision) is a web-based data visualisation
platform for the PI System, widely used in energy, utilities, oil and gas,
and manufacturing for real-time operational data monitoring. Exposed instances
may provide access to sensitive operational technology data.
OSNEXUS QuantaStor Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OSNEXUS QuantaStor Manager"})Description
OSNEXUS QuantaStor Manager login panel was detected.
OTOBO Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)otobo"})Description
OTOBO login panel was detected.
OcoMon Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)ocomon"Description
a tiny helpdesk system written in php
OctoberCMS - Default Admin Discovery
runzero-match
service["favicon.ico.image.mmh3"] == "3823102"Description
OctoberCMS default admin credentials were discovered.
Odoo - Database Manager Discovery
Author: __Fazal,R3dg33kAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)odoo"})Description
Odoo database manager was discovered.
Odoo - Panel Detect
Author: DhiyaneshDK,righettodAdded: May 17, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)odoo"})Odoo Apps - Cross-Site Scripting via Prototype Pollution
runzero-match
service["http.body"] matches "(?i)Odoo"Description
jquery-bbq 1.2.1 contains a prototype pollution caused by improperly controlled modification of object prototype attributes, letting malicious users inject properties into Object.prototype, exploit requires malicious user interaction.
Impact
Attackers can modify Object.prototype, leading to potential security issues like property overwrites and application behavior manipulation.
Remediation
Update to the latest version of jquery-bbq that addresses this vulnerability or apply patches to prevent prototype pollution.
Odoo OpenERP Database Selector Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)odoo"})Description
Odoo OpenERP database selector panel was detected.
Office Web Apps Server Panel - Detect
runzero-match
service["http.body"] matches "(?i)provide a link that opens word"Description
Microsoft Office Web App Login Panel was discovered.
OfficeKeeper Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-800060828"Description
OfficeKeeper admin login panel was detected.
Okta Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)okta"})Description
Okta login panel was detected.
Omnia MPX 1.5.0+r1 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Omnia MPX Node \\| Login"})Description
Telos Alliance Omnia MPX Node through 1.5.0+r1 is vulnerable to local file inclusion via logs/downloadMainLog. By retrieving userDB.json allows an attacker to retrieve cleartext credentials and escalate privileges via the control panel.
Impact
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of Omnia MPX.
Omnia MPX Node Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Omnia MPX"Description
Omnia MPX Node login panel was detected.
Omnissa Workspace ONE UEM - Path Traversal
Author: DhiyaneshDK,slcyberAdded: Aug 30, 2025
runzero-match
service["http.body"] matches "(?i)/airwatch/default\\.aspx"Description
Omnissa Workspace ONE UEM contains a path traversal caused by crafted GET requests to restricted API endpoints, letting malicious actors access sensitive information, exploit requires sending crafted requests.
Impact
Malicious actors can access sensitive information by exploiting path traversal in API endpoints.
Remediation
Update to the latest version.
OneDev < 4.0.3 - User Access Token Leak
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OneDev"})Description
OneDev before version 4.0.3 contains an insecure endpoint that allows retrieval of arbitrary user details, including access tokens, due to missing security checks on /users/{id}, letting attackers leak sensitive data and impersonate users, exploit requires no special conditions.
Impact
Attackers can access sensitive user data and tokens, leading to impersonation, data leaks, and potential full account compromise.
Remediation
Update to version 4.0.3 or later where user info is removed from the REST API.
OneDev Panel - Detect
Author: vultzaAdded: Oct 28, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OneDev"})Description
OneDev is a Git Server with CI/CD, Kanban, and Packages.
OneDev.io < 11.0.9 - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)onedev\\.io"Description
Files on the host computer can be accessed by directory traversal.
Impact
An attacker would be able to view the contents of a file on the computer.
Remediation
Update to version 11.0.9.
Open Game Panel Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Open Game Panel"})Description
Open Game Panel login panel was detected.
Open Virtualization Userportal & Webadmin Panel Detection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ovirt-Engine"})Description
Open Virtualization Userportal & Webadmin panels were detected. Open Virtualization Manager is an open-source distributed virtualization solution designed to manage enterprise infrastructure. oVirt uses the trusted KVM hypervisor and is built upon several other community projects, including libvirt, Gluster, PatternFly, and Ansible.
Open Web Analytics Login - Detect
Author: DhiyaneshDKAdded: Sep 17, 2024
runzero-match
service["http.body"] matches "(?i)OWA CONFIG SETTINGS"Description
Detects the presence of Open Web Analytics login page.
Open WebUI - Default Login
Author: matejsmyckaAdded: Nov 18, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-286484075"Description
Detected the presence of an OpenWebUI panel with default credentials (admin@localhost/admin). Successful authentication using these default credentials allows attackers to access the admin interface and potentially perform remote code execution by defining a custom "tool".
OpenAM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openam"})Description
OpenAM login panel was detected.
OpenBao Web UI Panel - Detect
Author: ritikchaddhaAdded: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenBao"})Description
Detects the presence of the OpenBao web console.
OpenBullet 2 - Panel
Author: MaStErChOAdded: Jun 25, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1264095219"Description
Openbullet was detected.
OpenCATS - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opencats"})Description
OpenCATS contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
OpenCATS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opencats"})Description
OpenCATS login panel was detected.
OpenCMS 14 & 15 - Cross Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opencms"})Description
Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.
Impact
Unauthenticated attackers can inject malicious JavaScript through multiple parameters in OpenCMS Mercury template pages to steal user session cookies and execute attacks against OpenCMS users.
Remediation
Update to version OpenCMS 16
OpenCart Core 4.0.2.3 'search' - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenCart"})Description
Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenCart Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)opencart"Description
OpenCart login panel was detected.
OpenCode < 1.0.216 - Unauthenticated Remote Code Execution
runzero-match
service["http.body"] matches "(?i)opencode"Description
OpenCode versions prior to 1.0.216 contain an unauthenticated remote code execution vulnerability. The application exposes session and shell execution endpoints without proper authentication, allowing remote attackers to create sessions and execute arbitrary shell commands on the underlying server.
Impact
Unauthenticated attackers can execute arbitrary commands on the server, potentially leading to full system compromise.
Remediation
Upgrade OpenCode to version 1.0.216 or later.
OpenEMR - Default Admin Discovery
runzero-match
service["http.body"] matches "OpenEMR"Description
OpenEMR default admin credentials were discovered.
OpenEMR Product Registration Panel - Detect
runzero-match
service["http.body"] matches "(?i)openemr" || any(each(service["html.titles"]), {# matches "(?i)openemr"}) || service["favicon.ico.image.mmh3"] == "1971268439"Description
OpenEMR Product Registration panel was detected.
OpenEdge Login Panel - Detect
Author: rxeriumAdded: Aug 13, 2024
runzero-match
service["http.body"] matches "(?i)Welcome to Progress Application Server for OpenEdge"Description
An OpenEdge login panel was detected.
OpenEnergyMonitor emonCMS - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Emoncms - user login"})Description
emonCMS is an open-source energy monitoring web application by OpenEnergyMonitor,
used in homes and small businesses to track electricity, gas, and temperature.
The login page is commonly exposed on port 80, 443, or 8010.
OpenHands Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenHands"})Description
OpenHands (formerly OpenDevin) was detected. OpenHands is an open-source AI software engineering agent platform that can write code, run commands, and perform development tasks autonomously. Exposed instances may allow unauthenticated access to the agent.
OpenLiteSpeed WebAdmin - Default Login
Author: 0x_AkokoAdded: Jan 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenLiteSpeed WebAdmin"})Description
Detected OpenLiteSpeed WebAdmin Console was using default credentials.
OpenMediaVault - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "OpenMediaVault"})OpenMetadata - Admin User Enumeration
Author: icarotAdded: Sep 11, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenMetadata"})Description
Enumerates the admin users registered on OpenMetadata server.
OpenObserve Login Panel - Detect
Author: righettodAdded: Dec 18, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenObserve"})Description
OpenObserve products was detected.
OpenPLC Webserver v3 - Default Login
Author: machevalia,shriyanssAdded: Jun 25, 2025
runzero-match
service["http.body"] matches "(?i)OpenPLC"Description
Identifies default credentials (openplc:openplc) on OpenPLC Webserver v3, allowing unauthorized access to the web interface.
OpenProject - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenProject"})Description
Detected OpenProject was found using the default administrator credentials admin:admin. An attacker could gain full administrative control, including user management, project data, and system configuration.
OpenProject < 12.5.4 - Project Identifiers Exposure
runzero-match
service["http.body"] matches "(?i)OpenProject"Description
OpenProject versions before 12.5.6 generate a publicly accessible robots.txt file revealing project identifiers, even if the instance is set to 'Login required', letting attackers gather project info, exploit requires no authentication.
Impact
Attackers can enumerate project identifiers, potentially aiding targeted attacks or information gathering.
Remediation
Upgrade to version 12.5.6 or later, or apply the provided patch to versions above 10.0.
OpenSCADA - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^OpenSCADA"})Description
OpenSCADA is an open-source SCADA (Supervisory Control and Data Acquisition)
system. Exposed instances may provide access to industrial control interfaces
and operational technology (OT) data without authentication.
OpenSIS 7.3 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opensis"})Description
OpenSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
Remediation
Apply the latest security patch or upgrade to a patched version of OpenSIS.
OpenSIS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opensis"})Description
OpenSIS login panel was detected.
OpenSearch Dashboard Panel - Detect
Author: ritikchaddhaAdded: Jun 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpenSearch"})Description
OpenSearch Dashboard is a visualization and management tool for OpenSearch. This template detects the presence of the OpenSearch Dashboard login panel, which is the default authentication interface for accessing the dashboard.
OpenSign Login Panel - Detect
Author: righettodAdded: Jun 23, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opensign"})Description
OpenSign Login panel was discovered.
OpenText Content Server Login Panel - Detect
Author: righettodAdded: Feb 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Content Server"})Description
OpenText Content Server products was detected.
OpenVPN Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openvpn-admin"}) || service["http.body"] matches "(?i)router management - server openvpn"Description
OpenVPN Admin login panel was detected.
OpenVPN Connect Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openvpn connect"})Description
OpenVPN Connect panel was detected.
OpenVPN Server Router Management Panel - Detect
runzero-match
service["http.body"] matches "(?i)router management - server openvpn" || any(each(service["html.titles"]), {# matches "(?i)openvpn-admin"})Description
OpenVPN Server Router Management Panel was detected.
OpenVZ Web Panel Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1898583197"Description
OpenVZ Web Panel login panel was detected.
OpenVas Login Panel - Detect
Author: rxeriumAdded: Feb 27, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1606029165"Description
An OpenVas Admin login panel was detected.
OpenX/Revive Adserver Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)revive adserver"}) || service["favicon.ico.image.mmh3"] == "106844876"Description
OpenX login panel was detected. Note that OpenX is now a Revive Adserver.
Openfire Admin Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openfire admin console"}) || any(each(service["html.titles"]), {# matches "(?i)openfire"})Description
Openfire Admin Console login panel was detected.
Openfire Administration Console - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openfire"}) || any(each(service["html.titles"]), {# matches "(?i)openfire admin console"}) || service["http.body"] matches "(?i)welcome to openfire setup"Description
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.
Impact
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the Openfire Administration Console.
Remediation
The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
Opentwrt Login / Configuration Interface
Author: For3stCo1d,TechbrunchFRAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openwrt - luci"})Opentwrt luCI - Admin Login Page
Author: For3stCo1dAdded: Dec 2, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openwrt - luci"})Description
An Opentwrt admin login page was discovered.
Openweb UI Panel - Detect
Author: rxerium,righettodAdded: May 6, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-286484075"Description
OpenWebUI was detected - a platform for running AI on your own terms
Opinio Login Panel - Detect
Author: righettodAdded: Feb 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Opinio"})Description
Opinio login panel was detected.
Opsview Monitor Pro - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Opsview"})Description
Opsview Monitor Pro prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch is vulnerable to unauthenticated local file inclusion and can be exploited by issuing a specially crafted HTTP GET request utilizing a simple bypass.
Impact
An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Upgrade to the latest version of Opsview Monitor Pro to fix the local file inclusion vulnerability.
Opto 22 groov - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)<i>groov</i> is a registered trademark of Opto 22.`Description
Opto 22 groov is an IIoT and industrial automation platform providing browser-based
HMI and edge computing capabilities. The groov View and groov Admin interfaces allow
control of industrial devices and data acquisition systems. Exposed instances may
provide unauthenticated access to industrial control panels.
Oracle ADF Faces Deserialization of Untrusted Data Vulnerability
runzero-match
service["product"] matches "(?i)Oracle:WebLogic"Description
Vulnerability in versions 12.2.1.3.0 and 12.2.1.4.0 of the Oracle Application Development
Framework (ADF) component of Oracle Fusion Middleware that allows for unauthenticated
attackers to remotely execute arbitrary code.
Remediation
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Oracle Access Management Login Panel - Detect
Author: righettodAdded: May 29, 2024
runzero-match
service["http.body"] matches "(?i)/oam/pages/css/login_page\\.css" || any(each(service["html.titles"]), {# matches "(?i)oracle access management"})Description
Oracle Access Management login panel was detected.
Oracle Access Manager - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle access management"}) || service["http.body"] matches "(?i)/oam/pages/css/login_page\\.css"Description
The Oracle Access Manager portion of Oracle Fusion Middleware (component: OpenSSO Agent) is vulnerable to remote code execution. Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. This is an easily exploitable vulnerability that allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches provided by Oracle to mitigate this vulnerability.
Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability
runzero-match
service["product"] contains "Oracle:Agile PLM Framework"Description
A vulnerability found within version 9.3.6 of the Oracle Agile PLM Framework allows an unauthenticated
attacker access to critical data or complete access to all Oracle Agile PLM Framework accessible data.
Remediation
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Oracle Application Server Panel - Detect
Author: righettodAdded: Jun 8, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Oracle Containers for J2EE"})Description
Oracle Application Server login panel was detected.
Oracle Business Intelligence Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle business intelligence sign in"})Description
Oracle Business Intelligence default admin credentials were discovered.
Oracle Business Intelligence Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle business intelligence sign in"})Description
Oracle Business Intelligence login panel was detected.
Oracle Commerce Business Control Center Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle commerce"})Description
Oracle Commerce Business Control Center login panel was detected.
Oracle E-Business Suite 12.2.3–12.2.14 – Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)E-Business Suite"})Description
Oracle Concurrent Processing 12.2.3-12.2.14 contains a remote code execution caused by unauthenticated network access via HTTP, letting unauthenticated attackers fully compromise the system, exploit requires network access via HTTP.
Impact
Unauthenticated attackers can fully compromise Oracle Concurrent Processing, leading to complete system takeover.
Remediation
Update to the latest available version beyond 12.2.14.
Oracle E-Business Suite <=12.2 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login\" \"x-oracle-dms-ecid"}) || service["http.body"] matches "(?i)oracle uix"Description
Oracle E-Business Suite (component: Manage Proxies) 12.1 and 12.2 are susceptible to an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise it by self-registering for an account. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the Oracle E-Business Suite application.
Remediation
Apply the necessary security patches or updates provided by Oracle to mitigate this vulnerability.
Oracle E-Business Suite Login Panel - Detect
Author: righettodAdded: May 21, 2024
runzero-match
service["http.body"] matches "(?i)Oracle UIX"Description
Oracle E-Business Suite login panel was detected.
Oracle Forms & Reports RCE (CVE-2012-3152 & CVE-2012-3153)
runzero-match
any(each(service["html.titles"]), {# matches "(?i)weblogic"}) || service["http.body"] matches "(?i)weblogic application server"Description
An unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4,
11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown
vectors related to Report Server Component.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution.
Remediation
Apply the necessary patches and updates provided by Oracle to mitigate this vulnerability.
Oracle Fusion - Directory Traversal/Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle business intelligence sign in"})Description
Oracle Business Intelligence Enterprise Edition 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0 are vulnerable to local file inclusion vulnerabilities via "getPreviewImage."
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files, execute arbitrary code, or gain unauthorized access to the system.
Remediation
Apply the latest security patches and updates provided by Oracle to fix this vulnerability.
Oracle Fusion Middleware WebLogic Server Administration Console - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
The Oracle Fusion Middleware WebLogic Server admin console in versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is vulnerable to an easily exploitable vulnerability that allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the necessary patches or updates provided by Oracle to mitigate this vulnerability.
Oracle Identity Manager REST WebServices - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle access management"})Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager.
Impact
Allows unauthenticated attacker to fully compromise Oracle Identity Manager via HTTP(S), leading to complete loss of confidentiality, integrity, and availability.
Remediation
Apply the latest security updates released by Oracle as referenced in the October 2025 Critical Patch Update.
Oracle Integrated Lights Out Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Oracle\\(R\\) Integrated Lights Out Manager"})Description
Oracle Integrated Lights Out Manager login panel was detected.
Oracle Opera Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Oracle Opera"})Oracle PeopleSoft - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Oracle PeopleSoft Sign-in"})Description
Oracle PeopleSoft contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Oracle PeopleSoft Enterprise Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft enterprise"})Description
Oracle PeopleSoft Enterprise login panel detected.
Oracle PeopleSoft Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Oracle PeopleSoft Sign-in"})Description
Oracle PeopleSoft login panel was detected.
Oracle Peoplesoft - Unauthenticated File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft enterprise"})Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component- Portal). Supported versions that are affected are 8.59 and 8.60. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data.
Impact
Unauthenticated attackers can read arbitrary files from the PeopleSoft server through the wsrp-url parameter in the Portal component, potentially accessing critical data including configuration files and sensitive employee information.
Remediation
Update Oracle PeopleSoft Enterprise PeopleTools to a version newer than 8.60 that validates and restricts file:// URLs in the wsrp-url parameter.
Oracle Retail Xstore Suite - Pre-authenticated Path Traversal
runzero-match
service["http.body"] matches "(?i)xstoremgwt"Description
Vulnerability in the Oracle Retail Xstore Office product of Oracle Retail Applications (component: Security). Supported versions that are affected are 19.0.5, 20.0.3, 20.0.4, 22.0.0 and 23.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Xstore Office. While the vulnerability is in Oracle Retail Xstore Office, attacks may significantly impact additional products (scope change).
Impact
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Retail Xstore Office accessible data.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Oracle WebLogic Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
Oracle WebLogic login panel was detected.
Oracle WebLogic Server - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"}) and service["service.transport"] contains "tcp" and service["protocol"] contains "http"Description
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 contain an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Install the suitable patch as per the Oracle Critical Patch Update advisory
Oracle WebLogic Server - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
Oracle WebLogic Server (Oracle Fusion Middleware (component: WLS Core Components) is susceptible to a remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 2.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability could allow unauthenticated attackers with network access via IIOP to compromise Oracle WebLogic Server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches provided by Oracle to mitigate this vulnerability.
Oracle WebLogic Server - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)weblogic"}) || service["http.body"] matches "(?i)weblogic application server"Description
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Versions that are affected are 10.3.6.0.0 and 12.1.3.0.0.
Impact
Unauthenticated attackers can compromise Oracle WebLogic Server via the Web Services component, potentially leading to complete server takeover and unauthorized access to sensitive data.
Remediation
Apply the latest security patches provided by Oracle to fix the vulnerability and ensure proper input validation and sanitization of XML data.
Oracle WebLogic Server Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.
Impact
An attacker can read sensitive files containing credentials, configuration details, or other sensitive information.
Remediation
Apply the latest security patches provided by Oracle to fix the vulnerability.
Oracle WebLogic UDDI Explorer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)oracle peoplesoft sign-in"})Description
Oracle WebLogic UDDI Explorer panel was detected.
Orchid Core VMS Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)orchid core vms"})Description
Orchid Core VMS panel was detected.
Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/order-delivery-date-for-woocommerce"Description
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.
Impact
Unauthenticated attackers can modify WordPress options to enable user registration with administrator role, allowing complete site takeover without authentication.
Remediation
Update to version 12.3.1 or later.
OurMGMT3 Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OurMGMT3"})Description
OurMGMT3 admin login panel was detected.
OutBack Power Mate3s Gateway - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Outback Power"})Description
OutBack Power Mate3s is a system hub and gateway for OutBack FX-series inverter-chargers
used in off-grid, grid-hybrid, and battery backup solar power systems.
The built-in web interface exposes system status, battery metrics, and inverter data.
OutSystems Service Center Login Panel - Detect
Author: righettodAdded: Apr 2, 2024
runzero-match
service["http.body"] matches "(?i)outsystems"Description
OutSystems Service Center login panel was detected.
Outline Panel - Detect
Author: ChrisJr404Added: May 4, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "811213058" || any(each(service["html.titles"]), {# matches "(?i)Outline"})Description
Outline (getoutline.com / github.com/outline/outline) is a popular open-source team knowledge base / wiki, often self-hosted as a Notion alternative. Exposed self-hosted instances may reveal team documents and provide a path to login enumeration if SSO is misconfigured.
OwnCloud - Phpinfo Configuration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)owncloud"})Description
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.
Impact
Unauthenticated attackers can access phpinfo configuration details exposing sensitive credentials including admin passwords, mail server credentials, and license keys in containerized deployments.
Remediation
Upgrade ownCloud graphapi to version 0.2.1 or 0.3.1 or later, and remove or secure the GetPhpInfo.php file.
Owncast - Default Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Owncast"})Description
Detected Owncast using default admin credentials admin:abc123. The admin API was accessible via HTTP Basic authentication, allowing full server configuration access.
PAHTool Login Panel - Detect
Author: righettodAdded: Mar 9, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PAHTool"})Description
PAHTool login panel was detected.
PAN-OS Management Interface - Path Confusion to Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-631559155"Description
A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header.
Impact
Unauthenticated attackers can exploit path confusion between Nginx and Apache to bypass authentication completely, gaining unauthorized access to the PAN-OS management interface and potentially compromising the entire firewall infrastructure.
Remediation
Upgrade to the patched version of PAN-OS as specified in the vendor security advisory.
PAN-OS Management Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "873381299"Description
PAN-OS management panel was detected.
PAN-OS Management Web Interface - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-631559155"Description
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities
Impact
Unauthenticated attackers with network access to the management interface can bypass authentication to gain full administrator privileges, allowing them to tamper with configurations, exploit additional vulnerabilities, and completely compromise the Palo Alto firewall and connected networks.
Remediation
Upgrade to the latest patched version of PAN-OS as specified in the vendor security advisory.
PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Arbitrary File Download
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"Description
The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Impact
Unauthenticated attackers can exploit path traversal to read arbitrary files on the server, potentially exposing sensitive configuration files, wp-config.php containing database credentials, and other critical system files.
Remediation
Update PDF Generator Addon for Elementor Page Builder plugin to a version later than 1.7.5 that properly validates and sanitizes file paths in the rtw_pgaepb_dwnld_pdf function.
PDI Intellifuel - Device Page
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["http.body"] matches "(?i)PDI Intellifuel"PHP CGI - Argument Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)php warning\" \\|\\| \"fatal error"})Description
PHP CGI - Argument Injection (CVE-2024-4577) is a critical argument injection flaw in PHP.
Impact
Successful exploitation could lead to remote code execution on the affected system.
Remediation
Apply the vendor-supplied patches or upgrade to a non-vulnerable version.
PHP LDAP Admin Panel - Detect
Author: ritikchaddha,DhiyaneshDkAdded: Sep 12, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpLDAPadmin"})PHP Login System 2.0.1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)klik_loginsystem"Description
msaad1999's PHP-Login-System 2.0.1 contains a reflected cross-site scripting caused by unsanitized input in 'validator' parameter in /reset-password, letting remote attackers execute arbitrary JavaScript in a user's browser, exploit requires attacker to craft malicious URL
Impact
Attackers can execute arbitrary JavaScript in users' browsers, potentially stealing cookies or session tokens.
Remediation
Implement proper input validation and output encoding for the 'validator' parameter.
PHPCI Configuration Exposure "phpci.yml" Exposure
Author: DhiyaneshDkAdded: Dec 16, 2025
runzero-match
service["http.body"] matches "(?i)phpci\\.yml"Description
PHPCI Configuration "phpci.yml" File was exposed.
PHPCMS 2008 - Remote Code Execution via Template Injection
runzero-match
service["http.body"] matches "(?i)Powered by phpcms"Description
PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
Impact
Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, potentially taking full control.
Remediation
The vendor is unresponsive and PHPCMS 2008 is no longer maintained. Users are advised to stop using this software or restrict public access to it.
PHPGurukul Hospital Management System 4.0 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Hospital Management System"})Description
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\user-login.php. Remote unauthenticated users can exploit the vulnerability to obtain sensitive database information.
Impact
Successful exploitation allows attackers to access sensitive data from the database, potentially leading to data leakage and further compromise of the application.
Remediation
Upgrade to the latest version or apply proper input sanitization and parameterized queries to mitigate this vulnerability.
PHPIPAM <v1.5.1 - Missing Authorization
runzero-match
service["http.body"] matches "(?i)phpipam ip address management"Description
In phpIPAM 1.5.1, an unauthenticated user could download the list of high-usage IP subnets that contains sensitive information such as a subnet description, IP ranges, and usage rates via find_full_subnets.php endpoint. The bug lies in the fact that find_full_subnets.php does not verify if the user is authorized to access the data, and if the script was started from a command line.
Impact
Unauthenticated attackers can access sensitive network information including IP subnet descriptions, ranges, and usage rates through the find_full_subnets.php endpoint without authorization.
Remediation
Update phpIPAM to version 1.5.1 or later that implements proper authorization checks in find_full_subnets.php before returning subnet information.
PHPJabbers Food Delivery Script - SQL Injection
runzero-match
service["http.body"] matches "(?i)PHPJabbers"Description
PHPJabbers Food Delivery Script 3.0 has a SQL injection (SQLi) vulnerability in the "q" parameter of index.php.
Impact
Unauthenticated attackers can exploit SQL injection in the q parameter to extract sensitive database information including customer orders, payment details, delivery addresses, and admin credentials from the Food Delivery platform.
Remediation
Update PHPJabbers Food Delivery Script to a version newer than 3.0 that properly sanitizes the q parameter and uses parameterized queries.
PHPJabbers Food Delivery Script v3.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)PHPJabbers"Description
PHPJabbers Food Delivery Script v3.0 is vulnerable to SQL Injection in the "column" parameter of index.php.
Impact
Unauthenticated attackers can exploit SQL injection in the column parameter to extract sensitive database information including customer orders, payment details, delivery addresses, and admin credentials from the Food Delivery platform.
Remediation
Update PHPJabbers Food Delivery Script to a version newer than 3.0 that properly sanitizes the column parameter and uses parameterized queries.
PHPJabbers Shuttle Booking Software 1.0 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)php jabbers\\.com"Description
The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials.
Impact
Unauthenticated attackers can inject malicious JavaScript through URL parameters, potentially stealing session tokens and login credentials of shuttle booking system administrators and customers.
Remediation
Update PHPJabbers Shuttle Booking Software to a version newer than 1.0 that properly sanitizes URL parameters in the admin login functionality.
PHPJabbers Taxi Booking 2.0 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)php jabbers\\.com"Description
A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be launched remotely.
Impact
Unauthenticated attackers can inject malicious JavaScript through the index parameter, potentially stealing booking information and user credentials from the Taxi Booking platform.
Remediation
Update PHP Jabbers Taxi Booking to a version newer than 2.0 that properly sanitizes the index parameter and encodes output to prevent XSS attacks.
PHPMailer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PHP Mailer"})Description
PHPMailer panel was detected.
PMB 7.4.6 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1469328760"Description
PMB 7.4.6 contains a cross-site scripting vulnerability via the query parameter at /admin/convert/export_z3950_new.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of PMB.
PRONOTE Login Panel - Detect
Author: righettodAdded: Nov 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PRONOTE"})Description
PRONOTE products was detected.
PRTG Network Monitor - Hardcoded Credentials
runzero-match
service["favicon.ico.image.mmh3"] == "-655683626"Description
PRTG Network Monitor contains a hardcoded credential vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
PTC ThingWorx - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Thingworx"})Description
PTC ThingWorx is an Industrial IoT (IIoT) platform for building and deploying
connected industrial applications, machine monitoring, and remote service solutions.
Exposed instances may provide unauthenticated access to IIoT dashboards and
connected device management interfaces.
Pair Drop Panel - Detect
Author: rxeriumAdded: Feb 3, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PairDrop"})Description
Local file sharing in your browser. Inspired by Apple's AirDrop. Fork of Snapdrop.
Palo Alto Expedition - Admin Account Takeover
runzero-match
service["favicon.ico.image.mmh3"] == "1499876150"Description
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Impact
Attackers with network access can exploit missing authentication to takeover Expedition admin accounts without credentials.
Remediation
Update Palo Alto Networks Expedition to the latest version that patches CVE-2024-5910 as specified in the Palo Alto security advisory.
Palo Alto Expedition - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1499876150"Description
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
Impact
Unauthenticated attackers can exploit SQL injection to reveal Expedition database contents including password hashes, usernames, device configurations, and API keys, and create or read arbitrary files on the system.
Remediation
Apply security updates from Palo Alto Networks as specified in security advisory PAN-SA-2024-0010 to address the SQL injection vulnerability in Expedition.
Palo Alto Expedition Project Login - Detect
Author: johnk3rAdded: Oct 10, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1499876150"Description
Palo Alto Expedition Project login panel was detected.
Palo Alto Network PAN-OS - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-631559155"Description
Palo Alto Network PAN-OS and Panorama before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches and updates provided by Palo Alto Networks.
Palo Alto Networks PAN-OS Default Login
runzero-match
any(each(service["html.bodies"]), {# contains "window.Pan = window.Pan || {}"})Description
Palo Alto Networks PAN-OS application default admin credentials were discovered.
Pandora FMS Mobile Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pandora fms"})Description
Pandora FMS Mobile Console login panel was detected.
PaperCut < 22.1.3 - Path Traversal
runzero-match
service["http.body"] matches "(?i)content=\"papercut" || service["http.body"] matches "(?i)papercut" || any(each(service["html.titles"]), {# matches "(?i)papercut"})Description
PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.
Impact
An attacker can exploit this vulnerability to access sensitive files, potentially leading to unauthorized disclosure of information or remote code execution.
Remediation
Upgrade PaperCut to version 22.1.3 or later to mitigate the vulnerability.
PaperCut NG Unauthenticated XMLRPC Functionality
runzero-match
service["http.body"] matches "(?i)content=\"papercut" || service["http.body"] matches "(?i)'content=\"papercut'"Description
PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.
Impact
Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to sensitive information.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Paperless-ngx Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Paperless-ngx"})Description
Detected Paperless-ngx was a self-hosted document management platform for scanning, OCR-ing and tagging paper documents.
Parallels H-Sphere 3.6.1713 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)h-sphere"})Description
Parallels H-Sphere 3.6.1713 contains a cross-site scripting vulnerability via the index_en.php 'from' parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patch or upgrade to a newer version of Parallels H-Sphere to mitigate the XSS vulnerability.
Parallels H-Sphere Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)parallels h-sphere"}) || any(each(service["html.titles"]), {# matches "(?i)h-sphere"})Description
Parallels H-Sphere login panel was detected.
Parse Dashboard Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)parse dashboard"})Description
Parse Dashboard login panel was detected.
Parse Server - GraphQL Schema Information Disclosure
Author: securitytatersAdded: Jul 20, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)parse server\" \\|\\| \"parse-server"})Description
The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface.
Impact
Unauthenticated attackers can access GraphQL schema metadata without authentication, potentially expanding the attack surface through exposure of API structure and query capabilities.
Remediation
Upgrade Parse Server to the latest version that requires authentication for GraphQL schema introspection.
Passbolt Login Panel
Author: righettodAdded: Feb 5, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Passbolt \\| Open source password manager for teams"})Description
Passbolt login panel was detected.
Payroll Management System Web Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Admin \\| Employee's Payroll Management System"})Description
Payroll Management System Web login panel was detected.
Pega Infinity Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pega platform"})Description
Pega Infinity login panel was detected.
Pelco Sarix - Default Login
runzero-match
asset["hw"] matches "(i)Pelco Sarix"Description
Pelco Sarix camera default login credentials (admin/admin) were discovered using Digest Authentication.
Pentaho Default Login
runzero-match
any(each(service["html.titles"]), {# matches "^Pentaho User Console"})Description
Pentaho default admin credentials were discovered.
Perforce Repository Disclosure
Author: DhiyaneshDkAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)Perforce"Description
Detected an exposed .p4ignore file, which could have revealed ignored files, sensitive paths, or developer-specific information useful for further enumeration.
Perplexica Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Perplexica"})Description
Perplexica is an open-source AI-powered search engine that uses SearXNG to search
the web and provides AI-generated answers.
Persis Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Persis"})Description
Persis panel was detected,
Personal Weather Station Dashboard 12 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PWS Dashboard"})Description
Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
Impact
Unauthenticated attackers can read arbitrary files including private SSL keys through directory traversal in the test parameter, potentially exposing sensitive cryptographic material.
Remediation
Upgrade Personal Weather Station Dashboard to a version later than 12_lts that properly validates file paths.
Phabricator Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)phabricator-standard-page"Description
Phabricator login panel was detected.
Phoenix Contact CHARX SEC-3XXX AC Charging Controller Panel - Detect
Author: inokiiAdded: Jul 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Phoenix Contact - CHARX"})Description
Phoenix Contact CHARX SEC-3XXX AC Charging Controller panel was detected.
Phoenix Contact CHARX SEC-3XXX AC Charging Controller REST API - Detect
Author: inokiiAdded: Jul 16, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Phoenix Contact - CHARX"})Description
Phoenix Contact CHARX SEC-3XXX AC Charging Controller REST API was detected.
Phoenix Contact CHARX SEC-3XXX AC Controller < 1.7.3 - Multiple Vulnerabilities
Author: inokiiAdded: Sep 11, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Phoenix Contact - CHARX"})Description
Multiple vulnerabilities exist in Phoenix Contact CHARX SEC-3XXX AC Controller versions prior to 1.7.3. Successful exploitation may allow attackers to bypass authentication, disclose sensitive information, or execute arbitrary code.
Phoronix Test Suite Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phoronix-test-suite"})Description
Phoronix Test Suite panel was detected.
Photo Gallery by 10Web < 1.6.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/photo-gallery"Description
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
Remediation
This is resolved in release 1.6.0.
PhotoPrism Panel - Detect
Author: rxerium,ritikchaddhaAdded: Aug 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PhotoPrism"})Description
PhotoPrism is an AI-powered photos app for the decentralized web. This template detects the presence of PhotoPrism login panel.
PhpMyAdmin - Unauthenticated Access
Author: pwnhxlAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)server_databases\\.php"Description
Unauthenticated Access to phpmyadmin dashboard.
PhpMyAdmin <4.8.2 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpmyadmin"})Description
PhpMyAdmin before version 4.8.2 is susceptible to local file inclusion that allows an attacker to include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Impact
An attacker can exploit this vulnerability to read arbitrary files on the server.
Remediation
Upgrade PhpMyAdmin to version 4.8.2 or later to fix the vulnerability.
PhpMyAdmin Scripts - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpmyadmin"})Description
PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the affected system.
Remediation
Update PhpMyAdmin to the latest version or apply the necessary patches.
Pichome 2.1.0 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PicHome"})Description
A vulnerability, which was classified as critical, was found in zyx0814 Pichome 2.1.0. This affects an unknown part of the file /index.php?mod=textviewer. The manipulation of the argument src leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Impact
Unauthenticated attackers can read arbitrary files from the server through path traversal in the src parameter, potentially exposing sensitive configuration files, credentials, and user data.
Remediation
Upgrade to Pichome version 2.1.1 or later that properly validates file paths.
Pichome Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "933976300"Description
Pichome login panel was detected.
Pimcore Admin Login - Panel Detect
runzero-match
service["http.body"] matches "(?i)Welcome to Pimcore!"Description
Pimcore admin login interface was discovered.
Piwigo - User Enumeration via Password Reset
runzero-match
service["http.body"] matches "(?i)Piwigo"Description
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available.
Impact
Unauthenticated attackers can enumerate valid usernames or email addresses, aiding further targeted attacks.
Remediation
Update to the latest version when available or apply mitigations to unify response messages.
Piwigo Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "540706145"Description
Piwigo login panel was detected.
Planet eStream Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - planet estream"})Description
Planet eStream login panel was detected.
Plausible Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
service["http.body"] matches "(?i)Plausible"Description
Plausible is intuitive, lightweight and open source web analytics.
Plesk End-of-Life - Detect
Author: Shivam KambojAdded: Mar 2, 2026
runzero-match
service["http.head.xPoweredByPlesk"] != ""Description
Detected Plesk versions that have reached End-of-Life (EOL) and no longer receive security updates.
Plesk Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)plesk onyx"Description
Plesk login panel was detected.
Plesk Obsidian Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)plesk obsidian" || any(each(service["html.titles"]), {# matches "(?i)plesk obsidian"})Description
Plesk Obsidian login panel was detected.
PocketBase Panel - Detect
Author: userdehghaniAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "981081715"Description
PocketBase Login panel was discovered.
Polarion Siemens Login - Panel
Author: Th3l0newolfAdded: May 17, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-1135703796" || service["favicon.ico.image.mmh3"] == "707299418"Description
Detects the exposed Polarion Siemens login page.
Polycom HDX - Web Interface Exposure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Polycom HDX"})Description
Detecetd Polycom HDX video conferencing system web interface, potentially allowing unauthorized access to device configuration and video calls.
Polynote Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Polynote"})Description
Polynote is a polyglot notebook supporting Scala, Python, SQL, and Spark with a rich UI
Popup-Maker < 1.8.12 - Broken Authentication
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/popup-maker/"Description
An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").
Impact
Unauthenticated attackers can gain administrative access to the WordPress site.
Remediation
Update Popup-Maker plugin to version 1.8.12 or later.
Portainer - Init Deploy Discovery
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Portainer"})Description
Portainer initialization deployment files were discovered.
Portainer Login Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)portainer"})Portal do Software Publico Brasileiro i3geo 7.0.5 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)i3geo"Description
Portal do Software Publico Brasileiro i3geo 7.0.5 is vulnerable to local file inclusion in the component codemirror.php, which allows attackers to execute arbitrary PHP code via a crafted HTTP request.
Impact
An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
Remediation
Apply the latest patch or upgrade to a newer version of i3geo to fix the LFI vulnerability.
Post Grid <= 2.2.50 - Information Exposure via REST API
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/post-grid-combo/"Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid Combo – 36+ Gutenberg Blocks.This issue affects Post Grid Combo – 36+ Gutenberg Blocks: from n/a through 2.2.50.
Impact
Unauthorized actors can access sensitive information, leading to privacy breaches and potential misuse of data.
Remediation
Update to the latest version beyond 2.2.50 or apply available security patches.
PostHog Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)posthog"})Description
PostHog login panel was detected.
Poste.io Admin Panel - Detect
Author: ritikchaddhaAdded: Mar 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Administration login"})Description
Poste.io login panel was detected.
PowerChute Network Shutdown Panel - Detect
Author: DhiyaneshDKAdded: Apr 11, 2024
runzero-match
service["http.body"] matches "(?i)PowerChute Network Shutdown"PowerCom Network Manager
Author: pussycat0xAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PowerCom Network Manager"})PowerJob - Default Login
Author: j4vaovoAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "PowerJob"})Description
PowerJob default login credentials were discovered.
PowerJob <=4.3.2 - Unauthenticated Access
runzero-match
service["http.body"] matches "(?i)powerjob"Description
PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information or perform malicious actions.
Remediation
Upgrade PowerJob to a version higher than 4.3.2 or apply the necessary patches to fix the authentication bypass issue.
PowerJob List - Authorization Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PowerJob"})Description
PowerJob = 5.1.2 contains a broken access control caused by missing authorization in /user/list function, letting remote attackers access unauthorized resources, exploit requires no special privileges.
Impact
Remote attackers can access unauthorized resources, potentially leading to data exposure or privilege escalation.
Remediation
Update to the latest version beyond 5.1.2.
PowerJob Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PowerJob"})Description
PowerJob login panel was detected.
PowerShell Universal - Default Login
Author: ap3rAdded: Jan 17, 2024
runzero-match
service["http.body"] matches "PowerShell Universal"Description
PowerShell Universal default admin credentials were discovered.
Powertek Firmware <3.30.30 - Authorization Bypass
runzero-match
service["http.body"] matches "(?i)powertek"Description
Powertek firmware (multiple brands) before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext.
Impact
An attacker can bypass authentication and gain unauthorized access to the Powertek Firmware, potentially leading to further compromise of the system.
Remediation
Upgrade the Powertek Firmware to version 3.30.30 or higher to mitigate the vulnerability.
Pre-Auth Takeover of Build Pipelines in GoCD
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Create a pipeline - Go\" html:\"GoCD Version"})Description
GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access and control over the build pipelines, potentially resulting in the execution of arbitrary code or unauthorized modifications.
Remediation
Upgrade to version v21.3.0. or later.
PrestaShop < 1.7.6.6 - Information Exposure via Upload Directory
runzero-match
service["product"] contains "PrestaShop:PrestaShop"Description
PrestaShop versions after 1.5.0.0 and before 1.7.6.6 are vulnerable to information exposure through directory listing in the upload directory due to a missing index.php file.
Impact
Attackers can enumerate uploaded files potentially exposing sensitive customer data, invoices, or internal documents.
Remediation
Upgrade to PrestaShop version 1.7.6.6 or later, or add an empty index.php file in the upload directory as a workaround.
PrestaShop Theme Volty CMS Blog - SQL Injection
runzero-match
service["http.body"] matches "(?i)/tvcmsblog"Description
In the module 'Theme Volty CMS Blog' (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
PrestaShop `tshirtecommerce` Module - SQL Injection
runzero-match
service["http.body"] matches "(?i)Prestashop"Description
The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the designer endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database.
Impact
Unauthenticated attackers can execute time-based SQL injection through the parent_id parameter in the designer endpoint to extract the complete PrestaShop database including user credentials and order data.
Remediation
Update the tshirtecommerce module to the latest version and apply all security patches.
PrestaShop fieldpopupnewsletter Module - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)fieldpopupnewsletter"Description
Fieldpopupnewsletter Prestashop Module v1.0.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback parameter at ajax.php.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential theft of sensitive information, session hijacking, or defacement.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
PrestaShop productsalert - SQL Injection
runzero-match
service["http.body"] matches "(?i)/productsalert"Description
In the module 'Products Alert' (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
PrestaShop xipblog - SQL Injection
runzero-match
service["http.body"] matches "(?i)/xipblog"Description
In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
Prestashop posstaticfooter <= 1.0.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)posstaticfooter"Description
Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook().
Impact
Unauthenticated attackers can execute arbitrary SQL commands to extract database contents including customer data, orders, payment information, and administrative credentials from the PrestaShop database.
Remediation
Upgrade to the latest version of the posstaticfooter module from posthemes.
Prettier - Ignore File Disclosure
Author: ritikchaddhaAdded: Dec 26, 2025
runzero-match
service["http.body"] matches "(?i)\\.prettierignore"Description
The .prettierignore file is publicly accessible, potentially revealing project structure, sensitive file paths, and internal directory organization.
Prime Mover < 1.9.3 - Sensitive Data Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/prime-mover"Description
Prime Mover plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.2 via directory listing in the 'prime-mover-export-files/1/' folder. This makes it possible for unauthenticated attackers to extract sensitive data including site and configuration information, directories, files, and password hashes.
Impact
Unauthenticated attackers can exploit directory listing to access export files containing sensitive site configuration data, database information, and password hashes from WordPress Prime Mover installations.
Remediation
Fixed in 1.9.3
Primetek Primefaces 5.x - Remote Code Execution
runzero-match
service["product"] contains "Primetek:Primefaces"Description
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches or upgrade to a newer version of the Primetek Primefaces application.
Prison Management System - SQL Injection Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Prison Management System"})Description
Sql injection vulnerability was found on the login page in Prison Management System
Impact
Attackers can bypass authentication via SQL injection to gain unauthorized administrative access to the Prison Management System.
Remediation
Apply security patches for Prison Management System addressing SQL injection vulnerabilities.
Pritunl - Panel
Author: irshad ahamedAdded: Jul 1, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Pritunl"})Description
Realtime website and application monitoring tool
PrivateGPT - Detect
Author: ritikchaddhaAdded: Aug 16, 2024
runzero-match
service["http.body"] matches "(?i)private gpt"Description
PrivateGPT panel has been detected.
ProFTPD mod_sql - Preauth User Backdoor
runzero-match
service["protocol"] contains "ftp" and service["service.transport"] contains "tcp" and service["banner"] matches "(?i)ProFTPd"Description
ProFTPD mod_sql before 1.3.10rc1 contains a remote code execution caused by unsafe username handling with SQL backend commands in USER request logging expansions, letting remote attackers execute arbitrary code, exploit requires SQL backend allowing commands.
Impact
Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Upgrade to version 1.3.10rc1 or later.
ProcessWire Login - Panel Detect
runzero-match
service["http.body"] matches "(?i)processwire"Description
ProcessWire login panel was detected.
Procore Login - Panel
Author: rxeriumAdded: Aug 14, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "1952289652"Prodigy Commerce <= 3.3.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/prodigy-commerce/"Description
Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.
Impact
Unauthenticated attackers can execute arbitrary PHP code, bypass access controls, and access sensitive data, potentially leading to full server compromise.
Remediation
Update to the latest version beyond 3.2.9.
ProfileGrid <= 5.7.8 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/profilegrid-user-profiles-groups-and-communities/"Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.8 due to insufficient escaping on the user supplied 'search' parameter and lack of sufficient preparation on the existing SQL query.
Impact
Attackers can execute arbitrary SQL queries, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to ProfileGrid version 5.7.9 or later.
Progress Kemp LoadMaster - Command Injection
runzero-match
service["http.body"] matches "(?i)LoadMaster"Description
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Impact
Unauthenticated attackers can execute arbitrary system commands through the LoadMaster management interface, leading to complete system compromise.
Remediation
Upgrade to LoadMaster versions 7.2.59.2, 7.2.54.8, or 7.2.48.10 depending on your current version.
Progress Kemp LoadMaster Panel - Detect
Author: rxeriumAdded: Sep 10, 2024
runzero-match
service["http.body"] matches "(?i)Kemp Login Screen"Description
A Progress Kemp LoadMaster panel was detected.
Progress ShareFile Storage Zones Controller - Authentication Bypass
runzero-match
service["product"] contains "Progress Software:ShareFile Storage Zones Controller"Description
Customer Managed ShareFile Storage Zones Controller (SZC) contains an authentication bypass (Execution After Redirect) that allows unauthenticated attackers to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Impact
Unauthenticated attackers can change system configuration and potentially execute remote code, leading to full system compromise.
Remediation
Update ShareFile Storage Zones Controller to version 5.12.4 or later.
Project Insight Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)project insight - login"})Description
Project Insight login panel was detected.
ProjectSend Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)provided"Description
ProjectSend login panel was detected.
Proofpoint Protection Server Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "942678640"Description
Proofpoint Protection Server panel was detected.
Protect WP Admin < 4.0 - Unauthenticated Protection Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/protect-wp-admin"Description
The Protect WP Admin WordPress plugin before version 4.0 disclosed the URL of the admin panel through the redirection of a crafted URL, bypassing the protection offered.
Impact
Unauthenticated attackers can exploit URL redirection to discover the protected admin panel URL and bypass the protection mechanism offered by the plugin.
Remediation
Fixed in 4.0 or later
Proxmox Virtual Environment Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "213144638"Description
Proxmox Virtual Environment login panel was detected.
Pterodactyl Panel - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pterodactyl"}) || service["favicon.ico.image.mmh3"] == "-456405319" || service["favicon.ico.image.mmh3"] == "846001371"Description
Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated.
Impact
With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (.env or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc.
Remediation
Upgrade to Pterodactyl version 1.11.11+. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
Pterodactyl game server - Panel
Author: darsesAdded: Jun 21, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Pterodactyl"}) || service["favicon.ico.image.mmh3"] == "-456405319" || service["favicon.ico.image.mmh3"] == "846001371"Description
Detects Pterodactyl game server management panel.
Pulsar Admin Console Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pulsar admin console"}) || any(each(service["html.titles"]), {# matches "(?i)pulsar admin ui"})Description
Pulsar admin console panel was detected.
Pulsar Admin UI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pulsar admin ui"}) || any(each(service["html.titles"]), {# matches "(?i)pulsar admin console"})Description
Pulsar admin UI panel was detected.
Pulsar360 Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Pulsar Admin"})Description
Pulsar360 admin panel was detected.
Pulse Connect Secure SSL VPN Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)welcome\\.cgi\\?p=logo" || any(each(service["html.titles"]), {# matches "(?i)ivanti connect secure"})Description
Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 all contain an arbitrary file reading vulnerability that could allow unauthenticated remote attackers to send a specially crafted URI to gain improper access.
Impact
An attacker can access sensitive information stored on the system, potentially leading to further compromise.
Remediation
Apply the latest security patches and updates provided by Pulse Secure.
Puppetboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Puppetboard"})Description
Puppetboard panel was detected.
Pure Storage Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pure storage login"})Description
Pure Storage login panel was detected.
PyLoad Default Login
Author: DhiyaneshDkAdded: Jul 6, 2023
runzero-match
service["http.body"] matches "(?i)pyload"Description
PyLoad Default Credentials were discovered.
PyLoad Login - Panel
Author: DhiyaneshDkAdded: Jul 6, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - pyload"}) || service["http.body"] matches "(?i)pyload" || any(each(service["html.titles"]), {# matches "(?i)pyload"})Description
A Pyload Login was detected.
Python Requirements File Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)index of"})Description
Detected Python requirements.txt file. This file contains Python package dependencies and versions that could reveal technology stack, vulnerable package versions, and internal dependencies.
Python Setup Configuration - Exposure
Author: DhiyaneshDkAdded: Dec 16, 2025
runzero-match
service["http.body"] matches "(?i)setup\\.py"Description
Python Setup Configuration "setup.py" File was exposed.
QNAP HBS 3 - Broken Access Control
runzero-match
asset["hw"] matches "(?i)QNAP"Description
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
Impact
Remote attackers can log in without proper authorization, potentially leading to full system compromise or unauthorized data access.
Remediation
Update to the latest versions: v16.0.0415 or later for QTS 4.5.2, v3.0.210412 or later for QTS 4.3.6, v3.0.210411 or later for QTS 4.3.4 and 4.3.3, v16.0.0419 or later for QuTS hero h4.5.1, and v16.0.0419 or later for QuTScloud c4.5.1~c4.5.4.
QNAP Music Station < 5.4.0 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qnap"})Description
An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later
Impact
Unauthenticated attackers can bypass authentication in Music Station to read arbitrary files from the QNAP system including /etc/passwd, potentially accessing sensitive configuration files and user credentials.
Remediation
Update QNAP Music Station to version 5.4.0 or later that implements proper authentication validation in the as_get_file_api.php endpoint.
QNAP Photo Station - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)photo station"}) || any(each(service["html.titles"]), {# matches "(?i)qnap"})Description
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Impact
Unauthenticated attackers can exploit path traversal to access or modify system files, potentially reading sensitive configuration files and credentials.
Remediation
Upgrade to QNAP Photo Station version that addresses this vulnerability or apply vendor-provided patches.
QNAP Photo Station Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)photo station"}) || any(each(service["html.titles"]), {# matches "(?i)qnap"})Description
QNAP Photo Station panel was detected.
QNAP QTS Photo Station External Reference - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qnap"}) || any(each(service["html.titles"]), {# matches "(?i)photo station"})Description
QNAP QTS Photo Station External Reference is vulnerable to local file inclusion via an externally controlled reference to a resource vulnerability. If exploited, this could allow an attacker to modify system files. The vulnerability is fixed in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later.
Impact
An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks.
Remediation
Apply the latest security patches and updates provided by QNAP to fix the local file inclusion vulnerability in QTS Photo Station.
QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)photo station"}) || any(each(service["html.titles"]), {# matches "(?i)qnap"})Description
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of QNAP QTS and Photo Station.
QNAP Turbo NAS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qnap turbo nas"})Description
QNAP QTS login panel was detected.
Qlik Sense Enterprise - HTTP Request Smuggling
runzero-match
service["http.body"] matches "(?i)qlik" || service["favicon.ico.image.mmh3"] == "-74348711" || any(each(service["html.titles"]), {# matches "(?i)qlik-sense"})Description
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Impact
Authenticated attackers with low privileges can exploit HTTP request tunneling to escalate privileges and execute malicious requests on the Qlik Sense repository application backend server.
Remediation
Update Qlik Sense Enterprise for Windows to August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, or August 2022 Patch 13 that fixes HTTP request smuggling in the repository application.
Qlik Sense Enterprise - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qlik-sense"}) || service["favicon.ico.image.mmh3"] == "-74348711" || service["http.body"] matches "(?i)qlik"Description
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Impact
Unauthenticated attackers can exploit path traversal to generate anonymous sessions and access unauthorized API endpoints, potentially extracting sensitive business intelligence data and manipulating Qlik Sense dashboards.
Remediation
Update Qlik Sense Enterprise to August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, or August 2022 Patch 13 that properly validates resource paths and enforces authentication.
Qlik Sense Server Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qlik-sense"}) || service["favicon.ico.image.mmh3"] == "-74348711" || service["http.body"] matches "(?i)qlik"Description
Qlik Sense Server panel was detected.
QlikView AccessPoint Login Panel - Detect
Author: righettodAdded: May 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)QlikView - AccessPoint"})Description
QlikView AccessPoint login panel was detected.
QloApps 1.6.0 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qloapps"})Description
An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameters date_from, date_to, and id_product allows a remote attacker to retrieve the contents of an entire database.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
QmailAdmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qmailadmin"})Description
QmailAdmin login panel was detected.
Qualitor ITSM - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1217039701"Description
Qualitor ITSM login panel was detected.
Quest KACE System Management Appliance 8.0.318 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-463230636"Description
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
Impact
An attacker can execute arbitrary commands on the affected system, potentially leading to complete system compromise, data theft, or further network exploitation.
Remediation
Upgrade to a patched version of Quest KACE System Management Appliance or apply the necessary security patches provided by Quest Software.
Quest Modem Configuration Login - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Advanced Setup - Security - Admin User Name & Password"})Description
Quest Modem Configuration login Panel was detected.
Quick.CMS v6.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)Quick\\.Cms v6\\.7"Description
Quick.CMS version 6.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
Quilium Panel - Detect
Author: righettodAdded: Sep 8, 2023
runzero-match
service["http.body"] matches "(?i)CMS Quilium"Description
Quilium CMS Login Panel was detected.
Quiz and Survey Master <= 8.1.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/quiz-master-next"Description
ExpressTech Quiz And Survey Master (versions up to 8.1.4) contains an SQL injection caused by improper neutralization of special elements used in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires user interaction.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of Quiz And Survey Master that addresses this vulnerability.
Qwik - Unauthenticated RCE via server$ Deserialization
runzero-match
service["http.body"] matches "(?i)q:version"Description
Qwik <=1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism, letting unauthenticated attackers execute arbitrary code remotely, exploit requires require() availability at runtime.
Impact
Unauthenticated attackers can execute arbitrary code on the server, leading to full system compromise.
Remediation
Update to version 1.19.1 or later.
RAGFlow Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "RAGFlow"})Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep
document understanding.
RCDevs WebADM Panel - Detect
Author: righettodAdded: Oct 19, 2023
runzero-match
service["http.body"] matches "(?i)WebADM"Description
RCDevs WebADM Login Panel was detected.
RD Web Access Panel - Detect
Author: rxerium,sorrowx3Added: Nov 9, 2023
runzero-match
service["http.body"] matches "(?i)rd web access"Description
RD web access panel was discovered.
RDWeb RemoteApp and Desktop Connections - Web Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RD Web Access"})Description
RDWeb RemoteApp and Desktop Connections does not display.
RG-UAC Ruijie - Password Hashes Leak
Author: ritikchaddha,galogetAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)Get_Verify_Info"Description
Multiple Firewall Devices from vendor Ruijie Networks are affected by an information leakage vulnerability where credentials are included in the source code of the web admin login interface (usernames, roles, MD5 hashes and additional details of each user). Attackers can use this information to illegally access into the vulnerable devices, obtain sensitive device information and change configurations. The vulnerability is identified by CNVD-2021-14536.
RStudio Sign In Panel - Detect
Author: DhiyaneshDkAdded: Oct 6, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RStudio Sign In"})Description
RStudio Sign In panel was detected.
RWS WorldServer - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WorldServer"})Description
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint.
Impact
Unauthenticated attackers can bypass all authentication by adding a token parameter with value 02, then upload and execute arbitrary Java code via JAR archives, potentially compromising the translation management system and accessing sensitive multilingual content.
Remediation
Upgrade to RWS WorldServer version 11.7.3 or later that properly validates authentication tokens and restricts API access.
RabbitMQ Default Login
runzero-match
any(each(service["html.titles"]), {# matches "RabbitMQ Management"})Description
RabbitMQ default admin credentials were discovered.
Racksnet Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)My Datacenter - Login"})Description
Racksnet login panel was detected.
RaidenMAILD Mail Server v.4.9.4 - Path Traversal
runzero-match
service["http.body"] matches "(?i)RaidenMAILD"Description
Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 and before allows a remote attacker to obtain sensitive information via the /webeditor/ component.
Impact
Attackers can traverse directories to obtain sensitive information from the mail server.
Remediation
Update RaidenMAILD to a version later than 4.9.4 that patches the directory traversal vulnerability.
RailsAdmin Dashboard Exposure
Author: 0x_AkokoAdded: Jan 26, 2026
runzero-match
service["http.body"] matches "(?i)RailsAdmin"Description
Detected RailsAdmin dashboard was exposed without proper authentication, allowing unauthorized access to data management interface.
Rainloop WebMail - Default Admin Login
Author: For3stCo1dAdded: Apr 27, 2023
runzero-match
any(each(service["html.bodies"]), {# matches "rainloop/"})Description
Rainloop WebMail default admin login credentials were successful.
Rallly Login - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches `^Login | Rally`})Description
Rallly login interface was discovered.
Rancher Dashboard Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1324930554" || service["favicon.ico.image.mmh3"] == "464587962"Description
Rancher Dashboard was detected.
Rancher Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "464587962"Description
Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes.
Rancher Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "464587962"Description
Rancher login panel was detected.
Rapid7 Nexpose VM Security Console - Detect
Author: johnk3rAdded: Nov 2, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-516760689"Description
Rapid7 Nexpose VM Security Console login panel was detected.
Raritan PDU - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)Raritan PDU`Description
Raritan intelligent PDU web interface panel has been detected.
RaspAP 2.8.7 - Unauthenticated Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1465760059"Description
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
Impact
Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Upgrade to a patched version of RaspAP or apply the vendor-supplied patch to mitigate this vulnerability.
RaspberryMatic Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-578216669"Description
RaspberryMatic login panel was detected.
Ray API - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)ray dashboard" || service["favicon.ico.image.mmh3"] == "463802404"Description
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.
Impact
Unauthenticated attackers can read any file on the server via the log API endpoint, potentially accessing sensitive configuration files, credentials, and application data.
Remediation
Update Ray to a patched version that properly validates file paths in the logs endpoint.
Ray Static File - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "463802404" || service["http.body"] matches "(?i)ray dashboard"Description
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.
Impact
Unauthenticated attackers can read any file on the server via path traversal in the /static/ directory, potentially exposing sensitive configuration files and credentials.
Remediation
Update Ray to a patched version that restricts static file access.
Rclone RC - Broken Access Control
runzero-match
service["http.head.server"] matches "(?i)^rclone"Description
Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability caused by unauthenticated access to the RC endpoint `options/set` allowing mutation of global runtime configuration, letting unauthenticated attackers access sensitive administrative functions, exploit requires RC server started without global HTTP authentication.
Impact
Unauthenticated attackers can access sensitive administrative functions, potentially leading to full control over the RC server configuration and operations.
Remediation
Upgrade to version 1.73.5 or later.
ReCrystallize Server - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ReCrystallize"})Description
This vulnerability allows an attacker to bypass authentication in the ReCrystallize Server application by manipulating the 'AdminUsername' cookie. This gives the attacker administrative access to the application's functionality, even when the default password has been changed.
Impact
Unauthenticated attackers can bypass authentication by manipulating the AdminUsername cookie to gain administrative access to ReCrystallize Server.
Remediation
Update ReCrystallize Server to a patched version that addresses CVE-2024-26331.
React Server Components - Remote Code Execution
Author: DhiyaneshDk,princechaddha,assetnote,lachlan2k,maple3142,iamnooobAdded: Dec 4, 2025CWE-502CVE-2025-55182
runzero-match
service["http.head.xPoweredBy"] matches `(?i)Next\.js`Description
React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including react-server-dom-parcel,
react-server-dom-turbopack, and react-server-dom-webpack contain a remote code execution caused
by unsafe deserialization of payloads from HTTP requests to Server Function endpoints, letting
unauthenticated attackers execute arbitrary code remotely, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full system compromise.
Remediation
Update to the latest version that fixes the unsafe deserialization issue.
Really Simple Security < 9.1.2 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/really-simple-ssl"Description
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
Impact
Unauthenticated attackers can exploit improper error handling in the two-factor authentication REST API to bypass authentication and log in as any user including administrators when two-factor authentication is enabled.
Remediation
Fixed in 9.1.2
Red Hat JBoss Enterprise Application Platform - Sensitive Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jboss"})Description
Red Hat JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 is susceptible to sensitive information disclosure. A remote attacker can obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks.
Remediation
Apply the necessary patches or updates provided by Red Hat to fix the vulnerability.
Red Hat Satellite Panel - Detect
runzero-match
service["http.body"] matches "(?i)redhat"Red Lion HMI - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?i)www\.redlion\.net`Description
Red Lion HMI web interface panel has been detected.
Redash Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "698624197"Description
Redash login panel was detected.
Redash Setup Configuration - Default Secrets Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "698624197"Description
Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.
Impact
An attacker can gain unauthorized access to sensitive information and potentially compromise the Redash application.
Remediation
Remove or update the default secrets in the Redash setup configuration file.
Redis Commander - Default Login
Author: DhiyaneshDKAdded: Nov 28, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Redis Commander"})Description
Redis Commander Default Login credentials were discovered.
Redis Enterprise - Detect
Author: tessAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Enterprise-Class Redis for Developers"})Redis Sandbox Escape - Remote Code Execution
runzero-match
service["service.transport"] == "tcp" and service["service.port"] == "6380" and service["protocol"] contains "redis"Description
This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The
vulnerability was introduced by Debian and Ubuntu Redis packages that
insufficiently sanitized the Lua environment. The maintainers failed to
disable the package interface, allowing attackers to load arbitrary libraries.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and compromise of the affected system.
Remediation
Update to the most recent versions currently available.
Redmine - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
service["product"] contains "Redmine:Redmine"Description
Detected Redmine project management application was found to have been using the default administrator credentials (admin:admin). An attacker could have gained full administrative access to manage projects, users, and system settings.
Redmine Login Panel - Detect
Author: righettodAdded: Mar 4, 2024
runzero-match
service["http.body"] matches "(?i)'content=\"Redmine'"Description
Redmine login panel was detected.
Regify Login Panel - Detect
Author: righettodAdded: Oct 23, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1817615343"Description
Regify Login Panel was detected.
Registrations for the Events Calendar < 2.7.6 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/registrations-for-the-events-calendar/"Description
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
Impact
Unauthenticated attackers can execute SQL injection through the event_id parameter, potentially extracting all Events Calendar registration data including attendee information.
Remediation
Fixed in 2.7.6
Reliable Controls MACH-Pro - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Reliable Controls"})Description
Reliable Controls MACH-ProWebSys is a web-based building controller for
HVAC, lighting, and energy management using BACnet/IP. These controllers
are widely deployed in commercial buildings across North America and are
often directly internet-facing with no VPN protection.
RemKon Device Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Remkon Device Manager"})Description
RemKon Device Manager login panel was detected.
Remedy Axis Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)BMC Remedy"Remote Spark Gateway Configuration/Credentials - Exposure
runzero-match
service["http.body"] matches "(?i)SparkView"Description
Remote Spark Gateway config found via /gateway.conf.
Remotely Registration Enabled
Author: ritikchaddhaAdded: Jan 22, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Remotely$"})Description
Checks if the Remotely self-hosted remote desktop and collaboration web application has its user registration endpoint enabled, potentially allowing anyone to register without invitation.
Impact
Enabling open registration on Remotely instances may allow unauthorized users to register and gain access to the application, depending on configuration.
Remediation
Disable open registration if not required by setting 'RequireInvitationCodeForRegistration' to true in the Remotely configuration.
Reolink E1 Zoom Camera <=3.0.0.716 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)reolink"})Description
Reolink E1 Zoom camera through 3.0.0.716 is susceptible to information disclosure. The web server discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. An attacker with network-level access to the camera can can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, potentially compromising user privacy and security.
Remediation
Upgrade the Reolink E1 Zoom Camera to a version higher than 3.0.0.716 to mitigate the information disclosure vulnerability (CVE-2021-40150).
Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Reolink"})Description
Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability.
Impact
An attacker can obtain the private key, potentially leading to unauthorized access and compromise of the camera.
Remediation
Upgrade the Reolink E1 Zoom Camera to a version higher than 3.0.0.716 to mitigate the vulnerability.
Reolink Panel - Detect
Author: s4e-ioAdded: Oct 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Reolink"})Description
Reolink panel was discovered.
Repetier Server - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)repetier-server"})Description
Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.
Impact
An attacker can read, modify, or delete arbitrary files on the server, potentially leading to unauthorized access, data leakage, or system compromise.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in Repetier Server.
Repetier Server Panel - Detect
Author: ritikchaddhaAdded: May 13, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)repetier-server"})Description
Repetier Server login panel detected.
Reportico Administration Page - Detect
Author: geeknikAdded: Dec 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)reportico administration page"})Description
Create a simple report using the designer front end in seconds from a single SQL statement. Add expressions, user criteria, charts, groups, aggregations, page headers, page footers, hyperlinks and even custom plugin code.
Reposilite >= 3.3.0, < 3.5.12 - Arbitrary File Read
runzero-match
service["favicon.ico.image.mmh3"] == "1212523028"Description
Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files. Reposilite has addressed this issue in version 3.5.12. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-074.
Impact
Unauthenticated attackers can exploit path traversal to read arbitrary files including the reposilite.db database file.
Remediation
Update Reposilite to version 3.5.12 or later.
Reposilite Login Panel - Detect
Author: righettodAdded: Jan 27, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)reposilite"})Description
Reposilite products was detected.
Reprise License Manager 14.2 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)reprise license manager" || service["http.body"] matches "(?i)reprise license"Description
Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
Impact
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the Reprise License Manager.
Remediation
Apply the latest security patch or upgrade to a patched version of Reprise License Manager to mitigate this vulnerability.
Reprise License Manager 14.2 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)reprise license"Description
Reprise License Manager 14.2 contains a reflected cross-site scripting vulnerability in the /goform/login_process 'username' parameter via GET, whereby no authentication is required.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
Remediation
Upgrade to a patched version of Reprise License Manager or apply the vendor-supplied patch to mitigate this vulnerability.
Reprise License Manager 14.2 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)Reprise License"Description
Reprise License Manager 14.2 contains a cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in Reprise License Manager 14.2.
Reprise License Manager 14.2 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)reprise license" || service["http.body"] matches "(?i)reprise license manager"Description
Reprise License Manager 14.2 is susceptible to information disclosure via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information. An attacker can possibly obtain further sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain sensitive information.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of Reprise License Manager.
Request Tracker - Panel
Author: bursoAdded: Apr 10, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "203612613"Description
Request Tracker panel was discovered.
Residential Gateway Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login - Residential Gateway"})Description
Residential Gateway login panel was detected.
RestroPress 3.0.0-3.2.1 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/restropress/"Description
RestroPress Online Food Ordering System WordPress plugin 3.0.0 to 3.1.9.2 contains an authentication bypass caused by exposure of user private tokens and API data via /wp-json/wp/v2/users endpoint, letting unauthenticated attackers forge JWT tokens and authenticate as other users including administrators, exploit requires no authentication.
Impact
Unauthenticated attackers can forge JWT tokens and authenticate as any user, including administrators, leading to full account takeover.
Remediation
Update to the latest version beyond 3.1.9.2.
Retool Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Retool"})Description
Retool login panel was detected.
RevPi Webstatus <= v2.4.5 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RevPi"})Description
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device
Impact
Unauthenticated attackers can bypass authentication through incorrect type conversion in the login mechanism, achieving complete device compromise.
Remediation
Upgrade RevPi Webstatus to version 2.4.6 or later that properly validates authentication credentials.
Revive Adserver 4.2 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "106844876" || any(each(service["html.titles"]), {# matches "(?i)revive adserver"})Description
Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g. serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Apply the latest security patches or upgrade to a newer version of Revive Adserver.
Revive Adserver <5.1.0 - Open Redirect
runzero-match
service["favicon.ico.image.mmh3"] == "106844876"Description
Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability could allow an attacker to redirect users to malicious websites, leading to phishing attacks or the execution of further attacks.
Remediation
Upgrade Revive Adserver to version 5.1.0 or later to mitigate this vulnerability.
Revive Adserver <=5.0.3 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)revive adserver"})Description
Revive Adserver 5.0.3 and prior contains a reflected cross-site scripting vulnerability in the publicly accessible afr.php delivery script. In older versions, it is possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script is printed back without proper escaping, allowing an attacker to execute arbitrary JavaScript code on the browser of the victim.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.
Remediation
There are currently no known exploits. As of 3.2.2, the session identifier cannot be accessed as it is stored in an http-only cookie.
Ricoh Web Image Monitor - Detect
Author: righettodAdded: Dec 16, 2024
runzero-match
service["http.body"] matches "(?i)Web Image Monitor"Description
Ricoh Web Image Monitor device was detected.
Ricoh Web Image Monitor - Reflected XSS
runzero-match
service["http.body"] matches "(?i)Web Image Monitor"Description
A reflected cross-site scripting vulnerability exists in the laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor. If exploited, an arbitrary script may be executed on the web browser of the user who accessed Web Image Monitor.
Impact
Attackers can execute malicious JavaScript in user browsers through the profile parameter, potentially leading to session hijacking and credential theft.
Remediation
Apply the security patch from Ricoh for affected Web Image Monitor implementations.
Riello Netman 204 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netman 204"}) || service["http.body"] matches "(?i)ups network management card 4" || any(each(service["html.titles"]), {# matches "(?i)netman"})Description
The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.
Impact
Unauthenticated attackers can exploit SQL injection to modify collected log data, extract sensitive information, and potentially gain complete control of the Netman 204 device through multiple vulnerable CGI endpoints.
Remediation
Apply security patches from Riello for Netman 204 firmware to address the SQL injection vulnerabilities in db_datalog_w.cgi, db_eventlog_w.cgi, and db_multimetr_w.cgi endpoints.
Riello UPS NetMan 204 Network Card - Default Login
Author: mabdullah22Added: Jun 12, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Netman"})Description
Default logins on Riello UPS NetMan 204 is used. Attacker can access to UPS and attacker can manipulate the UPS settings to disrupt the onsite systems.
Riello UPS NetMan 204 Panel - Detect
Author: s4e-ioAdded: Oct 4, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)netman 204"})Description
Riello UPS NetMan 204 login panel was detected.
RiteCMS - Default Login
Author: 0x_AkokoAdded: Oct 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ritecms"})Description
RiteCMS Default Credentials were discovered.
Rocket.Chat <=3.13 - NoSQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rocket\\.chat"})Description
Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, leading to unauthorized access, data manipulation, or denial of service.
Remediation
Upgrade Rocket.Chat to a version higher than 3.13 or apply the provided patch to mitigate the vulnerability.
RocketChat Login Panel - Detect
Author: righettodAdded: Feb 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Rocket\\.Chat"})Description
RocketChat login panel was detected.
Rockmongo Default Login
runzero-match
any(each(service["html.titles"]), {# matches "^RockMongo"})Description
Rockmongo default admin credentials were discovered.
Rockwell Automation FactoryTalk ViewPoint - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "FactoryTalk ViewPoint"Description
Rockwell Automation FactoryTalk ViewPoint is a web-based HMI that allows remote
monitoring and control of industrial automation systems from a browser. It provides
access to FactoryTalk View Machine Edition and Site Edition displays. Exposed
instances may allow unauthorised access to industrial control system visualisations.
Roxy File Manager - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)roxy file manager"})Description
Roxy File Manager panel was detected.
Roxy-WI - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)roxy-wi"Description
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the ssh_command function without processing the inputs received from the user in the /app/funct.py file.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Users are advised to upgrade to latest version.
Roxy-WI < 6.1.1.0 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)roxy-wi"Description
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Users are advised to upgrade to latest version.
Ruckus Wireless - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ruckus"})Description
Ruckus Wireless router contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Ruckus Wireless Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ruckus"})Description
Ruckus Wireless admin login panel was detected.
Ruckus Wireless Unleashed Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)unleashed login"})Description
Ruckus Wireless Unleashed login panel was detected.
Ruckus vRioT IoT Controller - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)RIoT Controller"Description
Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validate_token.py,letting unauthenticated attackers interact with the API without authentication.
Impact
Unauthenticated attackers can interact with the API without authentication via a hardcoded token, allowing complete control over the IoT controller and connected devices.
Remediation
Update to Ruckus vRioT version 1.5.1.0.22 or later.
Ruijie NBR Series Routers - Default Login
Author: pussycat0xAdded: Jul 4, 2024
runzero-match
service["http.body"] matches "(?i)上层网络出现异常,请检查外网线路或联系ISP运营商协助排查"Description
Ruijie NBR Series Routers Default Login username and password was discovered.
Ruijie RG-EG - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)请输入您的RG-EG易网关的用户名和密码"Description
Ruijie RG-EG easy gateway WEB management system front-end RCE has a command execution vulnerability. An attacker without identity authentication can execute arbitrary commands to control server permissions.
Ruijie RG-EW1200G Router Background - Login Bypass
runzero-match
service["http.body"] matches "(?i)app\\.2fe6356cdd1ddd0eb8d6317d1a48d379\\.css"Description
A vulnerability was found in Ruijie RG-EW1200G 07161417 r483. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/sys/login. The manipulation leads to improper authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-237518 is the identifier assigned to this vulnerability.
Impact
Attackers can bypass authentication on the Ruijie RG-EW1200G router through improper authentication checks in the login API, potentially gaining administrative access to the router and compromising network security.
Remediation
Update Ruijie RG-EW1200G firmware to a version newer than 07161417 r483 that implements proper authentication validation in the login API.
Ruijie RG-NBS2009G-P - Improper Authentication
runzero-match
service["http.body"] matches "(?i)ruijie\\.com\\.cn"Description
An issue in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release(9736) allows a remote attacker to gain privileges via the system/config_menu.htm.
Impact
Unauthenticated attackers can bypass authentication to gain administrative access and control the Ruijie switch configuration.
Remediation
Update Ruijie RG-NBS2009G-P firmware to a version that addresses CVE-2024-24116.
Ruijie RG-UAC Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)get_verify_info"Description
Ruijie RG-UAC login panel was detected.
Rundeck - Default Login
Author: karkis3cAdded: Aug 27, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Rundeck - Login"})Description
Rundeck default login was discovered.
Rundeck Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Rundeck"})Description
Rundeck login panel was detected.
RustDesk Web Client - Default login
Author: 0x_AkokoAdded: Jan 23, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RustDesk API Admin"})Description
Detected RustDesk Web Client Admin Console was using default credentials.
Rustfs - Detect
Author: icarotAdded: Mar 20, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)RustFS"})Description
Detects a Rustfs server, a high-performance, distributed object storage system built in Rust.
Rustici Content Controller Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Rustici Content Controller"})Description
Rustici Content Controller panel was detected.
SAP Analytics Cloud Panel - Detect
runzero-match
service["http.body"] matches "(?i)SAP Analytics Cloud"Description
SAP Analytics Cloud panel was detected.
SAP Knowledge Warehouse <=7.5.0 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
SAP Knowledge Warehouse 7.30, 7.31, 7.40, and 7.50 contain a reflected cross-site scripting vulnerability via the usage of one SAP KW component within a web browser.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.
Remediation
Upgrade to a patched version of SAP Knowledge Warehouse (>=7.5.1) to mitigate the XSS vulnerability.
SAP Management Console - Panel
Author: LRVT,l4rm4ndAdded: Feb 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SAP Management Console"})Description
Detected the SAP Management Console (SAP MC) web panel by requesting /sapmc/sapmc.html and checking for a gSOAP server header the page title.
SAP Memory Pipes (MPI) Desynchronization
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Impact
Successful exploitation of this vulnerability can result in unauthorized access to sensitive data and potential data leakage.
Remediation
Apply the latest security patches and updates provided by SAP to mitigate this vulnerability.
SAP NetWeaver - Backdoor Detection
Author: DhiyaneshDkAdded: Apr 26, 2025
runzero-match
service["http.body"] matches "(?i)SAP NetWeaver Application Server Java"Description
Detected a potential backdoor in SAP NetWeaver allowing unauthorized command execution.
SAP NetWeaver Application Server Java 7.5 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
SAP NetWeaver Application Server Java 7.5 is susceptible to local file inclusion in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access, data leakage, and potential system compromise.
Remediation
Apply the latest security patches and updates provided by SAP to fix the LFI vulnerability in SAP NetWeaver Application Server Java 7.5.
SAP NetWeaver Composition Environment Tools - Detect
Author: ap3rAdded: May 14, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
Detects the presence of the SAP NetWeaver Process Integration / Composition Environment Tools page
SAP NetWeaver SQL Injection Vulnerability
runzero-match
service["product"] contains 'SAP:NetWeaver Application Server'Description
SQL injection vulnerability in the UDDI server of the SAP NetWeaver J2EE Engine 7.40 allows remote attackers to
execute arbitrary SQL commands via unspecified vectors, as documented within SAP Security Note 2101079.
Remediation
Apply updates per vendor instructions.
SAP Solution Manager 7.2 - Remote Command Execution
runzero-match
service["favicon.ico.images.mmh3"] == "694811822"Description
SAP Solution Manager (SolMan) running version 7.2 has a remote command execution vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
Remediation
Apply the latest security patches provided by SAP to mitigate this vulnerability.
SAP SuccessFactors Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - sap successfactors"})Description
SAP SuccessFactors login panel was detected.
SAP xMII 15.0 for SAP NetWeaver 7.4 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-266008933"Description
SAP xMII 15.0 for SAP NetWeaver 7.4 is susceptible to a local file inclusion vulnerability in the GetFileList function. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to /Catalog, aka SAP Security Note 2230978.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.
Remediation
Apply the latest security patches and updates provided by SAP to mitigate the vulnerability.
SAS Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "957255151"Description
SAS login panel has been detected.
SAUTER moduWeb Vision Panel - Detect
Author: righettodAdded: May 30, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1663319756"Description
Sauter moduWeb Vision was detected.
SEH utnserver Pro/ProMAX/INU-100 20.1.22 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)utnserver Control Center"Description
A vulnerability was found in utnserver Pro, utnserver ProMAX, and INU-100 version 20.1.22 and earlier, affecting the device description parameter in the web interface. This flaw allows stored cross-site scripting (XSS), enabling attackers to inject JavaScript code. The attack can be executed remotely by tricking victims into visiting a malicious website, potentially leading to session hijacking. This vulnerability is publicly disclosed and identified as CVE-2024-5420.
Impact
Authenticated attackers can inject malicious JavaScript into the device description field, leading to stored XSS that can hijack user sessions when victims access the interface.
Remediation
Update SEH utnserver Pro/ProMAX/INU-100 to a version later than 20.1.22 that addresses the XSS vulnerability.
SEL Real-Time Automation Controller - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^SEL-RTAC"})Description
Schweitzer Engineering Laboratories (SEL) Real-Time Automation Controller (RTAC)
is a programmable automation controller used in electric utility and industrial
automation environments for protection, control, and automation. The web interface
exposes a management panel for configuration and monitoring.
SGP Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SGP"})Description
SGP login panel was detected.
SHOUTcast Server Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SHOUTcast Server"})Description
SHOUTcast Server panel was detected.
SKYSEA Client View Panel - Detect
Author: rxeriumAdded: Oct 15, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "385597939"Description
SKYSEA Client View panel was detected.
SOPlanning - Default Login
Author: s4e-ioAdded: May 7, 2024
runzero-match
service["http.body"] matches "(?i)soplanning"Description
SOPlanning contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
SOUND4 IMPACT/FIRST/PULSE/Eco <= 2.x - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1548359600"Description
The application suffers from an SQL Injection vulnerability. Input passed through the 'username' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File Disclosure
Author: arafatansariAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)SOUND4"Description
The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
SPIP - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)spip\\.php\\?page=backend"Description
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Apply the latest security patches or upgrade to a patched version of SPIP.
SQL Buddy Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SQL Buddy"})Description
SQL Buddy login panel was detected.
SQL Monitor - Discovery
runzero-match
service["http.body"] matches "(?i)sql monitor"Description
SQL Monitor was discovered.
SSH PrivX Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PrivX"})Description
SSH PrivX login panel was detected.
SSL VPN Session Hijacking
runzero-match
service["http.body.mmh3"] == "-1466805544"Description
An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
Impact
Unauthenticated attackers can hijack SSL VPN sessions by bypassing authentication mechanisms and gaining unauthorized access to the VPN.
Remediation
Update SonicWall to a version that patches CVE-2024-53704 as specified in PSIRT advisory SNWLID-2025-0003.
STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jira"})Description
STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjCustomDesignConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server.
Remediation
Upgrade STAGIL Navigation for Jira Menu & Themes to version 2.0.52 or higher to fix the Local File Inclusion vulnerability.
STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jira"})Description
STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server.
Remediation
Upgrade STAGIL Navigation for Jira Menu & Themes to version 2.0.52 or higher to fix the Local File Inclusion vulnerability.
SUNGROW Logger1000 Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)logger"})Description
SUNGROW (Solar Energy Inverter Monitoring Devices) Logger1000 panel was detected.
SUSE Manager Server - Panel
Author: darsesAdded: Jul 30, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SUSE Manager - Sign In"}) || any(each(service["html.titles"]), {# matches "(?i)SUSE Multi-Linux Manager - Sign In"}) || any(each(service["html.titles"]), {# matches "(?i)Uyuni - Sign In"}) || service["favicon.ico.image.mmh3"] == "1158194469"Description
SUSE Manager login panel detected.
SafeNet Authentication Login Panel - Detect
Author: righettodAdded: Mar 25, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Self Enrollment"})Description
SafeNet Authentication Service Self Enrollment login panel was detected.
Sage X3 Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sage x3"})Description
Sage X3 login panel was detected.
Saia PCD Web Server Panel - Detect
Author: DhiyaneshDkAdded: Oct 7, 2024
runzero-match
service["http.body"] matches "(?i)Saia PCD Web Server"Description
Saia PCD Web Server panel was detected.
SaltStack <=3002 - Shell Injection
runzero-match
service["json.return"] == "Welcome"Description
SaltStack Salt through 3002 allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt-API using the SSH client.
Impact
Unauthenticated attackers can execute arbitrary shell commands via the Salt API, leading to complete server compromise and access to all managed systems.
Remediation
Upgrade to a patched version of SaltStack (>=3003) to mitigate this vulnerability.
SaltStack Config Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SaltStack Config"})Description
SaltStack config panel was detected.
Samsung MagicINFO Panel - Detect
Author: s4e-ioAdded: Aug 22, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)MagicINFO"})Description
Samsung MagicINFO panel was discovered.
Samsung Printer - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "SyncThru Web Service"})Description
Samsung printers contain a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Sanity Studio Panel - Detect
Author: Shivam KambojAdded: Jan 12, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Sanity Studio"})Description
Sanity Studio panel was detected. Sanity is a headless CMS platform.
Sante PACS Server.exe - Path Traversal Information Disclosure
runzero-match
service["favicon.ico.image.mmh3"] == "1185161484"Description
A Path Traversal Information Disclosure vulnerability exists in "Sante PACS Server.exe". An unauthenticated remote attacker can exploit it to download arbitrary files on the disk drive where the application is installed.
Impact
Unauthenticated attackers can exploit path traversal to download arbitrary files from the server, potentially exposing sensitive patient data, credentials, and configuration files.
Remediation
Upgrade to Sante PACS Server version 4.1.1 or later that properly validates file paths.
Satellian Intellian Aptus Web <= 1.24 - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)intellian aptus web"})Description
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Upgrade to a patched version of Satellian Intellian Aptus Web (version > 1.24).
Satis Composer Repository - Detect
runzero-match
service["http.body"] matches "(?i)<a href=\\\\"Description
Satis composer repository was detected
Sato - Default Login
Author: y0noAdded: Oct 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Sato"})Description
Sato using default credentials was discovered.
SawtoothSoftware Lighthouse Studio < 9.16.14 - Pre-Auth Remote Code Execution
runzero-match
service["http.body"] matches "(?i)Lighthouse Studio"Description
A pre-authentication remote code execution vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14. The issue arises from the unsafe use of the `eval` function within the Perl CGI component `ciwweb.pl`, where attacker-supplied input inside `hid_Random_ACARAT` is directly passed to `eval`. This allows remote unauthenticated attackers to execute arbitrary Perl code on the server.
Impact
Unauthenticated attackers can execute arbitrary Perl code through the hid_Random_ACARAT parameter due to unsafe eval usage, achieving complete server compromise.
Remediation
Upgrade to Sawtooth Software Lighthouse Studio version 9.16.14 or later that removes unsafe eval usage in ciwweb.pl.
ScadaBR - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)ScadaBR Software"Description
ScadaBR is an open-source SCADA system based on Mango Automation, widely
used in Brazil and Latin America for industrial monitoring. The "powered by
Mango" tagline in the title is a unique identifier. Instances are often
internet-facing without authentication controls.
Scan2Net - Panel
Author: matejsmyckaAdded: Sep 18, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1780061475" || any(each(service["html.titles"]), {# matches "(?i)Scan2Net"})Description
Scan2Net Login was detected. This software is used to manage ImageAccess devices.Universities and public institutions often use ImageAccess devices.
Schneider Electric ClearSCADA - Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches `(?:ClearSCADA|Geo SCADA Expert) Home`Description
ClearSCADA (now branded as EcoStruxure Geo SCADA Expert) is a Schneider Electric
SCADA platform used in water, oil and gas, and utilities sectors. Exposed instances
may provide unauthenticated access to industrial process data and control interfaces.
Schneider Electric EcoStruxure Link150 Default Login
runzero-match
asset["hw_product"] matches `LINK150` || any(each(service["html.titles"]), {# matches `Schneider Electric`}) && any(each(service["vscan.technologies"]), {# matches `schneider-electric-ecostruxure`})Description
Schneider Electric EcoStruxure Link150 Ethernet Gateway with default administrator credentials discovered.
Schneider Electric Pelco VideoXpert Enterprise 2.0 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VideoXpert"})Description
Schneider Electric Pelco VideoXpert Enterprise versions 2.0 and prior contain a directory traversal caused by insufficient input validation, letting unauthorized persons view web server files, exploit requires no authentication.
Impact
Unauthenticated attackers can view web server files and directories, potentially exposing sensitive configuration files, credentials, and system information.
Remediation
Apply security updates provided by Schneider Electric or upgrade to a non-vulnerable version.
Schneider Electric PowerLogic PM8000 Default Login
runzero-match
any(each(service["tls.cn"]), {# matches `(?i)PM8000-`}) || any(each(service["tls.names"]), {# matches `(?i)pm8000-`}) || any(each(service["service.vhost"]), {# matches `(?i)PM8000-`}) || (asset["hw"] matches `Schneider\s+Electric\s+PowerLogic\s+Power\s+Meter` && any(each(service["http.head.location"]), {# matches `/web/resources/monitoring.html`}))Description
Schneider Electric PowerLogic PM8000 Power Quality Meter with default User1/0 credentials discovered.
Schneider TAC Vista - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "TAC Vista Webstation"})Description
Schneider TAC Vista building automation panel has been detected.
Scramble Laravel - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches `(?i)Login\s*[\p{Pd}|]?\s*Laravel`})Description
Scramble for Laravel >= 0.13.2 and < 0.13.22 contains a remote code execution caused by evaluation of user-controlled input in validation rules during documentation generation, letting remote attackers execute arbitrary PHP code, exploit requires publicly accessible documentation endpoints.
Impact
Remote attackers can execute arbitrary PHP code, potentially leading to full application compromise.
Remediation
Upgrade to version 0.13.22 or later.
Scribble Diffusion Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Scribble Diffusion"})Description
A tool to turn your rough sketch into a refined image using AI.
ScriptCase Panel Detect
Author: Ricardo Maia (Brainfork)Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ScriptCase"})ScriptCase Production Environment Login
Author: Ricardo Maia (Brainfork)Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ScriptCase"})Seafile Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1552322396"Description
Seafile panel was detected.
Seagate NAS Login - Detect
Author: JustaAcatAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)seagate nas - seagate"})Description
Seagate NAS - SEAGATE Login was detected.
Seagate NAS OS 4.3.15.1 - Server Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)seagate nas - seagate"})Description
Seagate NAS OS version 4.3.15.1 has insufficient access control which allows attackers to obtain information about the NAS without authentication via empty POST requests in /api/external/7.0/system.System.get_infos.
Impact
An attacker can gain sensitive information about the server, potentially leading to further attacks.
Remediation
Upgrade to a patched version of Seagate NAS OS.
SecurEnvoy Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securenvoy"})Description
SecurEnvoy login panel was detected.
SecurEnvoy Two Factor Authentication - LDAP Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SecurEnvoy"})Description
Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
Impact
Unauthenticated attackers can exploit LDAP injection to exfiltrate sensitive Active Directory data including cleartext LAPS passwords.
Remediation
Update SecurEnvoy MFA to version 9.4.514 or later.
Securden Unified PAM - Authentication Bypass
Author: DhiyaneshDk,pussycat0x,iamnoooob,pdresearchAdded: Aug 28, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1798893256"Description
An authentication bypass vulnerability exists which allows an unauthenticated attacker to control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens stored by the Unified PAM.
Impact
Unauthenticated attackers can control administrator backup functions to compromise passwords, secrets, and application session tokens stored in Unified PAM.
Remediation
Upgrade Securden Unified PAM to the latest version that implements proper authentication checks on backup functions.
Secure Login Service Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Secure Login Service"})Description
Secure Login Service login panel was detected.
SecurePoint UTM 12.x Session ID Leak
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securepoint utm"})Description
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or perform actions on behalf of the user.
Remediation
Upgrade to version 12.2.5.1 or newer
Securepoint UTM - Leaking Remote Memory Contents
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securepoint utm"})Description
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information stored in the device's memory.
Remediation
Apply the latest security patches and updates provided by Securepoint to fix the memory leakage issue.
Security Onion Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)security onion"})Description
Security Onion is a free and open source Linux distribution for intrusion detection, security monitoring, and log management. It includes CyberChef, NetworkMiner, and many other security tools.
SecuritySpy Camera Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SecuritySpy"})Description
SecuritySpy Camera panel was detected.
SeedDMS Default Login
runzero-match
any(each(service["html.titles"]), {# matches "SeedDMS"})Description
SeedDMS default admin credentials were discovered.
SeedDMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)seeddms"})Description
SeedDMS login panel was detected.
Seeyon OA A6 setextno.jsp - SQL Injection
runzero-match
service["http.body"] matches "(?i)yyoa"Description
Seeyon OA A6 initDataAssess.jsp has leaked user sensitive information,You can blast the user password through the obtained username to enter the background for further attacks
Selenium Grid Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Selenium Grid"})Description
Selenium Grid panel was detected.
SelfCheck System Manager - Panel
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SelfCheck System Manager"})Sensei LMS < 4.24.2 - Email Template Leak
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sensei-lms"Description
The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates.
Impact
Unauthenticated attackers can access and leak email templates through unprotected REST API endpoints, potentially exposing sensitive information included in email communications and template configurations.
Remediation
Update Sensei LMS plugin to version 4.24.2 or later to address the REST API protection issue.
Sensu by Sumo Logic Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-749942143"Description
Sensu by Sumo Logic login panel was detected.
SentinelOne Management Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SentinelOne - Management Console"})Description
SentinelOne Management Console login panel was detected.
Sentry Login Panel
Author: righettodAdded: Feb 2, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login \\| sentry"})Description
Sentry login panel was detected.
SequoiaDB Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SequoiaDB"})Description
SequoiaDB login panel was detected.
Serge Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Serge - Powered by LLaMa"})Description
Serge is a web interface for chatting with Alpaca through llama.cpp. This template detects the presence of a Serge chat interface.
Server Backup Manager SE Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Server Backup Manager SE"})Description
Server Backup Manager SE login panel was detected.
Service Finder Bookings - Authentication Bypass
runzero-match
service["http.body"] contains "/wp-content/plugins/sf-booking"Description
Service Finder Bookings WordPress plugin <= 6.0 contains a privilege escalation caused by improper validation of user cookie in service_finder_switch_back() function, letting unauthenticated attackers login as any user including admins.
Impact
Unauthenticated attackers can login as any user, including administrators, leading to full system compromise.
Remediation
Update to the latest version beyond 6.0.
ServiceNow - Incomplete Input Validation
runzero-match
service["favicon.ico.image.mmh3"] == "1701804003" || any(each(service["html.titles"]), {# matches "(?i)servicenow"})Description
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Impact
Attackers can exploit this vulnerability to compromise system security.
Remediation
Apply security patches to address CVE-2024-5217.
ServiceNow Login Panel - Detect
Author: righettodAdded: Nov 1, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1701804003" || any(each(service["html.titles"]), {# matches "(?i)servicenow"})Description
ServiceNow Login Panel was detected.
ServiceNow UI Macros - Template Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1701804003" || any(each(service["html.titles"]), {# matches "(?i)servicenow"})Description
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Impact
Unauthenticated attackers can exploit SSTI to execute arbitrary code on ServiceNow servers.
Remediation
Apply security patches for ServiceNow as per KB1644293 and KB1645154.
SevOne NMS Network Manager
Author: pussycat0xAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SevOne NMS - Network Manager"})ShardingSphere ElasticJob UI Panel
runzero-match
service["favicon.ico.image.mmh3"] == "816588900"Description
An ShardingSphere ElasticJob UI panel was detected.
Sharefile Login - Panel
Author: irshad ahamedAdded: Jul 11, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sharefile login"})Description
ShareFile is a cloud-based file sharing and collaboration platform that provides secure access to files from anywhere.
Shell In A Box - Detect
Author: irshad ahamedAdded: Jul 1, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-629968763"Description
Shell In A Box implements a web server that can export arbitrary command line tools to a web based terminal emulator
Shield Security WP Plugin <= 18.5.9 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-simple-firewall"Description
The Shield Security Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Impact
Unauthenticated attackers can exploit local file inclusion via render_action_template to execute arbitrary PHP code, potentially compromising the entire WordPress installation.
Remediation
Update Shield Security plugin to version 18.5.10 or later.
Shiziyu CMS Api Controller - SQL Injection
runzero-match
service["http.body"] matches "(?i)/seller\\.php\\?s=/Public/login"Description
Shiziyu CMS ApiController.class.php parameter filtering is not rigorous, resulting in SQL injection vulnerability.
ShokoServer System - Local File Inclusion (LFI)
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Shoko WEB UI"})Description
ShokoServer is a media server which specializes in organizing anime. In affected versions the `/api/Image/WithPath` endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter `serverImagePath`, which is not sanitized in any way before being passed to `System.IO.File.OpenRead`, which results in an arbitrary file read.
Impact
This issue may lead to an arbitrary file read which is exacerbated in the windows installer which installs the ShokoServer as administrator. Any unauthenticated attacker may be able to access sensitive information and read files stored on the server.
Remediation
The `/api/Image/WithPath` endpoint has been removed in commit `6c57ba0f0` which will be included in subsequent releases. Users should limit access to the `/api/Image/WithPath` endpoint or manually patch their installations until a patched release is made. This issue was discovered by the GitHub Security lab and is also indexed as GHSL-2023-191.
ShortPixel Adaptive Images < 3.6.3 - Cross Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/shortpixel-adaptive-images/"Description
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against any high privilege users such as admin
Impact
Unauthenticated attackers can inject malicious JavaScript to steal high-privilege user session cookies including administrator credentials.
Remediation
Fixed in version 3.6.3
ShowDoc Panel Detection
runzero-match
service["http.body"] matches "(?i)showdoc"Description
ShowDoc panel was detected. ShowDoc was a tool for documenting APIs and interfaces.
Sidekiq < 7.0.8 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sidekiq"})Description
An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system.
Impact
Unauthenticated attackers can inject malicious JavaScript through the period parameter in Sidekiq metrics endpoints, potentially stealing administrator session cookies and accessing sensitive job queue information and worker statistics.
Remediation
Update Sidekiq to version 7.0.8 or later that properly sanitizes the period parameter and encodes output in the metrics dashboard.
Sidekiq Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sidekiq"})Description
Sidekiq Dashboard panel was detected.
Siemens SIMATIC HMI Miniweb - Default Login
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
any(each(service["html.titles"]), {# matches "Miniweb Start Page"})Description
Identified Siemens SIMATIC HMI MiniWeb interfaces that were accessible using default credentials.These interfaces are used to remotely monitor and control Human-Machine Interface (HMI) panels deployed in industrial environments. Leaving the default login in place posed a significant risk to operational technology (OT) systems.
Signet Explorer Dashboard - Detect
runzero-match
service["http.body"] matches "(?i)mempool-space"Description
Signet Explorer Dashboard was detected.
SillyTavern Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SillyTavern"})Description
SillyTavern was detected. SillyTavern is a character-based AI roleplay and chat frontend that connects to local or remote LLM backends. Exposed instances may allow unauthenticated access to AI models and conversation history.
SimpleHelp <= 5.5.7 - Unauthenticated Path Traversal
runzero-match
service["http.body"] matches "(?i)SimpleHelp"Description
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.
Impact
Unauthenticated attackers can exploit path traversal to download server configuration files containing secrets, hashed passwords, and other sensitive information.
Remediation
Update SimpleHelp to version 5.5.8 or later to address the path traversal vulnerabilities.
Sitecore - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sitecore"})Description
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
Impact
Unauthenticated attackers can execute arbitrary code on Sitecore servers through the XAML parser by injecting malicious ASP.NET markup, potentially compromising the entire content management system and accessing sensitive customer data.
Remediation
Apply Sitecore security patches as outlined in KB1002979 for Experience Manager, Experience Platform, and Experience Commerce versions through 10.3.
Sitecore CMS - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)Sitecore"Description
Sitecore CMS contains a cross-site scripting vulnerability via the "special way" of displaying XML Controls directly, which allows for a Cross Site Scripting Attack.
Impact
Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, credentials, or performing actions on behalf of users.
Remediation
Update to a patched version of Sitecore CMS or apply vendor security updates.
Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sitecore"})Description
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Impact
Unauthenticated attackers can use hardcoded credentials to access administrative API endpoints over HTTP, potentially compromising the entire Sitecore platform.
Remediation
Apply the security patch as described in Sitecore KB1003667 and change all default credentials immediately.
Sitecore Experience Platform <= 10.4 - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sitecore"})Description
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
Impact
Unauthenticated attackers can read arbitrary files from the Sitecore server, potentially exposing sensitive configuration and credentials.
Remediation
Update Sitecore Experience Platform to a version that patches CVE-2024-46938.
Sitecore Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Welcome to Sitecore"})Description
Sitecore login panel was detected.
Sitefinity Login
Author: dhiyaneshDKAdded: Apr 27, 2023
runzero-match
service["product"] contains "Progress:Sitefinity"Description
This template identifies the Sitefinity login page.
Skeepers Login Panel - Detect
Author: righettodAdded: Mar 13, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Skeepers"})Description
Skeepers login panel was detected.
Skyvern Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Skyvern"})Description
Skyvern is an open-source AI agent that automates browser-based workflows using
LLMs and computer vision
Smart s200 Management Platform v.S200 - SQL Injection
runzero-match
service["http.body"] matches "(?i)Smart管理平台"Description
SQL Injection vulnerability in Baizhuo Network Smart s200 Management Platform v.S200 allows a local attacker to obtain sensitive information and escalate privileges via the /importexport.php component.
Impact
Authenticated attackers can extract sensitive database information via SQL injection in the importexport.php component.
Remediation
Update Smart s200 Management Platform to a version that addresses CVE-2024-27718.
SmartPing Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SmartPing Dashboard"})Description
SmartPing Dashboard panel was detected.
SmartSearchWP < 2.4.6 - OpenAI Key Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/smartsearchwp"Description
The plugin does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.
Impact
Unauthenticated attackers can retrieve and decode the OpenAI API key through an unsecured REST endpoint, potentially incurring API usage costs and data exposure.
Remediation
Update SmartSearchWP plugin to version 2.4.6 or later to address the API key disclosure vulnerability.
SmarterMail Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SmarterMail"})Description
SmarterMail login panel was detected.
Social Auto Poster <= 5.3.14 - Stored Cross-Site Scripting
runzero-match
service["product"] contains "WPWeb Infotech:Social Auto Poster"Description
Social Auto Poster plugin for WordPress versions up to 5.3.14 contains a stored cross-site scripting caused by insufficient sanitization and escaping of 'mapTypes' parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function, letting unauthenticated attackers inject and execute arbitrary scripts when users access affected pages.
Impact
Attackers can execute arbitrary scripts in users' browsers, potentially leading to session hijacking, defacement, or redirection.
Remediation
Update to the latest version of the plugin where the vulnerability is fixed.
SoftEther VPN Admin Console - Default Login
Author: bhutchAdded: May 14, 2024
runzero-match
any(each(service["html.titles"]), {# matches "SoftEther VPN Server"})Description
The administrative password for the SoftEther VPN Server is blank.
SoftEther VPN Panel - Detect
Author: bhutchAdded: Mar 20, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SoftEther VPN Server"})Description
SoftEther VPN panel was detected.
Solar-Log - Monitoring Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Solar-Log"})Description
Solar-Log is a solar plant monitoring system by Solare Datensysteme GmbH (Germany)
used for PV system monitoring, yield optimisation, and fault detection. The web
interface is commonly exposed on port 80, 81, or non-standard ports.
SolarEdge Monitoring - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^SolarEdge"})Description
SolarEdge Telematics monitoring panel has been detected.
SolarView 6.00 - Remote Command Execution
runzero-match
service["favicon.ico.image.mmh3"] == "-244067125"Description
SolarView Compact 6.00 is vulnerable to a command injection via network_test.php.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
Remediation
Apply the latest patch or upgrade to a non-vulnerable version of SolarView.
SolarView Compact 6.00 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)solarview compact" || service["favicon.ico.image.mmh3"] == "-244067125"Description
SolarView Compact 6.00 was discovered to contain a command injection vulnerability, attackers can execute commands by bypassing internal restrictions through downloader.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the system.
Remediation
Apply the latest patch or update provided by the vendor to fix the OS command injection vulnerability in SolarView Compact 6.00.
SolarView Compact 6.00 - OS Command Injection
runzero-match
service["http.body"] matches "(?i)solarview compact"Description
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the system.
Remediation
Apply the latest patch or update provided by the vendor to fix the OS command injection vulnerability in SolarView Compact 6.00.
SolarView Compact <= 6.00 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)solarview compact"Description
There is an arbitrary read file vulnerability in SolarView Compact 6.00 and below, attackers can bypass authentication to read files through texteditor.php
Impact
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Upgrade to a patched version of SolarView Compact or apply the vendor-provided security patch to mitigate the LFI vulnerability.
SolarView Compact Panel - Detect
runzero-match
service["http.body"] matches "(?i)solarview compact" || service["favicon.ico.image.mmh3"] == "-244067125"Description
SolarView Compact panel was detected.
SolarWinds ARM (Access Rights Manager) - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1416464161"Description
SolarWinds ARM login panel was detected.
SolarWinds Orion API - Auth Bypass
runzero-match
service["product"] contains "SolarWinds:Orion"Description
SolarWinds Orion API is vulnerable to an authentication bypass vulnerability that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the SolarWinds Orion system.
Remediation
Apply the necessary patches or updates provided by SolarWinds to fix the authentication bypass vulnerability.
SolarWinds Orion Default Login
runzero-match
any(each(service["html.titles"]), {# matches "SolarWinds Orion"})Description
SolarWinds Orion default admin credentials were discovered.
SolarWinds Security Event Manager - Unauthenticated RCE
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SolarWinds Security Event Manager"})Description
The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.
Impact
Unauthenticated attackers on the adjacent network can execute arbitrary code remotely on the SolarWinds Security Event Manager, leading to complete system compromise and potential access to all security event data.
Remediation
Upgrade to SolarWinds Security Event Manager version 2023.4.1 or later.
SolarWinds Serv-U - Directory Traversal
runzero-match
service["http.body"] matches "(?i)Serv-U"Description
SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
Impact
Attackers can traverse directories and access sensitive files outside the intended directory structure.
Remediation
Update SolarWinds Serv-U to a version that patches the directory traversal vulnerability.
SolarWinds Web Help Desk - Authentication Bypass
runzero-match
service["product"] contains "SolarWinds:Web Help Desk"Description
SolarWinds Web Help Desk 12.8.8 HF1 and earlier contains an authentication bypass vulnerability in the WebObjects session handling. By crafting a request with a manipulated path component to an internal admin page endpoint, an unauthenticated attacker can access privileged administrative functions including authentication configuration settings, SAML/CAS setup, and API key management.
Impact
An attacker can bypass authentication and access administrative configuration pages, potentially leading to full system compromise through authentication method manipulation.
Remediation
Update to Web Help Desk version 2026.1 or later.
SolarWinds Web Help Desk - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1895809524"Description
SolarWinds Web Help Desk contains an authentication bypass vulnerability caused by improper access control, letting attackers execute protected actions without authentication, exploit requires no special conditions.
Impact
Attackers can execute protected actions without authentication, potentially compromising system integrity and data security.
Remediation
Update to the latest version of SolarWinds Web Help Desk.
SolarWinds Web Help Desk - Hardcoded Credential
runzero-match
service["favicon.ico.image.mmh3"] == "1895809524"Description
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
Impact
Attackers with knowledge of the hardcoded credentials can gain unauthorized access to the SolarWinds Web Help Desk system.
Remediation
Update SolarWinds Web Help Desk to a version that removes the hardcoded credentials.
SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization
runzero-match
service["product"] contains "SolarWinds:Web Help Desk"Description
SolarWinds Web Help Desk before version 12.8.3 contain a critical Java deserialization vulnerability that enables remote code execution. Attackers can exploit this flaw to execute arbitrary commands on the host machine. Initially reported as unauthenticated, SolarWinds was unable to reproduce without authentication but still recommended immediate patching. With a CVSS score of 9.8, this vulnerability was discovered by Inmarsat Government researchers and added to CISA's Known Exploited Vulnerabilities Catalog due to active exploitation in the wild. The complete attack vector requires low complexity and has high impact on confidentiality, integrity, and availability. This vulnerability was later bypassed, leading to CVE-2024-28988 and subsequently CVE-2025-26399. Fixed in version 12.8.3 Hotfix 1.
Impact
Attackers can execute arbitrary commands on the host machine, potentially leading to full system compromise.
Remediation
Apply the available patch provided by SolarWinds.
SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
runzero-match
service["product"] contains "SolarWinds:Web Help Desk"Description
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
Impact
Attackers can gain access to certain restricted functionality.
Remediation
Apply the available 12.8.8 Hotfix 1 (HF1) or upgrade to version 2026.1.
Solara <1.35.1 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-223126228"Description
A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.
Impact
Unauthenticated attackers can exploit LFI to read arbitrary files from the local filesystem.
Remediation
Update Solara to version 1.35.1 or later.
Somansa DLP Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)DLP system"Description
Somansa DLP login panel was detected.
Sonar Poller Login - Panel Detect
runzero-match
service["http.body"] matches "(?i)Sonar Poller"Description
Sonar Poller login/interface was discovered.
SonarQube Default Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "SonarQube"})Description
SonarQube contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nexus repository manager"})Description
Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade Sonatype Nexus Repository Manager to a version higher than 3.15.0.
Sonatype Nexus Repository Manager 3 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nexus repository manager"})Description
Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.
Impact
Unauthenticated attackers can read arbitrary system files via path traversal in Sonatype Nexus Repository.
Remediation
Update Sonatype Nexus Repository 3 to version 3.68.1 or later.
Sonatype Nexus Repository Manager 3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nexus repository manager"})Description
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Sonatype Nexus Repository Manager 3.
SonicWall Analyzer Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sonicwall analyzer login"})Description
SonicWall Analyzer login panel was detected.
SonicWall Appliance Management Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)appliance management console login"})Description
SonicWall Appliance Management Console login panel was detected.
SonicWall GMS and Analytics - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1381126564"Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SonicWall GMS and Analytics allows an unauthenticated attacker to extract sensitive information from the application database. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
Remediation
Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
SonicWall Network Security Login - Detect
Author: JustaAcatAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sonicwall network security login"})Description
SonicWall Network Security Login panel was detected.
SonicWall SMA1000 LFI
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Appliance Management Console Login"})Description
Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the affected device, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest security patches or firmware updates provided by SonicWall to mitigate this vulnerability.
Sonicwall - Pre-Authentication Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)SonicWall\" html:\"SMA"Description
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
Impact
Unauthenticated attackers can read arbitrary files from the SonicWall SMA100 filesystem including configuration files, logs, and sensitive data, potentially leading to further exploitation or complete system compromise.
Remediation
Upgrade to the latest patched version of SonicWall SMA100 or apply vendor-provided security updates.
Sophos Firewall <=18.5 MR3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sophos"})Description
Sophos Firewall version v18.5 MR3 and older contains an authentication bypass vulnerability in the User Portal and Webadmin which could allow a remote attacker to execute code.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete compromise of the firewall.
Remediation
Upgrade to a patched version of Sophos Firewall (>=18.5 MR4) to mitigate this vulnerability.
Sophos Firewall Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sophos"})Description
Sophos Firewall login panel was detected.
Sophos Mobile Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sophos mobile"}) || service["favicon.ico.image.mmh3"] == "-1274798165"Description
Sophos Mobile panel was detected.
Sophos Web Appliance
Author: DhiyaneshDkAdded: Apr 27, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-893681401" || any(each(service["html.titles"]), {# matches "(?i)sophos web appliance"})Sound4 IMPACT/FIRST/PULSE/Eco <=2.x - Authentication Bypass
Author: r3Y3r53Added: Oct 17, 2023
runzero-match
service["http.body"] matches "(?i)SOUND4"Description
The application suffers from an SQL Injection vulnerability. Input passed through the 'password' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.
SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)spacelogic c-bus"Description
SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to remote command execution via improper neutralization of special elements. Remote root exploit can be enabled when the command is compromised, and an attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control without entering necessary credentials.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
Remediation
Upgrade SpaceLogic C-Bus Home Controller to a version higher than 1.31.460 to mitigate this vulnerability.
SpaceLogic C-Bus Home Panel - Detect
Author: ritikchaddhaAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)spacelogic c-bus"Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 - Unauthenticated Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/plugin/cleantalk-spam-protect/"Description
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.
Impact
Unauthenticated attackers can extract database contents via time-based blind SQL injection through User-Agent header manipulation, potentially exposing all WordPress user data.
Remediation
Fixed in 5.153.4
Speedtest Panel - Detection
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Speedtest Tracker"})Description
Speedtest panel was discovered
SphinxOnline Panel - Detect
Author: righettodAdded: Oct 3, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Connection - SphinxOnline"})Description
SphinxOnline Login Panel was detected.
Splunk - Default Password
Author: pussycat0xAdded: Dec 1, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Splunk"})Description
Splunk Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
Splunk <=7.0.1 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - splunk"})Description
Splunk through 7.0.1 is susceptible to information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information.
Remediation
Upgrade Splunk to a version higher than 7.0.1 to mitigate the vulnerability.
Splunk Enterprise - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Login \\| Splunk"Description
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
Impact
Attackers can perform path traversal to access sensitive filesystem locations on Splunk Enterprise for Windows.
Remediation
Update Splunk Enterprise to version 9.2.2, 9.1.5, or 9.0.10 or later.
Splunk Enterprise Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - splunk"})Description
Splunk Enterprise login panel was detected.
Splunk MCP Server IDE Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "^Splunk MCP Server"})Description
Splunk MCP Server IDE login interface was discovered.
Splunk SOAR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Splunk SOAR"})Description
Splunk SOAR login panel was detected.
SpotWeb Login Panel - Detect
Author: theamanrawatAdded: Jun 5, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)spotweb - overview"})Spotweb <= 1.5.1 - Cross Site Scripting (Reflected)
runzero-match
any(each(service["html.titles"]), {# matches "(?i)spotweb - overview"})Description
There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remote attackers to inject arbitrary web script or HTML via the data[performredirect] parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, potentially leading to session hijacking, data theft, or other attacks.
Remediation
Fixed in version 1.5.2
Spring Cloud Config Server - Local File Inclusion
runzero-match
service["favicon.ico.images.mmh3"] == "116323821"Description
Spring Cloud Config Server versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request using a specially crafted URL that can lead to a local file inclusion attack.
Impact
An attacker can exploit this vulnerability to read arbitrary files from the server, potentially leading to unauthorized access or sensitive information disclosure.
Remediation
Upgrade to a patched version of Spring Cloud Config Server or apply the recommended security patches.
SqWebMail Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SqWebMail"})Description
SqWebMail login panel was detected.
Squid End-of-Life - Detect
Author: Shivam KambojAdded: Mar 5, 2026
runzero-match
service["product"] contains "Squid Cache:Squid"Description
Detected Squid proxy versions that have reached End-of-Life (EOL) and no longer receive security updates.
Squid Proxy - HTTP Authentication Credentials Disclosure
runzero-match
service["http.head.server"] matches `(?i)squid/`Description
Squid versions prior to 7.2 fail to redact HTTP authentication credentials in error page responses. The Authorization header value is embedded in plain text inside the mailto: diagnostic block when Squid generates an error page (e.g. ERR_DNS_FAIL).
Impact
Attackers can extract tokens and credentials used by trusted clients or backend applications proxied through Squid.
Remediation
Update to the version 7.2+ or disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
Squidex Headless CMS Panel - Detect
Author: johnk3rAdded: Feb 13, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "1099097618"Description
Squidex is an open source headless CMS and content management hub.
SquirrelMail 1.2.11 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1511806001" || any([service["http.body"], service["last.http.body"]], {# matches "(?i)squirrelmail"})Description
SquirrelMail 1.2.11 is vulnerable to local file inclusion.
SquirrelMail 1.2.6/1.2.7 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1511806001" || any([service["http.body"], service["last.http.body"]], {# matches "(?i)squirrelmail"})Description
The Virtual Keyboard plugin for SquirrelMail 1.2.6/1.2.7 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.
Remediation
Upgrade to a patched version of SquirrelMail or apply the necessary security patches to mitigate the XSS vulnerability.
SquirrelMail Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1511806001" || any([service["http.body"], service["last.http.body"]], {# matches "(?i)squirrelmail"})Description
SquirrelMail login panel was detected.
Squirrelmail <=1.4.6 - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "1511806001" || any([service["http.body"], service["last.http.body"]], {# matches "(?i)squirrelmail"})Description
SquirrelMail 1.4.6 and earlier versions are susceptible to a PHP local file inclusion vulnerability in functions/plugin.php if register_globals is enabled and magic_quotes_gpc is disabled. This allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter.
Impact
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Upgrade Squirrelmail to a version higher than 1.4.6 or apply the necessary patches to fix the LFI vulnerability.
Stackposts Social Marketing Tool v1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)stackposts"Description
SQL Injection is a type of SQL injection attack in which an attacker can exploit a vulnerability in a web application's input fields to manipulate the application's SQL queries.
Star Micronics Network Utility Panel - Detect
runzero-match
service["http.body"] matches "(?i)Network Utility"Description
Star Micronics Network Utility panel was detected.
Stash < 0.26.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)<title>Stash</title>"Description
Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.
Impact
Attackers can execute arbitrary SQL queries via the sort parameter, potentially extracting sensitive database information.
Remediation
Update Stash to version 0.26.0 or later.
SteVe Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SteVe - Steckdosenverwaltung"})Description
SteVe login panel was detected.
SteVe Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "SteVe - Steckdosenverwaltung"})Description
SteVe login panel was detected.
Stirling PDF Panel - Detect
Author: s4e-ioAdded: Jan 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)StirlingPDF"})Description
Stirling PDF panel was discovered.
Stock Ticker <= 3.23.2 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/stock-ticker/"Description
The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Impact
Unauthenticated attackers can inject malicious JavaScript through the class parameter in the ajax_stockticker_load function to execute attacks when users interact with malicious links.
Remediation
Fixed in version 3.23.3
Stop User Enumeration WordPress plugin - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/stop-user-enumeration/"Description
Stop User Enumeration WordPress plugin < 1.7.3 contains an authentication bypass caused by URL-encoding the REST API path /wp-json/wp/v2/users/, letting attackers bypass user enumeration restrictions, exploit requires crafted URL encoding.
Impact
Attackers can bypass user enumeration protection through URL-encoding manipulation, potentially facilitating brute force attacks against user accounts.
Remediation
Upgrade Stop User Enumeration WordPress plugin to version 1.7.3 or later that properly handles URL-encoded REST API paths.
Storybook Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)storybook"})Description
Storybook panel was detected.
Strapi Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)strapi"})Description
Strapi login panel was detected.
Strider CD Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "115295460"Description
Strider CD panel was detected.
Structurizr - Default Login
Author: DhiyaneshDKAdded: Nov 20, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1199592666"Description
Structurizr contains default credentials.
Structurizr Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1199592666"Description
Structurizr login panel was detected.
Subscribe to Category <= 2.7.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/subscribe-to-category/"Description
The Subscribe to Category contains a sql_injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
Remediation
Update to the latest version beyond 2.7.4 or apply security patches that neutralize special elements in SQL queries.
SugarCRM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)sugarcrm"}) || service["http.body"] matches "(?i)sugarcrm inc\\. all rights reserved"Description
SugarCRM login panel was detected.
SuiteCRM - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SuiteCRM"})Description
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Impact
Unauthenticated attackers can execute time-based SQL injection to extract sensitive CRM data.
Remediation
Update SuiteCRM to version 7.14.4 or 8.6.1 or later.
SuiteCRM Unauthenticated Graphql Introspection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)suitecrm"})Description
Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.
Impact
An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash.
Remediation
Update to version 8.4.2.
Sunbird DCIM - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "781922099"Description
Sunbird DCIM login panel was detected.
Supabase Studio Panel - Detect
Author: ChrisJr404Added: May 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Supabase Studio"})Description
Supabase Studio login panel was detected. The admin dashboard shipped with Supabase, the popular open-source Firebase alternative (Postgres + auth + realtime + storage + edge functions).
SuperAGI Panel - Detect
Author: rxeriumAdded: Apr 14, 2026
runzero-match
service["favicon.ico.image.mmh3"] == "-2056571568"Description
SuperAGI panel was detected. SuperAGI was an open-source autonomous AI agent platform that enables building, managing, and running AI agents. Exposed instances may allow unauthorized access to agent configurations and execution environments.
SuperAdmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Superadmin UI - 4myhealth"})Description
SuperAdmin login panel was detected.
SuperWebMailer 9.00.0.01710 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)SuperWebMailer"})Description
An issue was discovered in SuperWebMailer 9.00.0.01710 allowing XSS via crafted incorrect passwords.
Impact
Successful exploitation could lead to unauthorized access or data theft.
Remediation
Implement input validation and output encoding to prevent XSS attacks.
SuperWebmailer 7.21.0.01526 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)superwebmailer"})Description
SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade to the latest version of SuperWebmailer to mitigate this vulnerability.
Supermicro BMC Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Supermicro BMC Login"})Description
Supermicro BMC login panel was detected.
Supermicro Ipmi - Default Admin Login
Author: For3stCo1dAdded: Apr 27, 2023
runzero-match
any(each(service["html.bodies"]), {# matches "/cgi/login.cgi"})Description
Supermicro Ipmi default admin login credentials were successful.
Supershell - Default Login
Author: SleepingBag945Added: Aug 18, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)supershell"})Description
Supershell is a WEB management platform that integrates the reverse_ssh service.
Supertokens Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)<title>SuperTokens "Description
A Supertokens login panel was detected.
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/supportcandy/"Description
The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue
Impact
Attackers can inject malicious JavaScript via reflected XSS in pages with wpsc_create_ticket shortcode, potentially stealing user session cookies or manipulating support ticket data.
Remediation
Fixed in 2.2.7
Suprema BioStar 2 Panel - Detect
Author: ritikchaddhaAdded: Apr 12, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Biostar"})SwarmUI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "SwarmUI"})Description
SwarmUI (formerly StableSwarmUI) is a modular Stable Diffusion web interface built on ASP.NET Core.
It provides a feature-rich UI for AI image generation
Swift Performance Lite < 2.3.7.2 - Local PHP File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/swift-performance-lite"Description
A vulnerability in Swift Performance Lite before version 2.3.7.2 allows unauthenticated attackers to perform local PHP file inclusion via the 'ajaxify' parameter. This can lead to arbitrary code execution on the server.
Impact
Unauthenticated attackers can perform local PHP file inclusion via the ajaxify parameter to execute arbitrary code, potentially compromising the entire WordPress site.
Remediation
Update Swift Performance Lite plugin to version 2.3.7.2 or later.
Syfadis Xperience Login Panel - Detect
Author: righettodAdded: Apr 1, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Syfadis Xperience"})Description
Syfadis Xperience login panel was detected.
Symantec Data Loss Prevention Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)symantec data loss prevention"})Description
Symantec Data Loss Prevention login panel was detected.
Symantec Encryption Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Symantec Encryption Server"})Description
Symantec Encryption Server login panel was detected.
Symantec Endpoint Protection Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)symantec endpoint protection manager"})Description
Symantec Endpoint Protection Manager login panel was detected.
Symantec PGP Global Directory Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)PGP Global Directory"})Description
Symantec PGP Global Directory panel was detected.
Symfony Lock File - Exposure
Author: ritikchaddhaAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)symfony\\.lock"Description
symfony.lock was found accessible, exposing a full list of installed Composer packages, library versions, and metadata for a Symfony-based PHP application. Disclosure of this file can provide insight into the application's attack surface, potentially revealing vulnerable or outdated dependencies and aiding an attacker in choosing their exploit strategy.
Impact
Attackers can enumerate all installed Composer packages and versions, increasing the risk of targeted attacks (e.g., against known CVEs in dependencies) or application fingerprinting.
Remediation
Restrict direct access to internal and sensitive files such as symfony.lock via proper web server configuration (e.g., .htaccess, nginx directives) and consider excluding such files from the web root in deployment.
Symfony Profiler - Remote Access via Injected Arguments
runzero-match
service["http.body"] matches "(?i)<div id=\\\\"Description
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes.
Impact
Attackers can exploit vulnerabilities to compromise the system.
Remediation
Update to the latest patched version addressing CVE-2024-50340.
Symmetricom SyncServer Panel - Detect
Author: DhiyaneshDkAdded: Jun 22, 2023
runzero-match
service["http.body"] matches "(?i)symmetricom syncserver"Symmetricom SyncServer Unauthenticated - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)Symmetricom SyncServer"Description
Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected device.
Remediation
Apply the latest security patches or firmware updates provided by the vendor to mitigate this vulnerability.
Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"}) || any(each(service["html.titles"]), {# matches "(?i)zimbra web client sign in"}) || service["favicon.ico.image.mmh3"] == "1624375939"Description
Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML external entity injection (XXE) vulnerability via the mailboxd component.
Impact
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, leading to unauthorized access to sensitive information.
Remediation
Upgrade to the latest version of Synacor Zimbra Collaboration (8.7.11p10 or higher) to mitigate this vulnerability.
Synapse Mobility Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Synapse Mobility Login"})Description
Synapse Mobility login panel was detected.
SyncThru Web Service Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)syncthru web service"})Description
SyncThru Web Service panel was detected.
Synology DSM System Info - Detect
Author: DhiyaneshDkAdded: Mar 17, 2026
runzero-match
asset["hw_vendor"] == "Synology" && asset["type"] == "NAS"Description
Detected the disclosure of Synology DiskStation Manager (DSM) system information via the SYNO.API.Info endpoint, identifying all available APIs, versions, and installed packages returned without authentication.
Synopsys Coverity Panel
Author: idealphaseAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Coverity"})Description
Coverity® is a fast, accurate, and highly scalable static analysis (SAST) solution that helps development and security teams address security and quality defects early in the software development life cycle (SDLC), track and manage risks across the application portfolio, and ensure compliance with security and coding standards.
Synway SMG Gateway 9-2radius.php - Remote Command Execution
Author: ChenkhAdded: Apr 8, 2026
runzero-match
service["http.body"] matches "(?i)text ml10 mr20" && any(each(service["html.titles"]), {# matches "(?i)(Gateway Management|网关管理软件)"})Description
Synway SMG Gateway Management Software contains a remote command execution vulnerability in 9-2radius.php, where the radius_address parameter is passed to a system() call without sanitization. This allows unauthenticated attackers to execute arbitrary commands on the server.
SysAid Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1540720428"Description
Detects the presence of a SysAid Help Desk Software login panel by identifying characteristic login pages, favicon hash, and system-specific content.
T-Up OpenFrame
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "824580113"TIBCO JasperReports Library - Directory Traversal
runzero-match
service["http.body"] matches "(?i)jasperserver-pro"Description
The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system.
Impact
An attacker can access sensitive files, potentially leading to unauthorized disclosure of sensitive information.
Remediation
Apply the latest security patches or upgrade to a patched version of TIBCO JasperReports Library.
TIBCO Jaspersoft Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)jaspersoft"})Description
TIBCO Jaspersoft login panel was detected.
TIBCO Managed File Transfer - Panel
Author: Th3l0newolfAdded: Apr 2, 2025
runzero-match
service["http.body"] matches "(?i)TIBCO Managed"Description
TIBCO Managed File Transfer Login Panel was discovered.
TITool PrintMonitor - Blind SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)printmonitor"})Description
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
Impact
Unauthenticated attackers can execute time-based blind SQL injection to extract database contents, potentially compromising user credentials and sensitive printing data.
Remediation
Upgrade to PM18.2.1.
TOTOLINK A3002RU 1.0.8 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
TOTOLINK A3002RU firmware version 1.0.8 contains a vulnerability in which an unauthenticated attacker can obtain the plaintext admin password by making a GET request for `password.htm`. This allows remote attackers to gain administrative access without credentials.
Impact
Unauthenticated attackers can obtain the plaintext administrator password without any authentication, leading to complete device compromise.
Remediation
Update to the latest firmware version that addresses this vulnerability.
TOTOLINK A3700R - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
An issue in TOTOLINK A3700R v.9.1.2u.6165_20211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function.
Impact
Unauthenticated attackers can execute arbitrary commands on the router, potentially gaining full device control and compromising network security.
Remediation
Update TOTOLINK A3700R firmware to a version newer than 9.1.2u.6165_20211012.
TOTOLINK CP450 v4.1.0cu.747_B20191224 - Hard-Coded Password Vulnerability
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
A critical vulnerability has been discovered in TOTOLINK CP450 version 4.1.0cu.747_B20191224. This vulnerability affects an unknown part of the file /web_cste/cgi-bin/product.ini of the Telnet Service component. The issue stems from the use of a hard-coded password, which can be exploited remotely without any user interaction.
Impact
Unauthenticated attackers can retrieve hard-coded credentials from the accessible product.ini file, enabling complete device compromise through Telnet service access with administrative privileges.
Remediation
Contact TOTOLINK for security updates addressing the hard-coded password vulnerability in CP450 firmware version 4.1.0cu.747_B20191224, or implement network segmentation to restrict access.
TOTOLINK CX-A3002RU - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)TOTOLINK"Description
An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component.
Impact
Attackers can exploit this vulnerability to compromise system security and integrity.
Remediation
Apply the latest security patches and updates to address this vulnerability.
TOTOLINK EX1200T 4.1.2cu.5215 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
TOTOLINK EX1200T 4.1.2cu.5215 is susceptible to authentication bypass. An attacker can bypass login by sending a specific request through formLoginAuth.htm, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the device, potentially leading to further compromise of the network.
Remediation
Apply the latest firmware update provided by TOTOLINK to fix the authentication bypass vulnerability.
TOTOLINK EX1800T TOTOLINK EX1800T - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges.
Impact
Unauthenticated attackers can execute arbitrary commands via the apcliEncrypType parameter, gaining device administrator privileges.
Remediation
Update TOTOLINK EX1800T firmware to a version that patches the command injection vulnerability.
TOTOLINK N150RT - Password Exposure
Author: ritikchaddhaAdded: Jun 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
Detects password exposure vulnerability in TOTOLINK N150RT router where sensitive credentials are exposed in the password.htm page.
TOTOLINK/Realtek Routers - CAPTCHA Bypass
runzero-match
service["http.body"] matches "(?i)TOTOLINK"Description
On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via a POST request to the boafrm/formLogin URI with the JSON payload {"topicurl":"setting/getSanvas"}. This allows an unauthenticated attacker to bypass CAPTCHA verification, gaining unauthorized access to restricted functions. Once valid credentials are known or brute-forced, an attacker can fully control the device using HTTP requests and Basic Authentication. Affected router models include A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-derived devices.
Impact
Unauthenticated attackers can bypass CAPTCHA verification to brute-force credentials and gain unauthorized administrative access, leading to complete device control and potential network compromise.
Remediation
Upgrade to firmware versions beyond those listed as vulnerable, or replace affected devices with patched alternatives.
TOTOLINK/Realtek Routers - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
A certain router administration interface using Realtek APMIB (e.g., on TOTOLINK models) allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-based devices.
Impact
Unauthenticated attackers can retrieve the entire router configuration including Wi-Fi passwords, admin credentials, and network settings, enabling complete network takeover.
Remediation
Upgrade to firmware versions beyond those listed as vulnerable, or replace affected devices with patched alternatives.
TOTOLINK/Realtek Routers - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)totolink"})Description
A certain router administration interface using Realtek APMIB (e.g., on TOTOLINK models) allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-based devices.
Impact
Unauthenticated attackers can retrieve the entire router configuration including Wi-Fi passwords, admin credentials, and network settings, enabling complete network takeover.
Remediation
Upgrade to firmware versions beyond those listed as vulnerable, or replace affected devices with patched alternatives.
TOTOLink Router - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TOTOLINK"})Description
TOTOLink routers are vulnerable to unauthenticated remote command execution via the /boaform/formWsc endpoint. An attacker can inject OS commands through the localPin parameter.
TP-LINK - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tp-link"})Description
TP-LINK is susceptible to local file inclusion in these products: Archer C5 (1.2) with firmware before 150317, Archer C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310. Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed.
Impact
An attacker can read sensitive files on the TP-LINK router, potentially leading to unauthorized access or disclosure of sensitive information.
Remediation
Apply the latest firmware update provided by TP-LINK to fix the local file inclusion vulnerability.
TP-LINK WR840N v6 up to 0.9.1 4.16 - Improper Authentication
runzero-match
service["http.body"] matches "(?i)WR840N"Description
A vulnerability in the TP-Link WR840N v6 router with firmware version 0.9.1 4.16 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory.When adding Referer- http-//tplinkwifi.net to the the request, it will be recognized as passing the authentication.
Impact
Unauthenticated attackers can bypass authentication by adding a specific Referer header, gaining unauthorized access to router administrative interfaces.
Remediation
Update TP-Link WR840N v6 router to firmware version later than 0.9.1 4.16 that addresses the authentication bypass vulnerability.
TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TP-Link Router"})Description
TP-Link Archer AX21 (AX1800) routers are vulnerable to unauthenticated OS command injection via the country parameter in the locale endpoint. This allows remote attackers to execute arbitrary commands as root.
Impact
Unauthenticated attackers can exploit OS command injection through the country parameter in the locale endpoint to execute arbitrary commands as root and completely compromise TP-Link Archer AX21 routers.
Remediation
Update to the latest firmware version provided by TP-Link.
TP-Link Archer C20 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)Archer C20"Description
A vulnerability in the TP-Link Archer C20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass authentication on interfaces under the /cgi directory. When adding a Referer header with value "http://tplinkwifi.net" to requests, the router will recognize the request as passing authentication, allowing access to protected administration interfaces.
Impact
Unauthenticated attackers can bypass authentication by adding a specific Referer header, gaining unauthorized access to protected administration interfaces and router configuration.
Remediation
Update TP-Link Archer C20 router to firmware version later than V6.6_230412 that addresses the authentication bypass vulnerability.
TP-Link Wireless N Router WR940N - Default-Login
Author: ritikchaddhaAdded: Sep 23, 2024
runzero-match
service["http.body"] matches "/userRpm/"TRENDnet TEW-827DRU Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)tew-827dru"Description
TRENDnet TEW-827DRU login panel was detected.
TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal
runzero-match
service["http.body"] matches "(?i)TRUfusion"Description
TRUfusion Enterprise versions 7.10.4.0 and earlier contained a vulnerability that allowed unauthenticated access to the Internal Admin Contact Page, resulting in the disclosure of PII (including partner and contact names).
Impact
Unauthenticated attackers can access the Internal Admin Contact Page, exposing personally identifiable information including partner and contact names without any authorization.
Remediation
Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0, 7.9.4.0, 7.9.3.1, 7.9.3.0, 7.9.2.1, 7.10.2.0, or 7.10.0.1.
TRUfusion Enterprise <= 7.10.4.0 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)TRUfusion"Description
Hard-Coded Cryptographic key allowing to forge session cookies that can be used to entirely bypass authentication
Impact
Attackers can forge session cookies using hard-coded cryptographic keys to completely bypass authentication, gaining unauthorized access to the system with arbitrary user privileges.
Remediation
Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0, 7.9.4.0, 7.9.3.1, 7.9.3.0, 7.9.2.1, 7.10.2.0, or 7.10.0.1.
TRUfusion Enterprise <= 7.10.4.0 - Path Traversal
runzero-match
service["http.body"] matches "(?i)TRUfusion"Description
Pre-Auth Path Traversal Allowing to Leak Local server files disclosing sensitive clear-text passwords.
Impact
Unauthenticated attackers can exploit path traversal to read arbitrary files from the server, potentially exposing sensitive clear-text passwords, configuration files, and other confidential data.
Remediation
Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0, 7.9.4.0, 7.9.3.1, 7.9.3.0, 7.9.2.1, 7.10.2.0, or 7.10.0.1.
TVT NVMS 1000 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)^NVMS-1000" })Description
TVT NVMS-1000 devices allow GET /.. local file inclusion attacks.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the system.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the local file inclusion vulnerability in TVT NVMS 1000 software.
TYPO3 ceselector Extension - Insecure Deserialization
runzero-match
service["http.body"] matches `(?i)content\s*=\s*"TYPO3 CMS"`Description
TYPO3 extension contains a PHP Object Injection caused by passing attacker-controlled cookie to unserialize() without validation, letting remote unauthenticated attackers achieve remote code execution, exploit requires Persistent Mode: Static configuration.
Impact
Remote unauthenticated attackers can execute arbitrary code on the TYPO3 server, leading to full system compromise.
Remediation
Update to the latest version of TYPO3 with the vulnerability fixed or apply patches that validate and sanitize unserialize input.
Tabby Panel - Detect
Author: s4e-ioAdded: Jan 14, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tabby"})Description
Tabby panel was discovered.
Tableau Services Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)login - tableau services manager"})Description
Tableau Services Manager login panel was detected.
Tactical RMM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tactical RMM - Login"})Description
Tactical RMM login panel was detected.
Tailon Panel - Detect
Author: ritikchaddhaAdded: Dec 3, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tailon"})TamronOS IPTV/VOD - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TamronOS IPTV系统"})Description
TamronOS IPTV/VOD contains a remote command execution in the 'host' parameter of the /api/ping endpoint.
TaskingAI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "TaskingAI \\| Console"})Description
TaskingAI is an open-source platform for building and deploying LLM-based agents
and AI applications with a unified API
Tattile Camera < 1.181.5 - Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "2030104257" || service["http.body"] matches "(?i)Tattile camera manager"Description
Tattile Smart+, Vega, and Basic device families firmware <= 1.181.5 contain a broken authentication caused by default credentials not forced to be changed, letting attackers with management interface access gain administrative privileges.
Impact
Attackers can gain administrative access to device configuration and data, leading to unauthorized control and data exposure.
Remediation
Update firmware to a version later than 1.181.5 or the latest available version.
Tautulli Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tautulli"}) || any(each(service["html.titles"]), {# matches "(?i)tautulli - home"})Description
A Python based monitoring and tracking tool for Plex Media Server.
Tautulli Panel - Unauthenticated Access
Author: ritikchaddhaAdded: Nov 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tautulli - home"}) || any(each(service["html.titles"]), {# matches "(?i)tautulli"})TeamCity < 2023.11.4 - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)teamcity"})Description
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
Impact
Unauthenticated attackers can bypass authentication to perform administrative actions on TeamCity servers, potentially compromising build pipelines and source code.
Remediation
Update JetBrains TeamCity to version 2023.11.4 or later.
TeamCity Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)teamcity"})Description
TeamCity login panel was detected.
TeamForge Panel - Detection
Author: lstatroAdded: May 7, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TeamForge :"})Description
TeamForge Login Panel was discovered.
TeamPass 2.1.27.36 - Improper Authentication
runzero-match
service["http.body"] matches "(?i)teampass"Description
TeamPass 2.1.27.36 is susceptible to improper authentication. An attacker can retrieve files from the TeamPass web root, which may include backups or LDAP debug files, and therefore possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can bypass authentication and gain unauthorized access to sensitive information.
Remediation
Upgrade to a patched version of TeamPass or apply the recommended security patches.
TeamPass Panel - Detect
runzero-match
service["http.body"] matches "(?i)teampass"Description
TeamPass panel was detected.
Tekton Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tekton"})Description
Tekton Dashboard panel was detected.
Telecontrol Server Basic Panel - Detect
Author: KazgangapAdded: Oct 15, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Logon - Telecontrol Server Basic"})Description
Telecontrol Server Basic panel was discovered.
Teleport - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1275955539" || service["favicon.ico.image.mmh3"] == "544208100" || service["favicon.ico.image.mmh3"] == "1854879765"Description
Teleport versions prior to 17.5.2 are vulnerable to a remote authentication bypass vulnerability. This issue allows attackers to gain unauthorized access to affected systems.
Impact
Attackers can bypass authentication mechanisms to gain unauthorized access to Teleport systems, potentially compromising protected infrastructure and sensitive resources.
Remediation
Upgrade Teleport to version 17.5.2, 16.5.12, 15.5.3, 14.4.1, 13.4.27, or 12.4.35 depending on your version branch.
Teleport Login Panel - Detect
Author: pdteam,mahmoud0x00Added: Jun 17, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "544208100" || service["favicon.ico.image.mmh3"] == "1854879765" || service["favicon.ico.image.mmh3"] == "-1275955539"Description
Detects Teleport web login interface exposed at /web/login and version information from /webapi/ping
Telerik Report Server Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)Telerik Report Server"Description
Telerik Report Server login panel was detected.
Telesquare TLR-2005KSH - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login to TLR-2005KSH"})Description
Telesquare Tlr-2005Ksh is a Sk Telecom Lte router from South Korea's Telesquare company.Telesquare TLR-2005Ksh versions 1.0.0 and 1.1.4 have an unauthorized remote command execution vulnerability. An attacker can exploit this vulnerability to execute system commands without authorization through the Cmd parameter and obtain server permissions.
Impact
Attackers can execute arbitrary commands on the router, leading to complete device compromise.
Remediation
Update Telesquare TLR-2005KSH firmware to a version that patches the RCE vulnerability.
Telesquare TLR-2005KSH Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)tlr-2005ksh"Description
Telesquare TLR-2005KSH login panel was detected.
TemboSocial Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TemboSocial Administration"})Description
TemboSocial Admin panel was detected.
Temenos Transact Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)t24 sign in"})Description
Temenos Transact login panel was detected.
Tenable Nessus Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nessus"})Description
Tenable Nessus panel was detected.
Tenda 11N - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tenda 11n"})Description
Tenda 11N with firmware version V5.07.33_cn contains an authentication bypass vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Unauthenticated attackers can bypass authentication by setting an admin cookie to gain full administrative access to Tenda 11N routers, enabling complete device configuration changes and network compromise.
Remediation
Apply the latest firmware update provided by Tenda to fix the authentication bypass vulnerability (CVE-2022-42233).
Tenda 11n Wireless Router - Admin Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tenda 11N Wireless Router Login Screen"})Description
The administrative panel for a Tenda Technology 11n Wireless Router was found.
Tenda Web Master Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tenda Web Master"})Description
Tenda Web Master login panel was detected.
Tenemos T24 Login Panel - Detect
Author: righettodAdded: Feb 6, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)T24 Sign in"})Description
Tenemos T24 products was detected.
TensorBoard Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "TensorBoard"})Description
TensorBoard is TensorFlow's visualization toolkit for machine learning experimentation
Teradek Cube Administrative Console - Panel
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Teradek Cube Administrative Console"})TerraMaster TOS < 4.2.30 Server Information Disclosure
runzero-match
service["http.body"] matches "(?i)terramaster"Description
TerraMaster NAS devices running TOS prior to version 4.2.30 are vulnerable to information disclosure.
Impact
An attacker can exploit this vulnerability to gain sensitive information about the server, potentially leading to further attacks.
Remediation
Upgrade the TerraMaster TOS server to version 4.2.30 or later to mitigate the vulnerability.
Terraform Enterprise Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)terraform enterprise"})Description
Terraform Enterprise panel was detected.
The Events Calendar < 6.4.0.1 - Cross-site Scripting
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/the-events-calendar/"Description
The Events Calendar WordPress plugin < 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction.
Impact
Attackers can execute arbitrary scripts in the context of the affected site, leading to potential session hijacking or defacement.
Remediation
Update to version 6.4.0.1 or later.
The Events Calendar <= 6.15.2 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/the-events-calendar/"Description
The Events Calendar WordPress plugin <= 6.15.2 contains an information disclosure vulnerability caused by REST endpoint exposure, letting unauthenticated attackers extract data about password-protected vendors or venues, exploit requires no authentication.
Impact
Unauthenticated attackers can access sensitive information about password-protected vendors or venues.
Remediation
Update to the latest version beyond 6.15.2
The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/the-plus-addons-for-elementor-page-builder/"Description
The Plus Addons for Elementor plugin (before version 4.1.7) allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive.
Impact
Unauthenticated attackers can bypass authentication, gain administrator access, and create elevated privilege accounts even when registration is disabled, leading to complete WordPress site takeover.
Remediation
Fixed in 4.1.7
ThemeGrill Demo Importer < 1.6.2 - Database Reset
runzero-match
service["http.body"] matches "(?i)/plugins/themegrill-demo-importer"Description
ThemeGrill Demo Importer before 1.6.2 does not require authentication for wiping the database due to a reset_wizard_actions hook. In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.
Impact
Unauthenticated attackers can wipe the entire WordPress database to its default state and gain automatic administrator access, resulting in complete site takeover and data loss.
Remediation
Upgrade to ThemeGrill Demo Importer version 1.6.2 or later.
Themes Coder Ecommerce <= 1.3.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/tc-ecommerce/"Description
The Themes Coder Ecommerce WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Impact
Unauthenticated attackers can execute time-based SQL injection to extract sensitive database information or manipulate data.
Remediation
Update Themes Coder Ecommerce plugin to a version newer than 1.3.4.
ThinVNC - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1414548363"Description
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via a specific command, potentially leading to unauthorized access and code execution.
Impact
An attacker can bypass authentication and gain unauthorized access to the ThinVNC server.
Remediation
Apply the vendor-supplied patch or update to the latest version to mitigate the CVE-2022-25226 vulnerability.
Thinfinity Iframe Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)thinfinity virtualui"})Description
A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential remote code execution.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the vulnerability.
Thinfinity VirtualUI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)thinfinity virtualui"})Description
Thinfinity VirtualUI panel was detected.
Thinfinity VirtualUI User Enumeration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)thinfinity virtualui"})Description
Thinfinity VirtualUI (before v3.0), /changePassword returns different responses for requests depending on whether the username exists. It may enumerate OS users (Administrator, Guest, etc.)
Impact
An attacker can use the gathered usernames for further attacks, such as brute-forcing passwords or launching targeted phishing campaigns.
Remediation
Apply the vendor-supplied patch or upgrade to the latest version of Thinfinity VirtualUI to mitigate the user enumeration vulnerability.
ThingsBoard Panel - Detect
Author: righettodAdded: Oct 8, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ThingsBoard"})Description
ThingsBoard was detected — a Open-source IoT Platform for device management, data collection, processing and visualization.
ThinkPHP 5.0.24 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)thinkphp"})Description
ThinkPHP 5.0.24 is susceptible to information disclosure. This version was configured without the PATHINFO parameter. This can allow an attacker to access all system environment parameters from index.php, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain sensitive information.
Remediation
Upgrade to a patched version of ThinkPHP or apply the necessary security patches.
ThinkPHP < 3.2.4 - Remote Code Execution
runzero-match
service["product"] contains "ThinkPHP:ThinkPHP"Description
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via the s parameter in index.php through the invokefunction functionality.
Impact
Attackers can execute arbitrary system commands true the server without authentication, potentially leading to full system compromise.
Remediation
Update to ThinkPHP 3.2.4 or later, or apply vendor patches.
Thinkphp Lang - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Thinkphp"})Description
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
Impact
This vulnerability can lead to unauthorized access, data leakage, and remote code execution.
Remediation
Apply the latest security patches and updates provided by the Thinkphp framework.
Thruk Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)thruk"Description
Thruk Monitoring panel was detected.
Tigase XMPP Server - Exposure
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tigase XMPP Server"})Tiki Wiki CMS GroupWare - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tiki Wiki CMS"})Description
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
Impact
Unauthenticated attackers can trigger 50 failed login attempts to reset the admin password to blank, gaining complete administrative access to the Tiki Wiki CMS and all its content.
Remediation
Upgrade to Tiki Wiki CMS version 21.2 or later.
Tiki Wiki CMS Groupware 5.2 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)tiki wiki"Description
Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability.
Impact
The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.
Remediation
Upgrade Tiki Wiki CMS Groupware to a version that is not affected by the CVE-2010-4239 vulnerability.
Tiki Wiki CMS Groupware Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)tiki wiki"Description
Tiki Wiki CMS Groupware login panel was detected.
TileServer API - Cross Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "-1258058404"Description
tileserver-gl up to v4.4.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /data/v3/?key.
Impact
Attackers can inject malicious scripts via the key parameter, potentially compromising user sessions or stealing sensitive information.
Remediation
Update tileserver-gl to a version later than v4.4.10 that patches the XSS vulnerability.
Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/time-clock/"Description
The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
Impact
Unauthenticated attackers can execute limited PHP functions on the server through the etimeclockwp_load_function_callback function, potentially exposing sensitive system information through phpinfo and other callable functions.
Remediation
Update Time Clock plugin to a version later than 1.2.2 or Time Clock Pro plugin to a version later than 1.1.4 to address the remote code execution vulnerability.
TimeKeeper - Default Login
Author: theamanrawatAdded: Oct 17, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "2134367771"Description
TimeKeeper contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Tiny File Manager - Default Login
runzero-match
service["http.body"] matches "Tiny File Manager"Description
Tiny File Manager contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Tiny File Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Tiny File Manager"})Description
Tiny File Manager panel was detected.
Tiny RSS Panel - Detect
Author: userdehghaniAdded: May 14, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-418614327"Description
Tiny Tiny RSS is a free RSS feed reader
Titan FTP Server 6.03 and 6.0.5.549 - Heap Overflow via Long Commands
runzero-match
service["protocol"] contains "ftp" and service["service.transport"] contains "tcp" and service["banner"] matches `(?i)Titan\s+FTP\s+Server`Description
Titan FTP Server versions 6.03 and 6.05 (builds) contain multiple heap-based buffer overflow vulnerabilities. Remote attackers can cause denial of service (daemon crash) or potentially execute arbitrary code by sending excessively long USER, PASS, or other FTP commands that trigger heap overflows.
Impact
Unauthenticated attackers can send excessively long USER, PASS, or other FTP commands to trigger heap overflows, causing denial of service by crashing the daemon or potentially executing arbitrary code on the server.
Remediation
Update Titan FTP Server to a version newer than 6.05 build 549 that properly validates command length and prevents heap overflow vulnerabilities in FTP command handlers.
Titan FTP Server 6.05 DELE Command - Heap Overflow
runzero-match
service["protocol"] contains "ftp" and service["service.transport"] contains "tcp" and service["banner"] matches `(?i)Titan\s+FTP\s+Server`Description
Titan FTP Server version 6.05 build 550 contains a heap overflow vulnerability when processing long DELE commands. Remote attackers can cause denial of service (daemon crash) or potentially execute arbitrary code by sending excessively long arguments to the DELE command.
Impact
Unauthenticated attackers can send long DELE commands to trigger heap overflow, causing denial of service by crashing the FTP daemon or potentially executing arbitrary code on the server.
Remediation
Update Titan FTP Server to a version newer than 6.05 build 550 that properly validates command length and prevents heap overflow vulnerabilities in the DELE command handler.
Tixeo Login Panel - Detect
Author: righettodAdded: Apr 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tixeo"})Description
Tixeo login panel was detected.
Tomcat Exposed - Detect
Author: Podalirius,righettodAdded: Jul 19, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apache tomcat"}) || service["http.body"] matches "(?i)apache tomcat"Description
An Apache Tomcat instance was detected.
Tongda OA 11.7 - Authentication Bypass
Author: HuTa0Added: Jul 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)通达OA"})Description
Tongda OA is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., LTD v11.7 has the interface query online user function, when the user is online, it will return PHPSESSION so that it can log in to the background system.
ToolJet - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "(?i)tooljet"})Description
ToolJet contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
ToolJet Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ToolJet - Dashboard"})Description
ToolJet login panel was detected.
Tools4Ever Self-Service Reset Password Manager - Panel
Author: darsesAdded: Jun 20, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-948009664" || service["favicon.ico.image.mmh3"] == "-916902413"Description
Detects Tools4Ever Self-Service Reset Password Manager login panel.
Topsec TopAppLB - Authentication Bypass
Author: SleepingBag945Added: Sep 15, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TopApp-LB 负载均衡系统"})Description
Topsec TopAppLB is vulnerable to authetication bypass .Enter any account on the login page, the password is `;id`.
Toshiba TopAccess - Default-Login
Author: ritikchaddhaAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)topaccess"})Toshiba TopAccess Panel - Detect
Author: ritikchaddhaAdded: Sep 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)topaccess"})Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/total-donations/"Description
Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
Impact
Attackers can modify site options, enabling new user registration as Administrator, leading to site takeover.
Remediation
Update to the latest version of the plugin where this issue is fixed.
Totemomail Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)totemomail"Description
Totemomail login panel was detected.
Traccar Panel - Detect
Author: s4e-ioAdded: Oct 12, 2024
runzero-match
service["http.body"] matches "(?i)Traccar"Description
Traccar panel was discovered.
Traccar(Windows) 6.1- 6.8.1 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)Traccar"Description
Traccar 5.8-6.0 (non-default installs with web.override set) and 6.1-6.8.1 (default installs) contain a local file inclusion vulnerability caused by enabled web override configuration, letting unauthenticated attackers leak arbitrary files including passwords, exploit requires local access.
Impact
Unauthenticated local attackers can read arbitrary files, potentially exposing sensitive information like passwords and configuration data.
Remediation
Upgrade to version 6.9.0 or later.
Traefik Dashboard Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)traefik"})Description
Traefik Dashboard panel was detected.
Traggo Server - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)traggo"Description
traggo/server version 0.3.0 is vulnerable to directory traversal.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the server.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
Trassir WebView Default Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "Trassir Webview"})Description
Trassir WebView contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Trend Micro Apex One Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)officescan"})Description
Trend Micro Apex One login panel was detected.
Trilium <0.52.4 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Trilium Notes"})Description
Trilium prior to 0.52.4, 0.53.1-beta contains a cross-site scripting vulnerability which can allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected Trilium instance.
Remediation
Upgrade Trilium to version 0.52.4 or later, which includes proper input sanitization to mitigate the XSS vulnerability.
Trinity Audio <= 5.21.0 - Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/trinity-audio"Description
The Trinity Audio Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the ~/admin/inc/phpinfo.php file that gets created on install. This makes it possible for unauthenticated attackers to extract sensitive data including configuration data.
Impact
Unauthenticated attackers can extract sensitive configuration data, potentially aiding further attacks.
Remediation
Update to the latest version beyond 5.21.0.
Triofox - Improper Access Control
runzero-match
service["favicon.ico.image.mmh3"] == "-177043778"Description
The Gladinet Triofox solution before 12.91.1126.65588 and CentreStack before 12.10.595.65696 allow unauthenticated access to the /management/admindatabase.aspx endpoint, exposing sensitive database management functionality to anyone with network access. An unauthenticated attacker can remotely access, view, and potentially interact with the database management interface, risking data disclosure or system compromise.
Impact
Attackers may gain access to sensitive administrative functions of the Triofox database, resulting in unauthorized data access, modification, or potential system compromise.
Remediation
Upgrade to Triofox 12.91.1126.65588 or CentreStack 12.10.595.65696 and later to resolve this vulnerability and restrict unauthenticated access to the administrative database panel.
TrueNAS Panel - Detect
Author: rxeriumAdded: Oct 27, 2023
runzero-match
service["http.body"] matches "(?i)truenas"Description
TrueNAS scale is a free and open-source NAS solution
Tufin SecureTrack Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)securetrack - tufin technologies"})Description
Tufin SecureTrack login panel was detected.
TurboMeeting - Boolean-based SQL Injection
runzero-match
service["http.body"] matches "(?i)TurboMeeting"Description
A Boolean-based SQL injection vulnerability in the "RHUB TurboMeeting" web application. This vulnerability could allow an attacker to execute arbitrary SQL commands on the database server, potentially allowing them to access sensitive data or compromise the server.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to extract sensitive data including user credentials, meeting information, and potentially compromise the entire TurboMeeting database.
Remediation
Upgrade to the latest patched version of RHUB TurboMeeting or apply vendor-provided security updates.
TurnKey LAMP Panel - Detect
Author: ritikchaddhaAdded: Jun 16, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TurnKey LAMP"})Description
TurnKey LAMP Control Panel was detected.
TurnKey OpenVPN Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)TurnKey OpenVPN"})Description
TurnKey OpenVPN panel was detected.
Tutor LMS <= 2.1.10 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/plugins/tutor/"Description
Tutor LMS – eLearning and online course solution plugin for WordPress [all versions up to 2.6.1] contains a time-based SQL Injection caused by insufficient escaping on the question_id parameter in SQL queries, letting authenticated attackers with subscriber or higher access extract sensitive information, exploit requires attacker to be authenticated with subscriber or higher privileges.
Impact
Authenticated attackers can extract sensitive database information through SQL injection, potentially leading to data breach or further exploitation.
Remediation
Update to version 2.6.2 or later to fix the vulnerability.
Tutor LMS <= 2.7.6 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/tutor/"Description
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up to, and including, 2.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute arbitrary SQL queries via the rating_filter parameter, potentially extracting sensitive database information including user credentials and course data.
Remediation
Update Tutor LMS plugin to version 2.7.7 or later.
Typebot Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Typebot"})Description
Typebot is an open-source chatbot builder that allows you to create advanced
chatbots visually.
Typo3 Directory Listing
Author: theamanrawatAdded: Jan 21, 2026
runzero-match
service["product"] contains "TYPO3:TYPO3"Description
Detects directory listing enabled on the TYPO3 temp directory. The typo3temp folder contains cached files, compiled assets, and temporary data that may reveal sensitive information about the application structure and configuration.
UFIDA NC - Arbitrary File Read
runzero-match
any(each(service["html.titles"]), {# matches "(?i)用友\" \"NC"})Description
UFIDA NC is vulnerable to an arbitrary file read vulnerability in the nc.uap.lfw.file.action.DocServlet component. An unauthenticated remote attacker can exploit this flaw to read sensitive files on the server by sending crafted requests.
Impact
Successful exploitation allows attackers to access sensitive files and information stored on the server.
UFIDA U8 CRM cfillbacksetting.php - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)用友U8CRM"})Description
UFIDA U8-CRM system /config/fillbacksetting.php contains an SQL injection vulnerability, which allows attackers to manipulate the database through maliciously constructed SQL statements, resulting in data leaks, tampering or destruction, and seriously threatening system security.
UFIDA U8 CRM fillbacksetting.php - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)用友U8CRM"})Description
UFIDA U8-CRM system /config/fillbacksetting.php contains an SQL injection vulnerability, which allows attackers to manipulate the database through maliciously constructed SQL statements, resulting in data leaks, tampering or destruction, and seriously threatening system security.
UISP Fiber Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches `^UISP\s*Fiber\s*-\s*Login`})Description
UISP Fiber login interface was discovered.
UNA CMS <= 14.0.0-RC4 - PHP Object Injection
runzero-match
service["http.body"] matches "(?i)Powered by UNA"Description
The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script. Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this method, user input passed through the "profile_id" POST parameter is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as writing and executing arbitrary PHP code.
Impact
Unauthenticated attackers can inject arbitrary PHP objects through the profile_id parameter, allowing remote code execution and complete server compromise.
Remediation
Upgrade to UNA CMS version 14.0.0 or later that properly validates and sanitizes serialized input.
UPS Adapter CS141 SNMP Module Default Login
runzero-match
service["http.body"] matches "CS141"Description
UPS Adapter CS141 SNMP Module default login credentials were discovered.
Ubigeo de Peru < 3.6.4 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ubigeo-peru/"Description
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
Impact
Unauthenticated attackers can exploit SQL injection via AJAX actions to extract usernames and password hashes from the WordPress database.
Remediation
Fixed in version 3.6.4
UiPath Orchestrator Login Panel - Detect
Author: righettodAdded: Apr 21, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)UiPath Orchestrator"})Description
UiPath Orchestrator login panel was detected.
Umami Panel - Detect
Author: userdehghaniAdded: May 7, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-130447705"Description
simple, fast, privacy-focused, open-source analytics solution.
Umbraco CMS - Directory Listing Exposure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Umbraco"})Description
Detected directory listing enabled on sensitive Umbraco CMS directories, potentially exposing configuration files, logs, backups, and other sensitive data.
Umbraco Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)umbraco"})Description
Umbraco login panel was detected.
Umbraco Mini Profiler - Exposure
Author: theamanrawatAdded: Jan 20, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Umbraco"})Description
Detected the exposure of the MiniProfiler debugging interface in Umbraco CMS. When exposed, it can reveal sensitive information including SQL queries, execution times, stack traces, and internal application details.
UnRaid <=6.80 - Remote Code Execution
runzero-match
service["http.head.setCookie"] matches `^unraid_` || service["last.http.head.setCookie"] matches `^unraid_`Description
UnRaid <=6.80 allows remote unauthenticated attackers to execute arbitrary code.
Impact
Unauthenticated attackers can execute arbitrary code on UnRaid servers, leading to complete system compromise and access to all stored data.
Remediation
Upgrade UnRaid to a version higher than 6.80 to mitigate the vulnerability.
Unauthenticated Remote Code Execution – Bricks <= 1.9.6
runzero-match
service["http.body"] matches "(?i)/wp-content/themes/bricks/"Description
Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
Impact
Unauthenticated attackers can execute arbitrary code through the Bricks Builder theme, leading to complete site takeover and potential server compromise.
Remediation
Update Bricks Builder theme to version 1.9.7 or later.
UniFi - NFC Credentials
Author: DhiyaneshDkAdded: Nov 5, 2025
runzero-match
service["http.body"] matches "(?i)UniFi Dream Machine SE"Description
An unauthenticated GET to /api/v1/user_assets/touch_pass/keys returns JSON containing live credential material (PEM private key, Apple NFC/express key values, terminal type, TTL, google_pass_auth_key block, version identifiers) over a publicly reachable port — allowing theft and immediate misuse of mobile/NFC access credentials.
UniFi Network Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)UniFi Network"})Description
UniFi Network login panel was detected.
UniFi OS - Panel
runzero-match
any(each(service["html.titles"]), {# matches "(?i)UniFi OS"})Description
UniFi OS Panel was discovered
Unibox Panel - Detect
Author: theamanrawatAdded: Oct 17, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "176427349"Description
Unibox Administrator panel was detected.
Unitronics PLC - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Unitronics"})Description
Unitronics PLC web interface panel has been detected.
Unity Plastic SCM Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Plastic SCM"})Description
Unity Plastic SCM login panel was detected.
Universal Media Server v13.2.1 - Cross Site Scripting
Author: r3Y3r53Added: Jul 7, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-902890504"Description
Universal Media Server v13.2.1 CMS v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.
Remediation
Fixed in version 13.2.2
Unleash Panel - Detect
Author: userdehghaniAdded: May 12, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-608690655"Description
Open-source feature management solution built for developers.
Unraid Authentication Bypass Vulnerability
runzero-match
service["product"] contains "Unraid:Unraid"Description
Unraid 6.8.0 allows authentication bypass.
Remediation
Apply updates per vendor instructions.
Untangle Administrator Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)untangle administrator login"})Description
Untangle Administrator is a centralized web-based management console that allows administrators to efficiently configure, monitor, and control various network security and filtering features provided by the Untangle NG Firewall, ensuring robust network protection and policy enforcement.
Uptime Kuma - Panel
Author: irshad ahamedAdded: Jul 1, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Uptime Kuma"})Description
Realtime website and application monitoring tool
UrBackup Panel - Detect
Author: DhiyaneshDkAdded: Apr 17, 2024
runzero-match
service["http.body"] matches "(?i)UrBackup - Keeps your data safe"User Control Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)User Control Panel"})Description
User Control Panel was detected.
User Management/Registration & Login v3.0 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Registration and Login System"})Description
User Registration & Login and User Management System v3.0 admin panel has SQL vulnerability. Even though the person who discovered the vulnerability tested it in version 3.0, version 3.2 also contains the same vulnerability. It can be exploited by entering "admin' -- -" as the username parameter in the admin panel.
User Meta WP Plugin < 3.1 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/user-meta/"Description
The User Meta is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0 via the /views/debug.php file. This makes it possible for unauthenticated attackers, with to extract sensitive configuration data.
Impact
Unauthenticated attackers can extract sensitive configuration data from the User Meta plugin.
Remediation
Update User Meta plugin to version 3.1 or later.
User Submitted Posts <= 20251121 - Unauthenticated Open Redirect
Author: Shivam KambojAdded: Feb 5, 2026
runzero-match
service["http.body"] matches "(?i)usp-nonce"Description
The User Submitted Posts plugin for WordPress is vulnerable to Open Redirect in all versions up to and including 20251121. This is due to insufficient validation on the redirect-override POST parameter. Unauthenticated attackers can redirect users to potentially malicious sites by tricking them into submitting a form.
Impact
Attackers can redirect users to malicious sites, facilitating phishing attacks and credential theft.
Remediation
Update to the latest version.
UserPro <= 5.1.1 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/userpro/"Description
The UserPro plugin for WordPress through 5.1.1 allows authentication bypass via the userpro_fbconnect AJAX action.
Impact
Unauthenticated attackers can bypass authentication by exploiting the Facebook connect AJAX action with arbitrary user IDs, potentially gaining full administrative access to the WordPress site and all user accounts.
Remediation
Update UserPro plugin to a version newer than 5.1.1 that properly validates authentication in the userpro_fbconnect AJAX action.
Usermin 2.100 - Username Enumeration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Usermin"})Description
Usermin version 2.100 and below is susceptible to username enumeration via the password change functionality. An attacker can determine valid usernames by analyzing the response messages from the password change endpoint.
Impact
Attackers can enumerate valid usernames by analyzing password change responses, aiding in further attacks.
Remediation
Upgrade to the latest version of Usermin that addresses this vulnerability.
Usermin Panel - Detect
Author: s4e-ioAdded: Oct 17, 2024
runzero-match
any(each(service["html.titles"]), {# contains "Login to Usermin"})Description
Usermin panel was discovered.
V2924 Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)V2924"})Description
V2924 admin login panel was detected.
VICIdial - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "1375401192"Description
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
Impact
Unauthenticated attackers can exploit SQL injection to enumerate database records and extract plaintext credentials stored by VICIdial, leading to complete system compromise and unauthorized access to the call center platform.
Remediation
Apply security patches for VICIdial to address the SQL injection vulnerability in VERM_AJAX_functions.php and implement proper credential encryption.
VMware - Local File Inclusion
runzero-match
service["favicon.ico.image.mmh3"] == "-1250474341"Description
VMware Workspace ONE Access, Identity Manager, and Realize Automation are vulnerable to local file inclusion because they contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Impact
The impact of this vulnerability is that an attacker can read sensitive files on the server, which may contain credentials, configuration files, or other sensitive information.
Remediation
To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in file inclusion operations.
VMware Aria Operations Login - Detect
Author: rxeriumAdded: Oct 10, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware Aria Operations"})Description
Detects VMware Aria Operations Panel.
VMware Carbon Black EDR Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware Carbon Black EDR"})Description
VMware Carbon Black EDR panel was detected.
VMware Cloud Director Availability Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware Cloud Director Availability"})Description
VMware Cloud Director Availability login panel was detected.
VMware Cloud Director Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)welcome to vmware cloud director"})Description
VMware Cloud Director login panel was detected.
VMware FTP Server Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMWARE FTP SERVER"})Description
VMware FTP Server login panel was detected.
VMware HCX Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware HCX"})Description
VMware HCX login panel was detected.
VMware NSX Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)vmw_nsx_logo-black-triangle-500w\\.png"Description
VMware NSX login panel was detected.
VMware NSX SD-WAN Edge - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VeloCloud"})Description
VMware NSX SD-WAN Edge (formerly VeloCloud Edge) before 3.1.2 contains an unauthenticated command injection in the local web UI diagnostic tools (Ping/Traceroute). This template detects it reliably by injecting 'id', 'whoami', and a random marker.
Impact
Successful exploitation allows unauthenticated remote code execution as root.
Remediation
Upgrade to VMware SD-WAN Edge version 3.1.2 or later (diagnostic web UI component removed).
VMware Workspace ONE Access - Server-Side Template Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1250474341"Description
VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.
Impact
Successful exploitation of this vulnerability could lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
Remediation
Apply the latest security patches provided by VMware to mitigate this vulnerability.
VMware Workspace ONE UEM Airwatch Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)airwatch"Description
VMware Workspace ONE UEM Airwatch login panel was detected.
VMware Workspace ONE UEM Airwatch Self-Service Portal - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "321909464" || service["http.body"] matches "(?i)Self-Service Portal"Description
VMware Workspace ONE UEM Airwatch Self-Service Portal (SSP) login panel was detected.
VMware vCenter Converter Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vmware vcenter converter standalone"})Description
VMware vCenter Converter panel was detected.
VMware vCenter Server - Out-of-Bounds Write
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VMware VCenter"})Description
vCenter Server contains an out-of-bounds write caused by a vulnerability in the DCERPC protocol implementation. A malicious actor with network access can trigger remote code execution on vCenter Server.
Impact
Unauthenticated attackers with network access can exploit the out-of-bounds write vulnerability in the DCERPC protocol to execute arbitrary code on vCenter Server, potentially compromising the entire VMware virtualization infrastructure.
Remediation
Apply VMware security patches from VMSA-2023-0023 for vCenter Server versions 4.0-5.5 and 7.0-8.0 that fix the DCERPC protocol vulnerability.
VMware vCloud Director Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vmware vcloud director"})Description
VMware vCloud Director panel was detected.
VMware vRealize Log Insight - Improper Access Control to RCE
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vrealize log insight"})Description
The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.
Impact
Successful exploitation allows a remote, unauthenticated attacker to inject and execute malicious code on the target appliance, potentially resulting in complete compromise of the affected system.
Remediation
Update VMware vRealize Log Insight to version 8.10.2 or later, as detailed in the official vendor advisory.
VMware vRealize Log Insight - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vrealize log insight"})Description
he vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
Impact
A remote, unauthenticated attacker can inject malicious files leading to remote code execution on the target appliance, resulting in complete compromise of the affected system.
Remediation
Update VMware vRealize Log Insight to version 8.10.2 or later as per the official vendor advisory.
VMware vRealize Log Insight < v8.10.2 - Information Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vrealize log insight"})Description
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.
Impact
Attackers can access sensitive session and application data, leading to potential information leakage and security breaches."
Remediation
Apply the latest security patches and updates provided by VMware to mitigate this vulnerability.
VSFTPD 2.3.4 - Backdoor Command Execution
runzero-match
service["protocol"] contains "ftp" and service["service.transport"] contains "tcp" and service["banner"] matches `(?i)vsFTPd`Description
VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the FTP server.
Remediation
Update to the latest version of VSFTPD, which does not contain the backdoor.
VTScada - Internet Client Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "VTScada Internet Client from Trihedral"})Description
VTScada (by Trihedral Engineering) is a SCADA platform used in water/
wastewater, oil and gas, and utilities. The Internet Client feature exposes
a browser-based view of process data, and is commonly deployed by municipal
water systems across North America.
Vanna - SQL injection
runzero-match
service["http.body"] matches "(?i)'vanna\\.ai'"Description
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
Impact
Unauthenticated attackers can exploit SQL injection to inject malicious training data and write arbitrary files on the victim's filesystem, including PHP backdoors, leading to remote code execution.
Remediation
Update Vanna to version 0.3.5 or later to address the SQL injection vulnerability in the DuckDB integration.
Vanna AI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Vanna Agents Chat"})Description
Vanna AI is a chat interface for text-to-SQL generation using natural language. This template detects the presence of a Vanna AI chat panel.
Vault Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-919788577"Description
Vault login panel was detected.
Vaultwarden Login Panel - Detect
Author: righettodAdded: Jan 14, 2025
runzero-match
service["http.body"] matches "(?i)vaultwarden"Description
Vaultwarden products was detected.
VectorAdmin Panel - Detect
Author: s4e-ioAdded: Mar 21, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)VectorAdmin - Vector database management made easy\\."})Description
VectorAdmin panel was discovered.
Veeam Backup & Replication - Unauthenticated
runzero-match
service["http.body"] matches "(?i)Veeam Backup"Description
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
Impact
Unauthenticated attackers can exploit deserialization vulnerabilities to achieve remote code execution on Veeam Backup & Replication servers.
Remediation
Update Veeam Backup & Replication to a patched version addressing CVE-2024-40711.
Veeam Backup Enterprise Manager Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)veeam backup enterprise manager"}) || service["favicon.ico.image.mmh3"] == "169658321" || service["http.body"] matches "(?i)Veeam"Description
Veeam Backup Enterprise Manager Login
Veeam Backup for Google Cloud Platform Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Veeam Backup for GCP"})Description
Veeam Backup for Google Cloud Platform panel was detected.
Veeam Backup for Microsoft Azure Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Veeam Backup for Microsoft Azure"})Description
Veeam Backup for Microsoft Azure panel was detected.
Veeam Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-633512412"Description
Veeam login panel was detected.
Vendure Core - SQL Injection
runzero-match
service["http.head.accessControlExposeHeaders"] matches `(?i)vendure-auth-token` || service["last.http.head.accessControlExposeHeaders"] matches `(?i)vendure-auth-token`Description
Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or input validation, allowing unauthenticated attackers to execute arbitrary SQL commands. This can lead to full database disclosure and denial of service.
Remediation
Upgrade @vendure/core to version 3.6.2, 3.5.7, or 2.3.4 or later, which add input validation and parameterized queries for the languageCode parameter.
Veracore Login - Detect
Author: rxeriumAdded: Feb 10, 2025
runzero-match
service["http.body"] matches "(?i)veraCoreScreenHeight"Description
A veracore login panel was detected.
Veritas NetBackup OpsCenter Analytics Login - Detect
Author: rxeriumAdded: Oct 8, 2024
runzero-match
service["http.body"] matches "(?i)Veritas NetBackup OpsCenter Analytics"Description
A Veritas NetBackup OpsCenter Analytics page was detected.
Veriz0wn OSINT - Detect
Author: pussycat0xAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Veriz0wn"})Verizon Router Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Verizon Router"})Description
Verizon router panel was detected.
Versa Concerto API Path Based - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-534530225"Description
Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path.This issue enabled attackers to bypass authentication controls and access restricted resources.
Impact
Attackers can bypass authentication through URL path manipulation to access restricted API endpoints and retrieve sensitive role information without credentials.
Remediation
Upgrade to the latest Versa Concerto version that properly handles URL decoding and path validation in authentication checks.
Versa Concerto Actuator Endpoint - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-534530225"Description
An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.
Impact
Attackers can bypass authentication by omitting the X-Real-Ip header to access restricted Spring Boot Actuator endpoints, potentially exposing sensitive system information and functionality.
Remediation
Upgrade to the latest Versa Concerto version that properly validates authentication for all Actuator endpoints regardless of header presence.
Versa Director Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Versa Director"})Description
Versa Director login panel was detected.
Versa FlexVNF - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Flex VNF Web-UI"})Description
Versa FlexVNF contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Versa FlexVNF Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Flex VNF Web-UI"})Description
Versa FlexVNF panel was detected.
VertaAI ModelDB - Path Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "-2097033750" || any(each(service["html.titles"]), {# matches "(?i)verta ai"})Description
The endpoint "/api/v1/artifact/getArtifact?artifact_path=" is vulnerable to path traversal. The main cause of this vulnerability is due to the lack of validation and sanitization of the artifact_path parameter.
Impact
Attackers can potentially exploit this vulnerability to perform a relative path traversal attack, which can lead to unauthorized access to sensitive local files on the server. As an impact it is known to affect confidentiality.
Remediation
Restrict access to the web application
Vertex Tax Installer Panel - Detect
runzero-match
service["http.body"] matches "(?i)Vertex Tax Installer"Description
Vertex Tax Installer panel was detected.
VictoriaMetrics Panel - Detect
Author: Shivam KambojAdded: Jan 5, 2026
runzero-match
service["http.body"] matches "(?i)VictoriaMetrics"Description
A VictoriaMetrics panel was discovered.
Vidyo Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1970367401"Description
Vidyo admin login panel was detected.
Viessmann Vitogate 300 - Hardcoded Password
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Vitogate 300"})Description
A critical vulnerability in Viessmann Vitogate 300 up to 2.1.3.0 allows attackers to authenticate using hardcoded credentials in the Web Management Interface.
Impact
An attacker could potentially gain unauthorized access to the device.
Remediation
Update the device firmware to remove the hardcoded password or change it to a strong, unique password.
Viessmann Vitogate 300 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vitogate 300"})Description
In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.
Impact
Unauthenticated attackers can execute arbitrary commands with elevated privileges through shell metacharacters in the ipaddr parameter, potentially compromising the heating control gateway and accessing building management systems.
Remediation
Update Viessmann Vitogate 300 firmware to a version newer than 2.1.3.0 that properly sanitizes the ipaddr parameter and prevents command injection through the JSON API.
Vikunja Login Panel - Detect
Author: matheusalbarelloAdded: Jun 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^Vikunja$"}) || service["http.head.server"] matches "^Vikunja"Description
Vikunja login panel was detected. Vikunja is a self-hosted to-do and project management application.
Vinchin Backup & Recovery Panel - Detect
runzero-match
service["http.body"] matches "(?i)VinChin"Description
Vinchin Backup & Recovery login panel was detected.
Virtua Software Cobranca <12R - Blind SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "876876147"Description
Virtua Cobranca before 12R allows blind SQL injection on the login page.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the underlying system.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Virtua Software Cobranca <12R.
Virtua Software Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "876876147"Description
Virtua Software panel was detected.
Vite - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)/@vite/client"Description
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Impact
Attackers can bypass file access restrictions by adding special query parameters to URLs, potentially reading arbitrary files when the Vite dev server is exposed to the network.
Remediation
Upgrade to Vite version 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10 that properly validates query parameters.
Vite - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/@vite/client"Description
Vite is a frontend tooling framework for JavaScript.In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Impact
Remote attackers can access files denied by server.fs.deny, leading to sensitive information disclosure.
Remediation
Update to versions 5.4.21, 6.4.1, 7.0.8, or 7.1.11 or later.
Vite Dev Server - Path Traversal
runzero-match
service["http.body"] matches "(?i)/@vite/client"Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Impact
Attackers can access unauthorized files bypassing filesystem restrictions, potentially exposing sensitive data.
Remediation
Update to versions 7.1.5, 7.0.7, 6.3.6, or 5.4.20 or later.
Vite Dev Server - Path Traversal in Optimized Deps .map Handling
runzero-match
service["http.body"] matches `src="/@vite/client"` && service["service.port"] == "5173"Description
Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and calls readFile without restricting ../ segments in the URL. This allows an attacker to bypass server.fs.strict and retrieve auto-generated sourcemaps for files located outside the project root, leaking absolute filesystem paths. Only dev servers explicitly exposed to the network using --host or server.host are affected.
Impact
An attacker can trigger auto-generated sourcemap responses for files outside the project directory, leaking absolute filesystem paths and potentially reading .map files containing sensitive source code or configuration data.
Remediation
Upgrade Vite to version 8.0.5, 7.3.2, 6.4.2 or later.
Vite Development Server - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Vite App"})Description
Path traversal vulnerability in Vite development server's @fs endpoint allows attackers to access files outside the intended directory. When exposed to the network, attackers can exploit this via crafted URLs to access sensitive system files.
Impact
Attackers can exploit path traversal in the @fs endpoint to access files outside the intended directory when the Vite dev server is exposed to the network, potentially reading sensitive system files.
Remediation
Upgrade to the patched version or avoid exposing the Vite development server to the network (do not use --host flag or configure server.host); if upgrading is not immediately possible, implement access restrictions to the Vite development server
Vite server.fs.deny Bypass - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Vite App"})Description
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest- script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default- 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Impact
Attackers can bypass server.fs.deny restrictions to read arbitrary files smaller than 4kB when the Vite dev server is exposed to the network, potentially exposing sensitive configuration data.
Remediation
Update Vite to version 4.5.12, 5.4.17, 6.0.14, 6.1.4, 6.2.5 or later.
VoIPmonitor Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)voipmonitor"})Description
VoIPmonitor login panel was detected.
Vodafone Vox UI Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Vodafone Vox UI"})Description
Vodafone Vox UI login panel was detected.
Void Aural Rec Monitor 9.0.0.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)aurall"Description
Void Aural Rec Monitor 9.0.0.1 contains a SQL injection vulnerability in svc-login.php. An attacker can send a crafted HTTP request to perform a blind time-based SQL injection via the param1 parameter and thus possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Void Aural Rec Monitor 9.0.0.1.
Voilà Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
service["http.body"] matches "(?i)voila-notebooks"Description
Voilà is an open-source tool that turns Jupyter Notebooks into standalone web applications.
It is commonly used to share AI/ML dashboards and interactive data science tools.
VoipMonitor - Pre-Auth SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)voipmonitor"})Description
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SQL injection vulnerability in the VoipMonitor application.
VoipMonitor <24.61 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)voipmonitor"})Description
VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Upgrade VoipMonitor to version 24.61 or later to mitigate this vulnerability.
Vtiger CRM - Default Login
Author: icarotAdded: Nov 17, 2025
runzero-match
service["http.body"] matches "(?i)Powered by vtiger CRM"Description
Detected a Vtiger CRM instance that enabled default admin credentials.
Vtiger CRM v7.2.0 - Directory Listing
runzero-match
service["http.body"] matches "(?i)vtiger CRM"Description
Vtiger CRM v7.2.0 contains a directory traversal vulnerability caused by improper access controls in /libraries and /layout directories, letting attackers display hidden files and list directories, exploit requires no authentication.
Impact
Attackers can access sensitive files and directory structures, potentially leading to information disclosure or further exploitation.
Remediation
Update to the latest version of Vtiger CRM or apply security patches that enforce proper access controls.
Vue PACS - Panel
Author: righettodAdded: Dec 14, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vue pacs"})Description
Vue PACS was detected.
Vue Vben Admin - Default Credentials
runzero-match
service["http.body"] matches "(?i)vben" || service["http.body"] matches "(?i)vue-vben-admin"Description
Vue Vben Admin 2.10.1 contains a broken authentication caused by hardcoded credentials in the backend, letting attackers log in without proper authorization, exploit requires access to the login interface.
Impact
Attackers can gain unauthorized access to the backend, potentially leading to data theft or system control
Remediation
Remove hardcoded credentials and implement proper authentication mechanisms, update to the latest version if available.
WAGO - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)/wbm/\" html:\"wago"Description
In multiple products of WAGO, a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behavior, Denial of Service, and full system compromise.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
Remediation
Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.
WAGO Web based Management - Default Login
Author: biero-el-corridorAdded: May 2, 2025
runzero-match
service["http.body"] matches "(?i)WAGO Ethernet Web-based Management"Description
Identified WAGO Web-Based Management interfaces that were accessible using default credentials (admin:wago).These interfaces are used to configure and monitor WAGO programmable logic controllers (PLCs) and automation systems. Use of factory-default credentials exposed critical OT infrastructure to unauthorized access.
WAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Intelligent WAPPLES"})Description
WAPPLES Web Application Firewall through 6.0 contains a hardcoded credentials vulnerability. It contains a hardcoded system account accessible via db/wp.no1, as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file. An attacker can use this account to access system configuration and confidential information, such as SSL keys, via an HTTPS request to the /webapi/ URI on port 443 or 5001.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the WAPPLES Web Application Firewall.
Remediation
Upgrade to a version of WAPPLES Web Application Firewall that does not contain hardcoded credentials or apply the vendor-provided patch to fix the vulnerability.
WAVLINK - Access Control
runzero-match
service["http.body"] matches "(?i)wavlink"Description
Wavlink WN530HG4, WN531G3, WN533A8, and WN551K are susceptible to improper access control via /cgi-bin/ExportAllSettings.sh, where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or control of the affected device.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK AC1200 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)AC1200"Description
A vulnerability is in the 'live_mfg.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. When processed, it exposes some key information of the manager of router.
Impact
Successful exploitation could lead to sensitive information disclosure.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
WAVLINK Quantum D4G (WL-WN531G3) - Information Disclosure
runzero-match
service["http.body"] matches "(?i)WN531G3"Description
WAVLINK Quantum D4G (WL-WN531G3) running firmware versions M31G3.V5030.201204 and M31G3.V5030.200325 has an access control issue which allows unauthenticated attackers to download configuration data and log files.
Impact
Successful exploitation could lead to sensitive information disclosure.
Remediation
Apply the latest firmware updates from Wavlink or implement network segmentation to restrict access to the device administration interface.
WAVLINK WN530H4 M30H4.V5030.190403 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)wavlink"Description
WAVLINK WN530H4 M30H4.V5030.190403 contains an information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint. This can allow an attacker to leak router settings, including cleartext login details, DNS settings, and other sensitive information without authentication.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, such as router configuration settings and user credentials.
Remediation
Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.
WAVLINK WN530H4 live_api.cgi - Command Injection
runzero-match
service["http.body"] matches "(?i)wavlink"Description
A remote command-line injection vulnerability in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without authentication.
Impact
Unauthenticated attackers can execute arbitrary Linux commands as root on the WAVLINK WN530H4 device, potentially leading to complete system compromise, data theft, or using the device as a pivot point for further attacks.
Remediation
Apply vendor security patches if available or replace the device with a secure alternative. Restrict access to the management interface.
WAVLINK WN530HG4 - Improper Access Control
runzero-match
service["http.body"] matches "(?i)wn530hg4" || any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
WAVLINK WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. It contains a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN530HG4 - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"}) || service["http.body"] matches "(?i)wn530hg4"Description
WAVLINK WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. An attacker can obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd] and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN530HG4 - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"}) || service["http.body"] matches "(?i)wn530hg4"Description
Wavlink WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. An attacker can download log files and configuration data via Exportlogs.sh and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings, potentially leading to further compromise of the network or device.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN533A8 - Improper Access Control
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"}) || service["http.body"] matches "(?i)wavlink"Description
WAVLINK WN533A8 M33A8.V5030.190716 is susceptible to improper access control. An attacker can obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);] and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the entire network.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN535 G3 - Improper Access Control
runzero-match
service["http.body"] matches "(?i)wavlink" || any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to improper access control. A vulnerability in /cgi-bin/ExportAllSettings.sh allows an attacker to execute arbitrary code via a crafted POST request and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
WAVLINK WN535 G3 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)wavlink" || any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in live_check.shtml. An attacker can obtain sensitive router information via execution of the exec cmd function and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as login credentials or network configuration.
Remediation
Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.
WAVLINK WN535 G3 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)wavlink" || any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in the live_mfg.shtml page. An attacker can obtain sensitive router information via the exec cmd function and possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as router configuration settings and user credentials.
Remediation
Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.
WAVLINK WN579 X3 M79X3.V5030.180719 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)wavlink"Description
WAVLINK WN579 X3 M79X3.V5030.180719 is susceptible to information disclosure in /cgi-bin/ExportAllSettings.sh. An attacker can obtain sensitive router information via a crafted POST request and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
Impact
An attacker can exploit this vulnerability to gain access to sensitive information, such as router configuration settings and user credentials.
Remediation
Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.
WCFM Membership <= 2.10.0 - Broken Access Control
runzero-match
service["http.body"] matches "(?i)wcfmmp_become_vendor_link"Description
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks true the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings.
Impact
Unauthenticated attackers can modify membership details, approve or deny memberships, and change renewal info, potentially leading to data tampering and unauthorized access.
Remediation
Update to WCFM Membership version 2.10.1 or later.
WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wc-multivendor-marketplace"Description
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
Impact
Unauthenticated attackers can execute SQL injection through multiple unsanitized parameters, potentially gaining access to all WooCommerce marketplace data including customer and vendor information.
Remediation
Fixed in 3.4.12
WD My Cloud Panel - Detect
Author: DhiyaneshDkAdded: Jun 26, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-1074357885"WP Directory Kit < 1.5.0 - Unauthenticated Email Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpdirectorykit/"Description
WP Directory Kit plugin for WordPress <= 1.4.9 contains a sensitive information exposure caused by improper access control in wdk_public_action AJAX handler, letting unauthenticated attackers extract email addresses of users with Directory Kit-specific roles.
Impact
Unauthenticated attackers can extract email addresses of users with specific roles, leading to privacy breaches.
Remediation
Update to the latest version beyond 1.4.9.
WP Directory Kit <= 1.4.3 - Unauthenticated SQL Injection
runzero-match
service["http.body"] matches "(?i)plugins/wpdirectorykit/"Description
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
An unauthenticated attacker can extract sensitive information from the WordPress database including user credentials, posts, and other data.
Remediation
Update WP Directory Kit plugin to version 1.4.4 or later.
WP Directory Kit <= 1.4.4 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpdirectorykit"Description
The WP Directory Kit plugin for WordPress version 1.4.4 and below contains an authentication bypass vulnerability in its auto-login functionality. The vulnerability allows unauthenticated attackers to gain administrative access by exploiting a cryptographically weak token generation mechanism that uses only the first 10 characters of MD5(user_id). For user_id=1 (typically admin), the token is always predictable.
Impact
Unauthenticated attackers can gain administrative access, leading to full site takeover.
Remediation
Update to the latest version beyond 1.4.4.
WP Fastest Cache 1.2.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-fastest-cache/"Description
The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Impact
Unauthenticated attackers can execute SQL injection to extract the complete WordPress database including user credentials and site data.
Remediation
Fixed in 1.2.2
WP Google Maps < 9.0.48 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)wp-google-maps"Description
WP Google Maps WordPress plugin < 9.0.48 contains a stored XSS vulnerability caused by unsanitized user input in AJAX actions, letting unauthenticated attackers execute scripts via stored payloads.
Impact
Unauthenticated attackers can execute arbitrary scripts in users' browsers, leading to session hijacking or defacement.
Remediation
Update to version 9.0.48 or later.
WP Hotel Booking < 1.10.4 - PHP Object Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-hotel-booking/"Description
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
Impact
Unauthenticated attackers can exploit PHP object injection to execute arbitrary code, leading to complete server compromise.
Remediation
Upgrade to WP Hotel Booking version 1.10.3 or later.
WP Hotel Booking <= 2.0.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-hotel-booking/"Description
WP Hotel Booking WordPress plugin before 2.0.8 contains a SQL injection caused by lack of authorization, CSRF checks, and input escaping in a function hooked to admin_init, letting unauthenticated users perform SQL injections, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
Remediation
Update to version 2.0.8 or later.
WP Hotel Booking <= 2.1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-hotel-booking/"Description
The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL queries, potentially leading to data leakage or database compromise.
Remediation
Update to the latest version of WP Hotel Booking plugin that addresses this vulnerability, or apply security patches provided by the vendor.
WP Popup Builder Popup Forms and Marketing Lead Generation <= 1.3.5 - Arbitrary Shortcode Execution
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-popup-builder/"Description
The The WP Popup Builder Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Impact
Unauthenticated attackers can execute arbitrary shortcodes through the AJAX action, potentially leading to information disclosure, privilege escalation, or remote code execution depending on available shortcodes in the WordPress installation.
Remediation
Update WP Popup Builder plugin to a version later than 1.3.5 that properly validates values before executing do_shortcode in the wp_ajax_nopriv_shortcode_Api_Add AJAX action.
WP Query Console <= 1.0 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/wp-query-console/"Description
Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.This issue affects WP Query Console- from n/a through 1.0.
Impact
Attackers can exploit vulnerabilities to compromise the system.
Remediation
Update to the latest patched version addressing CVE-2024-50498.
WP Responsive Images <= 1.0 - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-responsive-images/"Description
WP Responsive Images plugin for WordPress <= 1.0 contains a path traversal caused by improper sanitization of the 'src' parameter, letting unauthenticated attackers read arbitrary files on the server.
Impact
nauthenticated attackers can read arbitrary files, potentially exposing sensitive information.
Remediation
Update to the latest version of WP Responsive Images plugin.
WP Travel Engine <= 5.7.9 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-travel-engine/"Description
WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries, exploit requires user interaction.
Impact
Attackers can execute arbitrary SQL queries, potentially leading to data theft, modification, or deletion.
Remediation
Update to the latest version of WP Travel Engine.
WP Umbrella Update Backup Restore & Monitoring <= 2.17.0 - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-health"Description
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Impact
Unauthenticated attackers can exploit local file inclusion through the filename parameter in the umbrella-restore action to read arbitrary server files including /etc/passwd, execute PHP code, and gain complete server compromise.
Remediation
Validate and sanitize user inputs to prevent directory traversal. Use a whitelist approach for file paths and restrict file access to intended directories only.
WP User <= 7.0 - Unauthenticated SQLi
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-user/"Description
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Impact
Unauthenticated attackers can execute time-based blind SQL injection through the id parameter in wpuser_group_action AJAX endpoint, potentially extracting sensitive database information including user credentials, personal data, and WordPress configuration.
Remediation
Update WP User plugin to a version later than 7.0 that properly sanitizes and parameterizes the id parameter in admin-ajax.php.
WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-stats-manager"Description
The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.
Impact
Unauthenticated attackers can execute time-based SQL injection through the visitorId parameter to extract the complete WordPress database including user credentials and site statistics.
Remediation
Fixed in version 6.9
WP-Optimize WordPress plugin < 3.2.13 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-optimize"Description
The WP-Optimize WordPress plugin before 3.2.13 and SrbTransLatin WordPress plugin before 2.4.1 are vulnerable to cross-site scripting due to a third-party library that improperly handles HTML character escaping.
Impact
Unauthenticated attackers can inject malicious JavaScript through search parameters due to improper HTML character escaping in a third-party library, enabling theft of WordPress user session cookies.
Remediation
Users are recommended to upgrade WP-Optimize to version 3.2.13 and SrbTransLatin to version 2.4.1 to mitigate the vulnerability.
WP-Recall – Plugin <= 16.26.10 - Unauthenticated SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-recall/"Description
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the 'databeat' parameter in all versions up to, and including, 16.26.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute arbitrary SQL queries through time-based blind SQL injection in the databeat parameter, leading to extraction of sensitive database information including user credentials and personal data.
Remediation
Update to version 16.26.12, or a newer patched version
WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WordPress\" \"graphql"})Description
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Impact
An attacker can exploit this vulnerability to post unauthorized comments on WordPress posts, potentially leading to content manipulation and defacement.
Remediation
Update WPGraphQL to version 0.3.0 or later to fix this vulnerability.
WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-graphql/"Description
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
Impact
An attacker can exploit this vulnerability to enumerate all WordPress users and extract sensitive information including email addresses, usernames, and user roles without authentication.
Remediation
Update WPGraphQL to version 0.3.0 or later to fix this vulnerability.
WPMobile.App <= 11.56 - Open Redirect
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpappninja"Description
The WPMobile.App plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 11.56. This is due to insufficient validation on the redirect URL supplied via the 'redirect' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Impact
Unauthenticated attackers can redirect users to malicious phishing sites or credential harvesting pages via the redirect parameter.
Remediation
Update WPMobile.App plugin to a version newer than 11.56.
WPS Hide Login <= 1.5.2.2 - Login Page Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wps-hide-login"Description
WPS-Hide-Login plugin before 1.5.3 for WordPress contains an action=confirmaction protection bypass, letting attackers bypass security checks, exploit requires sending crafted requests.
Impact
Attackers can bypass login protection, potentially leading to unauthorized access.
Remediation
Update to version 1.5.3 or later.
WPS Hide Login <= 1.9.15.2 - Login Page Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wps-hide-login"Description
The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may have been hidden by the plugin.
Impact
Attackers can discover hidden WordPress login pages by bypassing the WPS Hide Login plugin's protection mechanism.
Remediation
Update WPS Hide Login plugin to a version newer than 1.9.15.2.
WS-FTP Ad Hoc Transfer Panel - Detect
Author: johnk3rAdded: Nov 14, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ad hoc transfer"}) || any(each(service["html.titles"]), {# matches "(?i)ws_ftp server web transfer"})Description
WS_FTP Ad Hoc panel was detected.
WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1398055326"Description
WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
Remediation
Upgrade to a patched version of WSO2 Carbon Management Console (5.11 or above) or apply the provided security patch to mitigate this vulnerability.
WSO2 Management Console - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "1398055326"Description
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
Impact
Attackers can bypass authentication to access internal memory statistics, leading to partial information disclosure.
Remediation
Apply security patches as per WSO2-2025-4115 advisory to enforce proper authentication on Management Console endpoints.
WSO2 Management Console Default Login
runzero-match
any(each(service["html.titles"]), {# matches "WSO2 Management Console"})Description
WSO2 Management Console default admin credentials were discovered.
WSO2 Management Console Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1398055326"Description
WSO2 Management Console login panel was detected.
WS_FTP Server - Insecure Deserialization
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Ad Hoc Transfer"})Description
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
Impact
Unauthenticated attackers can exploit .NET deserialization vulnerability in the Ad Hoc Transfer module to execute arbitrary commands on the WS_FTP Server, potentially compromising the entire file transfer infrastructure and accessing all transferred files.
Remediation
Update Progress WS_FTP Server to version 8.7.4 or 8.8.2 or later that properly validates deserialization input in the Ad Hoc Transfer module.
WS_FTP Server Web Transfer - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ws_ftp server web transfer"}) || any(each(service["html.titles"]), {# matches "(?i)ad hoc transfer"})Description
WS_FTP Server Web Transfer panel was detected.
WWBN AVideo 11.6 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)AVideo"Description
A reflected XSS vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff, allowing arbitrary Javascript execution.
Impact
Successful exploitation could lead to unauthorized access to sensitive information or account takeover.
Remediation
Sanitize and validate user input to prevent XSS attacks.
Wagtail Login - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wagtail - sign in"})Description
The Wagtail panel has been detected.
Wallix Access Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Wallix Access Manager"})Description
Wallix Access Manager panel was detected.
WampServer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WAMPSERVER Homepage"})Description
WampServer panel was detected.
WatchGuard Fireware AD Helper Component - Credentials Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "Fireware XTM User Authentication"})Description
WatchGuard Fireware Threat Detection and Response (TDR) service contains a credential-disclosure vulnerability in the AD Helper component that allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext.
Impact
Remote attackers can retrieve cleartext passwords, leading to potential account compromise and further system exploitation.
Remediation
Update to version 5.8.5.10317 or later.
Watcher Panel - Detect
Author: DhiyaneshDKAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)/vsaas/v2/static/"Watershed Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Watershed LRS"})Description
Watershed login panel was detected.
Wavlink - Improper Access Control
runzero-match
service["favicon.ico.image.mmh3"] == "-1350437236"Description
Wavlink WL-WN530H4 M30H4.V5030.210121 is susceptible to improper access control in the component /cgi-bin/ExportLogs.sh. An attacker can download configuration data and log files, obtain admin credentials, and potentially execute unauthorized operations.
Impact
The vulnerability can lead to unauthorized access, data leakage, or unauthorized actions on the affected device.
Remediation
Apply the latest firmware update provided by the vendor to fix the access control issue.
Wavlink WL-WN530HG4 M30HG4.V5030.201217 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)WN530HG4"Description
An access control issue in Wavlink WL-WN530HG4 M30HG4.V5030.201217 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials.
Impact
Successful exploitation could lead to sensitive information disclosure.
Remediation
Apply the latest firmware updates from Wavlink or implement network segmentation to restrict access to the device administration interface.
Wavlink WL-WN533A8 M33A8.V5030.190716 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)WN533A8"Description
An access control issue in the component /cgi-bin/ExportLogs.sh of Wavlink WL-WN533A8 M33A8.V5030.190716 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials.
Impact
Successful exploitation could lead to sensitive information disclosure.
Remediation
Apply the latest firmware updates from Wavlink or implement network segmentation to restrict access to the device administration interface.
Wavlink WN535K2/WN535K3 - OS Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wi-fi app login"})Description
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection which affects unknown code in /cgi-bin/nightled.cgi via manipulation of the argument start_hour. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.
Remediation
Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
Wazuh - Default Login
Author: theamanrawat,denandz,PulseSecurity.co.nzAdded: Oct 17, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Wazuh"})Description
Wazuh contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
Wazuh Login Panel
Author: cyllective,daffainfo,idealphaseAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wazuh"})Description
Wazuh - The Open Source Security Platform
WeChat agentinfo - Information Exposure
Author: SleepingBag945Added: Aug 18, 2023
runzero-match
service["http.body"] matches "(?i)wework_admin\\.normal_layout"Description
There is an information leakage vulnerability in the agentinfo interface of Tencent Enterprise WeChat. An attacker can obtain the Enterprise WeChat Secret through the vulnerability.
WeGIA - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WeGIA"})Description
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a path traversal vulnerability was discovered in the WeGIA application, html/socio/sistema/download_remessa.php endpoint. This vulnerability could allow an attacker to gain unauthorized access to local files in the server and sensitive information stored in config.php. config.php contains information that could allow direct access to the database. This issue has been patched in version 3.4.8.
Impact
Attackers can read arbitrary files including sensitive configuration files containing database credentials through path traversal in the download_remessa.php endpoint.
Remediation
Upgrade to WeGIA version 3.4.8 or later, which patches the path traversal vulnerability.
Web File Manager Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Web File Manager"})Description
Web File Manager login panel was detected.
Web Transfer Client Login Panel - Detect
Author: righettodAdded: Mar 5, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Web Transfer Client"})Description
Progress Web Transfer Client login panel was detected.
Web Viewer for Samsung DVR - Detect
Author: JustaAcatAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)web viewer for samsung dvr"})WebIQ 2.15.9 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WebIQ"})Description
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
Impact
Unauthenticated attackers can exploit directory traversal to read arbitrary files from the Windows system, potentially exposing sensitive configuration files, credentials, database files, and system information.
Remediation
Update WebIQ to a version later than 2.15.9 to address the directory traversal vulnerability.
WebMethod Integration Server Default Login
Author: ChristianPoeschl,OleWagner,usdAGAdded: Feb 20, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-234335289"WebPageTest Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WebPageTest"})Description
WebPageTest login panel was detected.
WebShell4 Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)webshell4"Description
WebShell4 login panel was detected.
WebTitan Cloud Panel - Detect
Author: ritikchaddhaAdded: Oct 25, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "1090061843"Description
WebTitan Cloud is a cloud-based web filtering solution that monitors, controls, and protects users and businesses online. It blocks malware, phishing, viruses, ransomware, and malicious sites.
WebcomCo - Panel
Author: DhiyaneshDkAdded: Jun 20, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WebcomCo"})Weblate Public Project - Exposure
Author: ritikchaddhaAdded: Jan 19, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Weblate"})Description
Weblate instance is publicly accessible. Public exposure of Weblate may lead to unauthorized access to translation projects, potential data leaks, credential exposure, or manipulation of open source localization data. Attackers can view available projects and access sensitive information if proper access controls are not implemented.
Webmin - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "Webmin"})Description
Webmin default login credentials were discovered.
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
runzero-match
service["product"] contains "Webmin:Usermin" || service["product"] contains "Webmin:Webmin"Description
Webmin before 1.290 and Usermin before 1.220 contain a path traversal caused by calling the simplify_path function before decoding HTML, letting remote attackers read arbitrary files, exploit requires sending crafted '..%01' sequences.
Impact
Attackers can read arbitrary files on the server, potentially exposing sensitive information.
Remediation
Update to Webmin 1.290 and Usermin 1.220 or later versions.
Webmin < 1.920 - Authenticated Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)webmin"})Description
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
Impact
Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system.
Remediation
Upgrade Webmin to version 1.920 or later to mitigate this vulnerability.
Webmin <= 1.920 - Unauthenticated Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)webmin"})Description
Webmin <=1.920. is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with root privileges.
Remediation
Upgrade to Webmin version 1.930 or later to mitigate this vulnerability.
Webmin Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)webmin"})Description
Webmin admin login panel was detected.
Webmodule Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Webmodule"})Description
Webmodule login panel was detected.
Webnus Inc. Modern Events Calendar - Broken Access Control
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/modern-events-calendar(?:-lite)?/"Description
Webnus Inc. Modern Events Calendar <= 7.29.0 contains a broken access control vulnerability caused by incorrectly configured access control security levels, letting attackers bypass authorization, exploit requires no special privileges.
Impact
Attackers can bypass authorization and access restricted functionality or data, potentially compromising system integrity.
Remediation
Update to the latest version beyond 7.29.0.
Webroot Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Webroot - Login"})Description
Webroot login panel was detected.
Webuzo Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)webuzo - admin panel"})Description
Webuzo admin login panel was detected.
WeiPHP 5.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)weiphp5\\.0" || service["http.body"] matches "(?i)weiphp"Description
WeiPHP 5.0 contains a SQL injection vulnerability via the wp_where function. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Upgrade to a patched version of WeiPHP or apply the vendor-supplied patch to fix the SQL Injection vulnerability.
Weiphp Panel - Detect
runzero-match
service["http.body"] matches "(?i)weiphp" || service["http.body"] matches "(?i)weiphp5\\.0"Description
Weiphp panel was detected.
Wekan Sign Up Page - Exposure
Author: DhiyaneshDKAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)Wekan"Description
Detected exposed Wekan sign-up functionality, indicating that unauthenticated users could access the registration page and potentially create new accounts.
Westermo Industrial Router - Login Panel
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "^lynx - westermo"})Description
Westermo industrial router web interface panel has been detected.
Western Digital MyCloud NAS - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "-1074357885"Description
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called \"cgi_get_ipv6\" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter \"flag\" with the value \"1\" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.
Impact
An attacker can bypass authentication and gain unauthorized access to the device, potentially leading to data theft or unauthorized control of the NAS.
Remediation
Apply the latest firmware update provided by Western Digital to fix the authentication bypass vulnerability.
Whatsup Gold Login Panel - Detect
Author: rxeriumAdded: Aug 9, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WhatsUp Gold"})Description
Whatsup Gold login panel was detected.
White Star Software ProTop - Directory Traversal
runzero-match
service["http.body"] matches "(?i)<title>ProTop"Description
A directory traversal vulnerability was discovered in White Star Software Protop version 4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. An unauthenticated attacker can remotely read arbitrary files on the underlying OS using encoded traversal sequences.
Impact
Unauthenticated attackers can read arbitrary files from the operating system through encoded traversal sequences in the /pt3upd/ endpoint, potentially exposing sensitive configuration and credential files.
Remediation
Upgrade White Star Software ProTop to a version after v4.4.2-2024-11-27.
WhoDB < 0.45.0 - Path Traversal
runzero-match
service["http.body"] matches "(?i)whodb"Description
WhoDB contains a path traversal caused by lack of validation when opening database files, letting unauthenticated attackers access arbitrary Sqlite3 databases on the host system, exploit requires attacker to manipulate database filename input.
Impact
Attackers can access any Sqlite3 database on the system, potentially exposing sensitive data.
Remediation
Upgrade to version 0.45.0 or later.
Wifisky Default Login
runzero-match
any(each(service["html.titles"]), {# matches "WIFISKY-7层流控路由器"})Description
Wifisky default admin credentials were discovered.
Wildfly - Default Admin Login
Author: s0obiAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Welcome to WildFly"})Description
Wildfly default admin login credentials were successful.
Wildix Collaboration Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1295577382"Description
Wildix Collaboration login panel was detected.
Windmill Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Windmill"})Description
Windmill panel was detected. Windmill (windmill.dev) is an open-source developer platform for workflows, scripts and internal apps, often self-hosted as a Postgres-backed UI. Exposed instances may reveal scripts, secrets and connected resources, and provide an authenticated path to script execution.
Windmill/Nextcloud Flow < 1.603.3 - Unauthenticated Path Traversal
runzero-match
service["http.body"] matches `id="Windmill"` && service["http.body"] matches `svelte-global-loader`Description
Windmill < 1.603.3 contains a path traversal caused by unsanitized filename parameter in get_log_file endpoint, letting unauthenticated attackers read arbitrary files on the server, exploit requires no authentication.
Impact
Unauthenticated attackers can read arbitrary files on the server, potentially exposing sensitive information.
Remediation
Update to version 1.603.3 or later.
Windows Admin Center Panel - Detection
Author: darsesAdded: Jun 21, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-765377534" || any(each(service["html.titles"]), {# matches "(?i)Windows Admin Center"})Description
Detect Windows Admin Center Panel web interface.
Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
runzero-match
service["favicon.ico.image.mmh3"] == "963565804" || any(each(service["html.titles"]), {# matches "(?i)Wing FTP Server"})Description
Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability (CVE-2025-47813).
The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an
overlong UID value causes the server to respond with an error that includes the full local filesystem path. This can aid in further
exploitation (e.g., CVE-2025-47812) by revealing the application’s file system layout.
Impact
Authenticated attackers can supply an overlong UID cookie value to trigger error responses that disclose the full local filesystem path, aiding in further exploitation attempts.
Remediation
Upgrade Wing FTP Server to version 7.4.4 or later that properly validates UID cookie values.
Wing FTP Server <= 7.4.3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)wing ftp server"}) || service["http.head.server"] matches "wing ftp server" || service["http.body.mmh3"] == "2121146066" || service["favicon.ico.image.mmh3"] == "963565804"Description
Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812).
The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection
into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting
in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.
Impact
Unauthenticated attackers can inject and execute Lua code through NULL byte handling in the username parameter when anonymous login is enabled, achieving remote code execution with elevated privileges.
Remediation
Upgrade Wing FTP Server to version 7.4.4 or later that properly handles NULL bytes in authentication parameters.
Wiren Board WebUI Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Wiren Board Web UI"})Description
Wiren Board WebUI panel was detected.
WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/woocommerce-ultimate-gift-card"Description
The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Impact
Unauthenticated attackers can upload arbitrary files including PHP scripts to the server through insufficient file type validation, enabling remote code execution and complete server compromise.
Remediation
Update WooCommerce Ultimate Gift Card plugin to a version later than 2.6.0 that addresses the arbitrary file upload vulnerability in the mwb_wgm_preview_mail and mwb_wgm_woocommerce_add_cart_item_data functions.
Woodpecker CI Panel - Detect
Author: Shivam KambojAdded: Dec 27, 2025
runzero-match
service["product"] contains "Woodpecker CI:Woodpecker"Description
Woodpecker CI panel was detected. Woodpecker is a community fork of Drone CI, providing a simple yet powerful continuous integration platform.
Woodwing Studio Server Panel - Detect
Author: pdteam,righettodAdded: Dec 13, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)WoodWing Studio Server"})WordPress 12 Step Meeting List Plugin <= 3.14.33 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/12-step-meeting-list/"Description
Code for Recovery 12 Step Meeting List versions up to 3.14.33 contain a reflected cross-site scripting caused by improper input neutralization during web page generation, letting attackers execute malicious scripts in users' browsers, exploit requires attacker to craft a malicious URL.
Impact
Attackers can execute malicious scripts in user browsers, potentially stealing cookies, session tokens, or performing actions on behalf of users.
Remediation
Implement proper input sanitization and output encoding, and update to the latest version.
WordPress <= 5.2.4 - Unauthenticated View Private/Draft Posts
runzero-match
service["http.body"] matches "(?i)Wordpress" && service["http.body"] matches `(?i)status-draft`Description
WordPress before 5.2.4 contains an information disclosure caused by mishandling of the static query property, letting unauthenticated users view certain content, exploit requires no authentication.
Impact
Unauthenticated users can view restricted content, leading to information disclosure.
Remediation
Update to WordPress 5.2.4 or later.
WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/chatbot/"Description
ChatBot plugin for WordPress up to 4.8.9 contains a sql_injection caused by insufficient escaping and lack of preparation on the $strid parameter, letting unauthenticated attackers extract sensitive data, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary SQL queries, leading to data disclosure and potential database compromise.
Remediation
Update to the latest version of the plugin that addresses this vulnerability, or apply security patches provided by the vendor.
WordPress AI Engine Plugin - Token Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ai-engine/"Description
Unauthenticated sensitive information exposure in AI Engine WordPress plugin <= 3.1.3 exposes bearer tokens via REST API endpoints when No-Auth URL is enabled.
Impact
Unauthenticated attackers can retrieve sensitive bearer tokens from AI Engine WordPress plugin through exposed REST API endpoints, potentially allowing privilege escalation and unauthorized access to AI service credentials.
Remediation
Upgrade to AI Engine version 3.1.4 or later that properly secures REST API endpoints and token handling.
WordPress AMP - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/accelerated-mobile-pages"Description
The WordPress AMP - Accelerated Mobile Pages plugin was detected to be vulnerable to Full Path Disclosure, allowing unauthenticated access to the full application path.
WordPress AddToAny Share Buttons Plugin - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/add-to-any/"Description
The AddToAny Share Buttons plugin for WordPress was detected to be vulnerable to Full Path Disclosure, allowing unauthenticated access to the full application path.
WordPress Astra - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/themes/astra/"Description
WordPress Astra Theme files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Astra Sites - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/astra-sites/"Description
WordPress Starter Templates plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress BackWPup < 4.0.4 - Backup File Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/backwpup/"Description
BackWPup WordPress plugin < 4.0.4 contains a directory listing vulnerability caused by lack of access restrictions in its temporary backup folder, letting unauthenticated attackers download site backups, exploit requires no authentication.
Impact
Unauthenticated attackers can download site backups, potentially leading to data theft or further exploitation.
Remediation
Update to version 4.0.4 or later.
WordPress Backup Migration <= 1.3.6 - Path Traversal
runzero-match
service["http.body"] matches "(?i)backup-migration"Description
WordPress Backup Migration plugin versions up to 1.3.6 contain a path traversal and file validation issue in handle_downloading function, letting unauthenticated attackers download backup files containing sensitive information.
Impact
Attackers can download backup files with sensitive data, leading to data breaches and privacy violations.
Remediation
Update to the latest version of the plugin, version 1.3.7 or later.
WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/burst-statistics/"Description
Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in is_mainwp_authenticated() function, letting unauthenticated attackers impersonate administrators, exploit requires knowledge of an administrator username.
Impact
Unauthenticated attackers can impersonate administrators, leading to privilege escalation and full control over the application.
Remediation
Update to a version later than 3.4.1.1 or the latest available version.
WordPress CMB2 - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/cmb2/"Description
WordPress CMB2 plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Campress Theme <= 1.35 - Unauthenticated Local File Inclusion
runzero-match
service["http.body"] matches "(?i)/wp-content/themes/campress/"Description
Campress theme for WordPress up to 1.35 contains a local file inclusion caused by 'campress_woocommerce_get_ajax_products' function, letting unauthenticated attackers include and execute arbitrary PHP files, exploit requires no authentication.
Impact
Attackers can include and execute arbitrary PHP files, leading to remote code execution and potential full server compromise.
Remediation
Update to the latest version beyond 1.35.
WordPress Collapsing Categories <= 3.0.8 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/collapsing-categories/"Description
Collapsing Categories plugin for WordPress <= 3.0.8 contains a sql_injection caused by insufficient escaping of 'taxonomy' parameter in /wp-json/collapsing-categories/v1/get REST API, letting unauthenticated attackers execute arbitrary SQL queries, exploit requires sending crafted 'taxonomy' parameter.
Impact
Attackers can execute arbitrary SQL queries, potentially leading to data leakage or database compromise.
Remediation
Update to the latest version of the plugin that addresses this vulnerability or apply security patches provided by the vendor.
WordPress Coming Soon Page - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/responsive-coming-soon"Description
WordPress Coming Soon Page & Maintenance Mode plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Core - Post Author Email Disclosure
runzero-match
service["http.body"] matches "(?i)oembed"Description
WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is applied to the user_email column.
Impact
This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
WordPress Core <=6.2 - Directory Traversal
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/"Description
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter.
Impact
This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
Remediation
Apply the latest security patches and updates from the vendor to address this vulnerability.
WordPress Download Manager - File Password Exposure
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/download-manager/"Description
The WordPress Download Manager plugin contains a vulnerability that allows attackers to obtain passwords for password-protected downloads by sending a specially crafted request to the validate-password API endpoint.
Impact
Unauthenticated attackers can obtain passwords for password-protected downloads by sending crafted requests to the validate-password API endpoint.
Remediation
Update the WordPress Download Manager plugin to the latest version.
WordPress Download Manager < 3.3.07 - Unauthenticated Data Exposure
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/download-manager/"Description
The WordPress Download Manager plugin before version 3.3.07 does not prevent directory listing on web servers that don't use htaccess, allowing unauthorized access to files stored in the download-manager-files directory.
Impact
Unauthenticated attackers can access sensitive files stored in the download-manager-files directory due to directory listing, potentially exposing confidential documents or data.
Remediation
Update the WordPress Download Manager plugin to version 3.3.07 or later.
WordPress Download Manager <= 3.2.59 - Reflected XSS
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/download-manager/"Description
W3 Eden, Inc. Download Manager plugin <= 3.2.59 contains a reflected cross-site scripting caused by insufficient input sanitization, letting attackers execute scripts in the context of the victim's browser, exploit requires attacker to craft a malicious link.
Impact
Attackers can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking or defacement.
Remediation
Update to the latest version of the plugin where the vulnerability is fixed.
WordPress Duplicator 1.3.24 & 1.3.26 - Local File Inclusion
runzero-match
service["service.product"] == "WordPress"Description
WordPress Duplicator 1.3.24 & 1.3.26 are vulnerable to local file inclusion vulnerabilities that could allow attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two
versions v1.3.24 and v1.3.26, the vulnerability wasn't
present in versions 1.3.22 and before.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire WordPress installation.
Remediation
Update the WordPress Duplicator plugin to the latest version (1.3.27 or higher) to mitigate the vulnerability.
WordPress End-of-Life - Detect
Author: Shivam KambojAdded: Mar 4, 2026
runzero-match
service["product"] contains "WordPress:WordPress"Description
Detected WordPress versions that have reached End-of-Life (EOL) and no longer receive security updates.
WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download
runzero-match
service["http.body"] matches "(?i)wp-event-solution"Description
Themewinter Eventin contains a path traversal caused by relative path manipulation, letting attackers access arbitrary files on the server, exploit requires no specific privileges or user interaction.
Impact
Attackers can access sensitive files on the server, potentially leading to information disclosure or system compromise.
Remediation
Update to the latest version of Eventin, version 4.0.27 or later.
WordPress Events Calendar 6.8.2.1 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/the-events-calendar/"Description
The Events Calendar WordPress plugin 6.8.2.1 contains missing access checks in the REST API, letting unauthenticated users access information about password protected events, exploit requires no authentication.
Impact
Unauthenticated users can access sensitive event information, potentially leading to information disclosure.
Remediation
Update to version 6.8.2.1 or later.
WordPress Events Manager - Full Path Disclosure
Author: DhiyaneshDkAdded: Feb 5, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/events-manager/"Description
WordPress WP Super Cache plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress File Upload <= 4.24.11 - Arbitrary File Read
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-file-upload/"Description
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
Impact
Unauthenticated attackers can read or delete arbitrary files outside the intended directory on WordPress sites running PHP 7.4 or earlier, potentially exposing sensitive configuration files, credentials, and causing system disruption.
Remediation
Update WordPress File Upload plugin to version 4.24.12 or later to address the path traversal vulnerability in wfu_file_downloader.php, or upgrade PHP to version 8.0 or later.
WordPress GamiPress <= 2.5.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/gamipress/"Description
The GamiPress plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.5.7 due to insufficient escaping on the user supplied parameter '$qv[$field_id]' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of GamiPress, version 2.5.8 or later.
WordPress Gift Voucher <4.1.8 - Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/gift-voucher/"Description
WordPress Gift Vouchers plugin before 4.1.8 contains a blind SQL injection vulnerability via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.
Remediation
Fixed in version 4.1.8.
WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/tradedoubler-affiliate-tracker/"Description
The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Impact
Unauthenticated attackers can exploit local file inclusion to read sensitive files like wp-config.php and potentially execute arbitrary PHP code.
Remediation
Update Grow by Tradedoubler plugin to version 2.0.22 or later to address the local file inclusion vulnerability.
WordPress HTML5 Video Player - SQL Injection
runzero-match
service["http.body"] matches "(?i)html5-video-player"Description
WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.
Impact
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
Remediation
Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
WordPress Header Footer Elementor - Full Path Disclosure
Author: ritikchaddhaAdded: Jan 21, 2026
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/header-footer-elementor/"Description
WordPress Header Footer Elementor plugin (also known as Ultimate Addons for Elementor - Lite) contains PHP files that lack proper ABSPATH protection, allowing direct access that reveals sensitive server path information via PHP error messages.
WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/hummingbird-performance"Description
Hummingbird Performance WordPress plugin <= 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication.
Impact
Unauthenticated attackers can extract sensitive credentials, leading to potential account compromise and further attacks.
Remediation
Update to the latest version beyond 3.18.0.
WordPress JS Archive List <= 6.1.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/jquery-archive-list-widget/"Description
Miguel Useche JS Archive List contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or deletion.
Remediation
Update to the latest version.
WordPress Job Portal < 2.0.6 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-job-portal"Description
The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape the city parameter before using it in a SQL statement,leading to a SQL injection vulnerability that is exploitable by unauthenticated users. This vulnerability can be used to extractsensitive data from the database or potentially compromise the WordPress installation.
Impact
Unauthenticated attackers can execute SQL injection through the city parameter to extract the complete WordPress database including user credentials and job portal data.
Remediation
Update to version 2.0.6 or later
WordPress Kali Forms <= 2.4.9 - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/kali-forms/"Description
Kali Forms WordPress plugin <= 2.4.9 contains a remote code execution caused by unsafe user input handling in 'form_process' and 'prepare_post_data' functions, letting unauthenticated attackers execute code on the server, exploit requires no authentication.
Impact
Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Update to the latest version beyond 2.4.9.
WordPress List Site Contributors < 1.1.8 - Reflected XSS
Author: m4sh_wackerAdded: Jan 23, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/list-site-contributors/"Description
WordPress List Site Contributors plugin < 1.1.8 contains a reflected XSS caused by insufficient sanitization and escaping of the 'alpha' parameter, letting unauthenticated attackers inject scripts, exploit requires user interaction.
Impact
Unauthenticated attackers can inject scripts that execute in users browsers, potentially stealing data or performing actions on their behalf.
Remediation
Update to a version later than 1.1.8 or the latest available version.
WordPress MStore API <= 4.0.1 - Unauthenticated SQL Injection
Author: Shivam KambojAdded: Feb 6, 2026
runzero-match
service["http.body"] matches "(?i)/mstore-api/"Description
MStore API plugin for WordPress up to version 4.0.1 contains an unauthenticated blind SQL injection caused by insufficient escaping of 'id' parameter in SQL queries, letting attackers execute arbitrary SQL commands without authentication, exploit requires sending crafted requests with malicious 'id' parameter.
Impact
Attackers can extract sensitive database information, potentially leading to data breach and compromise of the website.
Remediation
Update to the latest version of the plugin where the vulnerability is fixed.
WordPress ManageWP Worker - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/worker/"Description
WordPress ManageWP Worker plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Members / Membership & User Role Editor Plugin - Error Log Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/members/"Description
WordPress Members plugin is vulnerable to error log disclosure via direct access to plugin files.
WordPress Members Plugin - Debug/Error Log Disclosure
Author: ritikchaddhaAdded: Dec 25, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/members"Description
The WordPress Members plugin exposes error/debug log files that may contain sensitive information.
WordPress My Calendar <3.4.22 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/my-calendar"Description
WordPress My Calendar plugin versions before 3.4.22 are vulnerable to an unauthenticated SQL injection within the 'from' and 'to' parameters of the '/my-calendar/v1/events' REST route.
Impact
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, which could lead to data theft, database compromise, or further attack vectors.
Remediation
Upgrade to My Calendar plugin version 3.4.22 or later.
WordPress Newsletter - Log File Exposure
Author: pussycat0xAdded: Dec 30, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/newsletter/"Description
The Newsletters plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.5. This makes it possible for unauthenticated attackers to extract potentially sensitive information from log files.
WordPress NextGEN Gallery Pro - Error Log Disclosure
runzero-match
service["http.body"] matches "(?i)/plugins/nextgen-gallery-pro"Description
The NextGEN Gallery Pro plugin for WordPress may expose debug/error log files that contain sensitive information including file paths, database queries, and potentially credentials. These log files are accessible without authentication.
WordPress OceanWP - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/themes/oceanwp/"Description
WordPress OceanWP theme is vulnerable to full path disclosure via direct access to theme files.
WordPress PHPMailer < 5.2.18 - Remote Code Execution
runzero-match
service["product"] contains "WordPress:WordPress"Description
WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport.
Impact
Successful exploitation of this vulnerability can lead to unauthorized remote code execution on the affected WordPress website.
Remediation
Upgrade PHPMailer to version 5.2.18 or higher to mitigate this vulnerability.
WordPress POST SMTP Mailer <= 2.8.7 - Authorization Bypass
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/post-smtp"Description
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.
Impact
Unauthenticated attackers can exploit type juggling vulnerabilities in the connect-app REST endpoint to access and modify sensitive email configuration data.
Remediation
Fixed in 2.8.8
WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/paid-memberships-pro/"Description
WordPress Paid Memberships Pro plugin before 2.6.7 is susceptible to blind SQL injection. The plugin does not escape the discount_code in one of its REST routes before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.
Remediation
Upgrade to WordPress Paid Memberships Pro version 2.6.7 or later to mitigate this vulnerability.
WordPress Paid Memberships Pro <2.9.8 - Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/paid-memberships-pro/"Description
WordPress Paid Memberships Pro plugin before 2.9.8 contains a blind SQL injection vulnerability in the 'code' parameter of the /pmpro/v1/order REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.
Remediation
Upgrade to WordPress Paid Memberships Pro version 2.9.8 or later to mitigate this vulnerability.
WordPress Perfect Images (WP Retina 2x) < 6.4.6 - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-retina-2x/"Description
Jordy Meow Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) versions up to 6.4.5 contain a vulnerability that exposes sensitive information to unauthorized actors, letting attackers access confidential data, exploit requires no specific conditions.
Impact
Unauthorized actors can access sensitive information, leading to privacy breaches and potential data misuse.
Remediation
Update to version 6.4.6 or later.
WordPress Plugin GDPR Cookie Consent - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/cookie-law-info/"Description
WordPress GDPR Cookie Consent (cookie-law-info) plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Plugin Google Tag Manager - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/duracelltomi-google-tag-manager/"Description
WordPress Plugin Google Tag Manager files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin Imsanity - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/imsanity/"Description
WordPress Imsanity plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Plugin InfiniteWP Client - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/iwp-client/"Description
WordPress InfiniteWP Client plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Plugin LayerSlider 7.9.11-7.10.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/LayerSlider/"Description
The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Authenticated attackers can execute arbitrary SQL queries, potentially extracting sensitive data or compromising the database.
Remediation
Update LayerSlider plugin to version 7.10.1 or later.
WordPress Plugin Max Mega Menu (megamenu) - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/megamenu"Description
WordPress Plugin Max Mega Menu plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin Newsletter - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/newsletter/"Description
WordPress Plugin Newsletter plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin SG Optimizer - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/sg-cachepress/"Description
WordPress Plugin SG Optimizer Plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin SSL Insecure Content Fixer - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/ssl-insecure-content-fixer/"Description
WordPress SSL Insecure Content Fixer plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin Safe SVG - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/safe-svg/"Description
WordPress Safe SVG plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Plugin Table of Contents Plus - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 19, 2025
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/table-of-contents-plus"Description
The Table of Contents Plus WordPress plugin is vulnerable to Full Path Disclosure. This vulnerability allows attackers to view the full server path by accessing certain files or triggering error conditions, which can aid in further attacks such as directory traversal or local file inclusion.
Impact
An attacker can exploit this vulnerability to gain insights into the server's directory structure, which can be leveraged to perform further attacks such as directory traversal or local file inclusion.
Remediation
Update the Table of Contents Plus plugin to the latest version. Ensure error reporting is disabled in production environments and implement proper error handling that doesn't expose full paths.
WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-statistics/"Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
Impact
Unauthenticated attackers can execute time-based blind SQL injection through the IP parameter to extract sensitive database information including user credentials, posts, comments, and WordPress configuration data.
Remediation
Update WP Statistics plugin to version 13.1.6 or later that properly escapes and parameterizes the IP parameter.
WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-statistics/"Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
Impact
Unauthenticated attackers can execute time-based SQL injection through the current_page_id parameter to extract the complete WordPress database including user credentials, visitor statistics, and site analytics data.
Remediation
Update wp-statistics plugin to version 13.1.6, or newer.
WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-statistics/"Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
Impact
Unauthenticated attackers can exploit time-based blind SQL injection to extract sensitive database contents including user credentials and statistics data.
Remediation
Update wp-statistics plugin to version 13.1.6, or newer.
WordPress Plugin WooCommerce Admin (woocommerce-admin) Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/woocommerce-admin"Description
WordPress Plugin WooCommerce Admin plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin iThemes Security - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/better-wp-security/"Description
WordPress Plugin iThemes Security files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Plugin reCaptcha by BestWebSoft (google-captcha) - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/google-captcha"Description
WordPress ManageWP Worker plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress Pretty Links - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/pretty-link/"Description
WordPress Pretty Links plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution
runzero-match
service["http.body"] matches "/wp-content/plugins/woocommerce-delivery-notes/"Description
Print Invoice & Delivery Notes for WooCommerce plugin for WordPress <= 5.8.0 contains a remote code execution caused by missing capability check, PHP enabled in Dompdf, and missing escape in template.php, letting unauthenticated attackers execute code on the server.
Impact
Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Remediation
Update to the latest version beyond 5.8.0.
WordPress Realtyna Organic IDX Plugin <= 4.14.4 - Unauthenticated SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/real-estate-listing-realtyna-wpl(?:-pro)?/"Description
The Realtyna Organic IDX plugin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.14.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
Remediation
Update to the latest version of the plugin, version 4.14.5 or later.
WordPress SEO Plugin Rank Math - Full Path Disclosure
Author: ritikchaddha,DhiyaneshDKAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/seo-by-rank-math/"Description
WordPress Rank Math SEO plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress SVG Support - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/svg-support/"Description
The WordPress SVG Support plugin was detected to have publicly accessible PHP files without ABSPATH protection, which exposed sensitive server path information. Direct access to vendor/composer files triggered PHP fatal errors that revealed the full WordPress filesystem path.
WordPress Simple Job Board - Unauthorized Data Access
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/simple-job-board"Description
The Simple Job Board plugin for WordPress is vulnerable to unauthorized data access due to insufficient authorization checking in the fetch_quick_job() function in all versions up to and including 2.10.8. This makes it possible for unauthenticated attackers to fetch arbitrary posts, which can be password protected or private and contain sensitive information.
Impact
Unauthenticated attackers can access password-protected or private posts containing sensitive information without authorization, potentially exposing confidential job postings or internal data.
Remediation
Upgrade to Simple Job Board version 2.10.9 or later.
WordPress Statistics <13.0.8 - Blind SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-statistics/"Description
WordPress Statistic plugin versions prior to version 13.0.8 are affected by an unauthenticated time-based blind SQL injection vulnerability.
Impact
Unauthenticated attackers can extract database contents via time-based blind SQL injection, potentially exposing sensitive WordPress configuration and user data.
Remediation
Update to WordPress Statistics plugin version 13.0.8 or later to mitigate the vulnerability.
WordPress Storefront Theme - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/themes/storefront/"Description
The Storefront theme for WordPress was detected to be vulnerable to Full Path Disclosure, allowing unauthenticated attackers to obtain the full application path that could aid other attacks when combined with another vulnerability.
WordPress TI WooCommerce Wishlist Plugin <= 2.8.2 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ti-woocommerce-wishlist/"Description
In the latest version (2.8.2 as of writing the article) and below, the plugin is vulnerable to a SQL injection vulnerability that allows any users to execute arbitrary SQL queries in the database of the WordPress site. No privileges are required to exploit the issue. The vulnerability is unpatched on the latest version and is tracked as the CVE-2024-43917.
Impact
Unauthenticated attackers can execute time-based SQL injection to extract sensitive data from the WordPress database.
Remediation
Update TI WooCommerce Wishlist plugin to a version that patches CVE-2024-43917.
WordPress Table of Contents Plus - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/table-of-contents-plus/"Description
WordPress Table of Contents Plus plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress The Events Calendar - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/the-events-calendar/"Description
WordPress The Events Calendar plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Tourfic Plugin <= 2.11.7 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/tourfic/"Description
The Tourfic plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 2.11.7 due to insufficient input sanitization and output escaping in the 'place' parameter.
Impact
Attackers can execute malicious scripts in users' browsers, potentially stealing cookies, session tokens, or performing actions on behalf of users.
Remediation
Update to Tourfic version 2.11.8 or later.
WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/ultimate-member"Description
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can execute time-based SQL injection through the sorting parameter in the member directory to extract the complete WordPress database including user credentials, member profiles, and sensitive site data.
Remediation
Fixed in 2.8.3
WordPress UpdraftPlus - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 12, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/updraftplus"Description
WordPress Plugin UpdraftPlus files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress User Registration & Membership Plugin Detection
Author: omarkurtAdded: Mar 10, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/user-registration/"Description
Detected WordPress User Registration & Membership plugin and its version information.
WordPress Visitor Statistics <=5.7 - SQL Injection
runzero-match
service["http.body"] matches "(?i)wp-stats-manager"Description
WordPress Visitor Statistics plugin through 5.7 contains multiple unauthenticated SQL injection vulnerabilities. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
Remediation
Update to the latest version of the WordPress Visitor Statistics plugin (>=5.8) to mitigate the SQL Injection vulnerability.
WordPress W3 Total Cache - Cache Files Exposure
Author: pussycat0xAdded: Dec 22, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/w3tc/dbcache/"Description
Detects publicly accessible W3 Total Cache database cache files in the wp-content/w3tc/dbcache/ directory. When database caching to disk is enabled, these files contain raw SQL query results, potentially exposing sensitive data such as user details, password hashes, emails, or other database content if the directory is not properly protected.
WordPress WP Clone <= 2.4.2 - Database Backup Exposure
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-clone-by-wp-academy/"Description
Clone WordPress plugin < 2.4.3 contains a buffer overflow caused by storing in-progress backup information in publicly accessible buffer files at a static file path, letting attackers access sensitive backup data, exploit requires no special privileges
Impact
Attackers can access sensitive backup information, potentially leading to data disclosure or manipulation.
Remediation
Update to version 2.4.3 or later.
WordPress WP Mail SMTP - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-mail-smtp/"Description
WordPress WP Mail SMTP plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress WP Maintenance Mode - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-maintenance-mode/"Description
WordPress WP Maintenance Mode plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress WP Migrate DB - Full Path Disclosure
Author: pussycat0xAdded: Dec 23, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-migrate-db/"Description
The WP Migrate DB (WP Migrate Lite - WordPress Migration Made Easy) plugin for WordPress was detected to be vulnerable to Full Path Disclosure, allowing unauthenticated attackers to obtain the full application path that could aid other attacks when combined with another vulnerability.
WordPress WP-Advanced-Search <= 3.3.9 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wp-advanced-search/"Description
The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impact
Unauthenticated attackers can exploit SQL injection through the autocompletion endpoint to extract sensitive database information including user credentials, posts, comments, and configuration data.
Remediation
Update WP-Advanced-Search plugin to a version later than 3.3.9 that properly escapes user supplied parameters and uses prepared SQL statements in autocompletion-PHP5.5.php.
WordPress WP-PageNavi - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 7, 2026
runzero-match
service["http.body"] matches "(?i)/plugins/wp-pagenavi/"Description
WordPress WP-PageNavi plugin files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress WPForms - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 12, 2026
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpforms-lite"Description
WordPress Plugin WPForms files are publicly accessible without ABSPATH protection, exposing sensitive server path information through PHP error messages when accessed directly.
WordPress WPML Multilingual CMS < 4.6.1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/sitepress-multilingual-cms/"Description
The WPML Multilingual CMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions prior to 4.6.1. The plugin does not escape some URL attributes before outputting them to a page, allowing attackers to inject malicious JavaScript which may be executed in the browser of an unsuspecting user.
WordPress Wordfence - Configuration File Disclosure
runzero-match
service["http.body"] matches "(?i)/plugins/wordfence"Description
The Wordfence Security plugin for WordPress stores configuration files in the /wp-content/wflogs/ directory. These files may be accessible without authentication and can expose sensitive configuration data, firewall rules, attack logs, and internal paths.
WordPress Wordfence - Rules File Disclosure
runzero-match
service["http.body"] matches "(?i)/plugins/wordfence"Description
The Wordfence Security plugin for WordPress stores configuration files in the /wp-content/wflogs/ directory. These files may be accessible without authentication and can expose sensitive configuration data, firewall rules, attack logs, and internal paths.
WordPress Wordfence - WAF Logs and Data Disclosure
runzero-match
service["http.body"] matches "(?i)/plugins/wordfence"Description
The Wordfence Security plugin creates various log and data files in the wflogs directory. If directory listing is enabled or files are directly accessible, sensitive information about blocked attacks, IP addresses, and firewall configuration may be exposed.
WordPress YITH WooCommerce Wishlist - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/yith-woocommerce-wishlist/"Description
WordPress YITH WooCommerce Wishlist plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress Yoast SEO - Full Path Disclosure
Author: ritikchaddhaAdded: Dec 17, 2025
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wordpress-seo/"Description
WordPress Yoast SEO plugin is vulnerable to full path disclosure via direct access to plugin files.
WordPress wp-links-opml.php - Version Disclosure
Author: princechaddhaAdded: Jan 30, 2026
runzero-match
service["product"] contains "WordPress:WordPress"Description
WordPress wp-links-opml.php file was publicly accessible and expossed the WordPress version in the generator tag.
Wordpress Gift Cards <= 4.3.1 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/gift-voucher/"Description
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action.
Impact
Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
Remediation
Update the Gift Cards (Gift Vouchers and Packages) WordPress Plugin to the latest version available.
Wordpress Polls Widget < 1.5.3 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/polls-widget/"Description
The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
Impact
Unauthenticated attackers can execute SQL injection to manipulate database contents, potentially gaining unauthorized access to all WordPress data including user credentials.
Remediation
Fixed in 1.5.3
Wordpress WPMobile.App >= 11.42 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpappninja"Description
WPMobile.App versions up to 11.41 contain a reflected cross-site scripting (XSS) caused by improper input neutralization during web page generation, letting attackers execute scripts in the victim's browser, exploit requires attacker to craft malicious input.
Impact
Attackers can execute arbitrary scripts in the victim's browser, potentially stealing cookies, session tokens, or performing actions on behalf of the user.
Remediation
Implement proper input sanitization and output encoding, and update to the latest version of WPMobile.App.
Worpress Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/backup-backup/"Description
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.
Impact
Unauthenticated attackers can leverage file inclusion via backup-heart.php to achieve arbitrary code execution, potentially compromising the entire WordPress site and server.
Remediation
Upgrade Backup Migration plugin to version 1.3.8 or later.
Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manager\" product:\"wowza streaming engine"})Description
Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API.
Impact
An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to unauthorized access or disclosure of sensitive information.
Remediation
Upgrade to the latest version of Wowza Streaming Engine Manager or apply the necessary patches to fix the directory traversal vulnerability.
Wowza Streaming Engine Manager Panel - Detect
Author: dhiyaneshDKAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manager"})Description
Wowza Streaming Engine Manager panel was detected.
WpStickyBar <= 2.1.0 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/plugins/wpstickybar-sticky-bar-sticky-header"Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
Impact
Unauthenticated attackers can execute time-based SQL injection attacks to extract sensitive database information including user credentials and configuration data.
Remediation
Update WpStickyBar plugin to version 2.1.1 or later to address the SQL injection vulnerability.
X-UI - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "X-UI Login"})Description
X-UI contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
XAMPP PHP info Page - Detect
Author: pussycat0xAdded: Dec 10, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)XAMPP"})Description
XAMPPHPinfo page was detected. The output of the phpinfo() command can reveal sensitive and detailed PHP environment information.
Remediation
Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only.
XDS-AMR Status Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)XDS-AMR - status"})Description
XDS-AMR Status login panel was detected.
XNAT - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "XNAT"})Description
XNAT contains an admin default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
XNAT Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)xnat"})Description
XNAT login panel was detected.
XSpeeder Login - Detect
Author: rxeriumAdded: Dec 27, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)神行者路由"})Description
Detects the presence of XSpeeder router login panels.
XVR Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)xvr login"})Description
XVR login panel was detected.
XWiki - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS).
Impact
Successful exploitation could lead to unauthorized access to sensitive information or account takeover
Remediation
Apply the latest security patches provided by XWiki to mitigate the vulnerability
XWiki - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using URL such as: > /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 9.4-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Impact
Successful exploitation could allow an attacker to execute malicious scripts in the context of the victim's browser.
Remediation
Update XWiki to the latest version to mitigate the Reflected XSS vulnerability.
XWiki - HQL Injection
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki is vulnerable to Hibernate Query Language (HQL) injection in the wiki and space search REST API starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0. The vulnerability allows attackers to inject malicious HQL queries through the orderField parameter, potentially leading to data extraction, authentication bypass, or remote code execution depending on database backend and configuration.
Impact
Unauthenticated attackers can inject malicious HQL queries through the orderField parameter, potentially leading to complete database compromise, data extraction, authentication bypass, or remote code execution.
Remediation
Update XWiki to a version that patches this vulnerability. Review and sanitize all user-controlled parameters that are used in database queries, especially those passed to HQL queries.
XWiki - Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki 16.7.0 to 16.10.11, 17.4.4, and 17.7.0 using XJetty contains an information disclosure vulnerability caused by exposed context allowing static access to files in webapp/ folder, letting attackers access sensitive files, exploit requires use of XJetty package.
Impact
Attackers can access sensitive files including credentials, leading to information disclosure.
Remediation
Update to versions 16.10.11, 17.4.4, or 17.7.0 or later.
XWiki < 12.10.11, 13.4.4 & 13.9-rc-1 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
An unauthenticated user can retrieve a list of users and their full names through a publicly accessible URL in XWiki. The issue affects versions before 12.10.11, 13.4.4, and 13.9-rc-1.
Impact
Information disclosure could lead to unauthorized access to sensitive data.
Remediation
Upgrade XWiki to the latest version to mitigate CVE-2022-24819.
XWiki < 14.10.14 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki is vulnerable to reflected cross-site scripting (RXSS) via the rev parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the user, including remote code (Groovy) execution in the case of a user with programming right, compromising the confidentiality, integrity and availability of the whole XWiki installation.
Impact
Successful exploitation could lead to cross-site scripting attack.
Remediation
This has been patched in XWiki 15.6 RC1, 15.5.1 and 14.10.14.
XWiki < 14.10.14 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When document names are validated according to a name strategy (disabled by default), XWiki starting in version 12.0-rc-1 and prior to versions 12.10.12 and 15.5-rc-1 is vulnerable to a reflected cross-site scripting attack in the page creation form. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link.
Impact
Successful exploitation could lead to cross-site scripting attack.
Remediation
This has been patched in XWiki 14.10.12 and 15.5-rc-1 by adding appropriate escaping.
XWiki < 14.10.5 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is vulnerable to reflected XSS via the previewactions template. An attacker can inject JavaScript through the xcontinue parameter.
Impact
Successful exploitation could lead to unauthorized access or data theft.
Remediation
Apply the latest patches provided by XWiki to mitigate the vulnerability.
XWiki < 4.10.15 - Email Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
The Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for objcontent:email* using XWiki's regular search interface.
Impact
Successful exploitation could lead to disclosure of the email of all the users.
Remediation
This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled.
XWiki < 4.10.15 - Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
The Solr-based search suggestion provider that also duplicates as generic JavaScript API for search results in XWiki exposes the content of all documents of all wikis to anybody who has access to it, by default it is public. This exposes all information stored in the wiki (but not some protected information like password hashes). While there is a right check normally, the right check can be circumvented by explicitly requesting fields from Solr that don't include the data for the right check. This can be reproduced by opening <xwiki-server>/xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+ where <xwiki-server> is the URL of the XWiki installation. If this displays any results, the wiki is vulnerable.
Impact
Successful exploitation could lead to disclosure of content of all documents of all wikis.
Remediation
This has been fixed in XWiki 15.6RC1, 15.5.1 and 14.10.15 by not listing documents whose rights cannot be checked.
XWiki < 4.10.15 - Sensitive Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability.
Impact
Successful exploitation could lead to disclosure of the password hashes of all users.
Remediation
This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1.
XWiki < 4.10.20 - Remote code execution
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
Impact
Successful exploitation could lead to remote code execution.
Remediation
Apply the vendor-supplied patch or upgrade to a 14.10.20 ,15.5.4, 15.10-rc-1.
XWiki >= 13.10.8 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
Reflected XSS vulnerability in XWiki authenticate endpoints allows execution of arbitrary JavaScript.
Impact
Successful exploitation could allow an attacker to execute malicious scripts in the context of the victim's browser.
Remediation
Implement proper input validation and output encoding to prevent XSS attacks in the XWiki application.
XWiki >= 2.5-milestone-2 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/XWiki/Main xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain). This vulnerability exists since XWiki 2.5-milestone-2. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Impact
Successful exploitation could lead to cross-site scripting.
Remediation
This vulnerability has been patched in XWiki 14.10.5,15.1-rc-1.
XWiki >= 3.4-milestone-1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain).
Impact
Successful exploitation could lead to cross-site scripting.
Remediation
This vulnerability has been patched in XWiki 14.10.5,15.1-rc-1.
XWiki >= 6.0-rc-1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as: > xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.0-rc-1.
Impact
Successful exploitation could lead to cross-site scripting.
Remediation
This vulnerability has been patched in XWiki 14.10.6,15.1.
XWiki >= 6.2-milestone-1 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.2-milestone-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Impact
Successful exploitation could lead to cross-site scripting.
Remediation
This vulnerability has been patched in XWiki 14.10.5,15.1-rc-1.
XWiki DeleteApplication - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates.
Impact
An attacker can execute arbitrary JavaScript in the victim's browser, leading to potential session hijacking, data theft, or further attacks.
Remediation
Upgrade to XWiki 14.10.14, 15.5.1, 15.8-rc-1 or above. Do not interact with suspiciously crafted links.
XWiki Platform - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform versions >= 4.2-milestone-3 and < 16.4.8, >= 16.5.0-rc-1 and < 16.10.6, and >= 17.0.0-rc-1 and < 17.3.0-rc-1 are vulnerable to reflected XSS in two templates. The vulnerability allows an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL.
Impact
Attackers can execute malicious JavaScript in victim sessions by crafting URLs with XSS payloads in translationPrefix, extensionId, or extensionVersionConstraint parameters.
Remediation
Upgrade to XWiki Platform version 16.4.8, 16.10.6, or 17.3.0-rc-1 or later that properly sanitizes user input in templates.
XWiki Platform - Information Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API.
Impact
Remote attackers can access sensitive configuration files, potentially exposing critical information.
Remediation
Update to version 16.10.7 or later.
XWiki Platform - Path Traversal
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform 4.2-milestone-2 through 16.10.6 contains a path traversal caused by improper access control in jsx and sx endpoints, letting remote attackers read configuration files, exploit requires no special privileges.
Impact
Remote attackers can read sensitive configuration files, potentially exposing critical system information.
Remediation
Upgrade to version 16.10.7 or later.
XWiki Platform - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
This issue has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1. Users are advised to upgrade.
XWiki Platform - Remote Code Execution
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity, and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
Impact
An attacker can execute arbitrary code on the server, leading to a complete compromise of the XWiki instance.
Remediation
Upgrade to XWiki 15.10.11, 16.4.1, or 16.5.0RC1 to mitigate this vulnerability.
XWiki Platform - SQL Injection
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value.
Impact
Authenticated attackers with access to the deleted documents trash feature could inject SQL code, leading to data leakage, database modification, or further compromise of the application.
Remediation
Upgrade to XWiki Platform version 16.10.6 and 17.3.0-rc-1. (or newer) which addresses this vulnerability. Always validate and sanitize user-controlled input for query parameters.
XWiki Platform - Unauthorized Document History Access
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A vulnerability in XWiki Platform's REST API allows unauthorized users to access document history information. The REST API endpoint exposes the history of any page including modification times, version numbers, author details (username and display name), and version comments, regardless of access rights configuration, even on private wikis.
Impact
An attacker can access document history of any known page
Remediation
Upgrade to XWiki Platform version 15.10.9 or 16.3.0-rc-1 or later. No workarounds are available for earlier versions
XWiki Platform Distribution Flavor Main - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
XWiki Platform Distribution Flavor Main versions prior to 17.6.0 are vulnerable to reflected cross-site scripting (XSS) due to improper sanitization of user-supplied input in the extensionId parameter. An attacker can exploit this issue by injecting malicious JavaScript, which will be executed in the context of the victim's browser, potentially leading to session hijacking or other attacks.
XWiki REST API - Attachments Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A vulnerability in XWiki's REST API allows unauthenticated users to access attachments list and metadata through the attachments endpoint. This could lead to disclosure of sensitive information stored in attachments metadata.
Impact
Unauthenticated users can access attachment lists and metadata through the REST API attachments endpoint, potentially exposing sensitive information.
Remediation
Upgrade to the latest XWiki version that implements proper authorization checks for the attachments REST API endpoint.
XWiki REST API - Private Pages Disclosure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A vulnerability in XWiki's REST API allows unauthenticated users to access information about private pages through the pages endpoint. This could lead to disclosure of sensitive information and page metadata.
Impact
Unauthenticated users can access private page information through the REST API pages endpoint, potentially exposing sensitive metadata and page content.
Remediation
Upgrade to XWiki version that implements proper authorization checks for the REST API pages endpoint.
XWiki REST API Query - SQL Injection
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A SQL injection vulnerability exists in XWiki's REST API query endpoint. An unauthenticated attacker can execute arbitrary SQL queries through the 'q' parameter by manipulating the HQL query, potentially leading to data exfiltration or system compromise.
Impact
Unauthenticated attackers can execute arbitrary SQL queries through the REST API query endpoint, potentially leading to complete database compromise and data exfiltration.
Remediation
Upgrade to the latest XWiki version that properly sanitizes HQL query parameters in the REST API.
XWiki XML View - Sensitive Information Exposure
runzero-match
service["http.body"] matches "(?i)data-xwiki-reference"Description
A vulnerability in XWiki's XML view functionality exposes sensitive information such as passwords and email addresses that are stored in custom fields not explicitly named as password or email. This information disclosure occurs when accessing user profiles with the xml.vm template.
Impact
Unauthenticated attackers can access sensitive information including passwords and email addresses stored in custom user profile fields through the XML view functionality.
Remediation
Upgrade XWiki to the latest version that properly protects sensitive custom fields in XML view outputs.
XXL-JOB Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "1691956220"Description
XXL-JOB default admin credentials were discovered.
XXLJOB Admin Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1691956220"Description
XXLJOB admin login panel was detected.
Xeams Admin Console Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)xeams admin"})Description
Xeams Admin Console login panel was detected.
Xerox Fuji/VersaLink Login - Panel
runzero-match
service["http.body"] matches "(?i)/XUX-nwave/"Description
Xerox Fuji / VersaLink Login Panel was discovered
Xfinity Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)xfinity"})Description
Xfinity panel was detected.
Xiaomi Wireless Router Admin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)小米路由器"})Description
Xiaomi Wireless router admin panel was detected.
Xibo CMS Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)/xibosignage/xibo-cms"Description
Xibo CMS login panel was detected.
Xinference Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "Xinference"})Description
Xinference (Xorbits Inference) is a powerful and versatile library designed to
serve language, speech recognition, and multimodal models
XploitSPY - Default Login
Author: andrelunaAdded: Oct 8, 2023
runzero-match
service["http.body"] matches "XploitSPY"Description
Default login and password to access administrator panel
Xymon - Exposure
Author: theamanrawatAdded: Jan 19, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Xymon"})Description
Detected the exposure of the Xymon monitoring system interface.
YARPP <= 5.30.10 - Missing Authorization
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/yet-another-related-posts-plugin/"Description
The YARPP Yet Another Related Posts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in the ~/includes/yarpp_pro_set_display_types.php file in all versions up to, and including, 5.30.10. This makes it possible for unauthenticated attackers to set display types.
Impact
Unauthenticated attackers can modify display types in the YARPP plugin without proper authorization.
Remediation
Update YARPP plugin to a version later than 5.30.10 that patches the missing authorization vulnerability.
YPAREO Panel - Detect
Author: righettodAdded: Mar 11, 2026
runzero-match
service["http.body"] matches "(?i)ypareo"Description
YPAREO was detected — an Enterprise Resource Planning system.
Yacht - Default Login
Author: Fur1naAdded: Apr 23, 2025
runzero-match
service["favicon.ico.image.mmh3"] == "-503392394"Description
Yacht is a web interface for managing Docker containers. This template detects instances with default admin credentials (admin@yacht.local:pass), which could allow unauthorized access to the Docker environment, potentially leading to container manipulation, data exposure, or even host system compromise.
YeaLink DM 3.6.0.20 - Remote Command Injection
runzero-match
service["http.body"] contains "sorry but ydmp doesn't work properly without JavaScript enabled"Description
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.
Remediation
Update to the latest firmware version provided by the vendor to mitigate this vulnerability.
Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation
runzero-match
service["http.body"] matches "(?i)wp-content/plugins/yellow-pencil-visual-theme-customizer/"Description
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
Impact
Unauthenticated attackers can exploit CSRF to escalate privileges to administrator level, gaining complete control over the WordPress site including content manipulation and user management.
Remediation
Upgrade to Yellow Pencil Visual Theme Customizer version 7.2.1 or later.
Yellowfin Information Collaboration - Detect
Author: DhiyaneshDKAdded: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Yellowfin Information Collaboration"})YesWiki < 4.5.4 - Cross-Site Scripting
runzero-match
service["http.body"] matches "(?i)yeswiki"Description
YesWiki < 4.5.4 contains a reflected cross-site scripting caused by unsanitized `idformulaire` parameter in `/?BazaR` endpoint, letting attackers steal cookies and hijack sessions, exploit requires user to click malicious link.
Impact
Attackers can steal cookies, hijack user sessions, deface website, or embed malicious content.
Remediation
Update to version 4.5.4 or later.
YesWiki <2022-07-07 - SQL Injection
runzero-match
service["http.body"] matches "(?i)yeswiki"Description
YesWiki before 2022-07-07 contains a SQL injection vulnerability via the id parameter in the AccueiL URL. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
YesWiki Reflected XSS via File Upload
runzero-match
service["http.body"] matches "(?i)yeswiki"Description
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This issue has been patched in version 4.5.4.
Impact
Attackers can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking or defacement.
Remediation
Update to version 4.5.4 or later.
Yeswiki < 4.5.2 - Unauthenticated Path Traversal
runzero-match
service["http.body"] matches "(?i)yeswiki"Description
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
Impact
Unauthenticated attackers can exploit path traversal through the squelette parameter to read arbitrary files from the YesWiki server, potentially exposing sensitive configuration and data files.
Remediation
This vulnerability is fixed in 4.5.2.
Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1085941792"Description
Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting (XSS) via the langcode parameter in /help/systop.jsp and /help/top.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
Impact
Attackers can inject malicious JavaScript through the langcode parameter in help pages, potentially stealing user credentials, session cookies, or executing unauthorized actions.
Remediation
Upgrade to Yonyou UFIDA ERP-NC version 5.1 or later that properly sanitizes the langcode parameter.
Yonyou YonBIP - Path Traversal
runzero-match
service["http.body"] matches "(?i)YonBIP \\| 数据应用服务"Description
Yonyou YonBIP v3 and before contains a path traversal caused by improper validation in the LoginWithV8 interface of the series data application service system, letting unauthorized attackers access sensitive information.
Impact
Unauthorized attackers can access sensitive system information, potentially leading to data exposure.
Remediation
Update to the latest version beyond v3.
Yopass Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Yopass"})Description
Yopass panel was detected.
YouPHPTube Encoder 2.3 - Command Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-276846707"Description
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
Impact
Unauthenticated attackers can execute arbitrary system commands through command injection, leading to complete server compromise and potential access to all media content.
Remediation
Upgrade to YouPHPTube Encoder version 2.4 or later, or apply vendor-provided security patches.
Youzify < 1.2.0 - Unauthenticated SQLi
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/youzify"Description
The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection
Impact
Unauthenticated attackers can execute time-based blind SQL injection via AJAX actions to extract database contents, potentially exposing all Youzify media and user data.
Remediation
Fixed in 1.2.0
YunoHost Admin Panel - Detect
Author: s4e-ioAdded: Jan 13, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)YunoHost Admin"})Description
YunoHost Admin panel was discovered.
YzmCMS Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)yzmcms"})Description
YzmCMS login panel was detected.
Z-BlogPHP Admin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zblog"})Description
Z-BlogPHP admin login panel was detected.
Z-BlogPHP Panel - Detect
runzero-match
service["http.body"] matches "(?i)Z-BlogPHP"Description
Z-BlogPHP panel was detected.
ZEROF Web Server 2.0 - SQL Injection
runzero-match
service["http.head.server"] matches "ZEROF Web Server"Description
ZEROF Web Server 2.0 allows SQL Injection via the /HandleEvent endpoint. Attackers can exploit this vulnerability by manipulating the request parameters to execute arbitrary SQL queries.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
Remediation
Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in ZEROF Web Server 2.0.
ZITADEL Panel - Detect
Author: ChrisJr404Added: May 6, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ZITADEL"})Description
Detected ZITADEL was an open-source identity infrastructure platform providing OIDC, OAuth 2.0, SAML and machine-user IAM.
ZKTeco BioTime <= 9.0.1 - Privilege Escalation
runzero-match
service["http.body"] matches "(?i)ZKTeco Security"Description
BioTime default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.
Impact
Unauthenticated attackers can access sensitive files and credentials, leading to data breach and potential system compromise.
Remediation
Implement proper authentication and access controls for static file resources, and update to the latest version if available.
ZKTeco BioTime v8.5.5 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)biotime"})Description
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
Impact
Unauthenticated attackers can read arbitrary files from the server through path traversal in the iclock API url parameter, potentially exposing employee biometric data, attendance records, and system credentials.
Remediation
Update ZKTeco BioTime to a version newer than 8.5.5 that validates file paths in the iclock API and restricts access to authorized files only.
ZOHO ManageEngine ADAudit/ADManager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)adaudit plus"})Description
ZOHO ManageEngine ADAudit/ADManager panel was detected.
ZOHO ManageEngine ADSelfService Plus - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)adselfservice plus"}) || any(each(service["html.titles"]), {# matches "(?i)manageengine"})Description
ZOHO ManageEngine ADSelfService panel was detected.
ZOHO ManageEngine APEX IT Help-Desk Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apex it help desk"})Description
ZOHO MangageEngine APEX panel was detected.
ZOHO ManageEngine Analytics Plus Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)apex it help desk"})Description
ZOHO ManageEngine analytics plus panel was detected.
ZOHO ManageEngine AssetExplorer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine assetexplorer"})Description
ZOHO ManageEngine AssetExplorer panel was detected.
ZOHO ManageEngine Desktop Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine desktop central 10"})Description
ZOHO ManageEngine desktop panel was detected.
ZOHO ManageEngine Exchange Reporter Plus Panel - Detect
Author: darsesAdded: Jun 9, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ManageEngine - Exchange Reporter Plus"}) || service["favicon.ico.image.mmh3"] == "230963457"Description
ZOHO ManageEngine Exchange Reporter Plus panel was detected.
ZOHO ManageEngine OpManager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opmanager plus"})Description
ZOHO ManageEngine OpManager panel was detected.
ZOHO ManageEngine ServiceDesk Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine servicedesk plus"})Description
ZOHO ManageEngine ServiceDesk panel was detected.
ZOHO ManageEngine SupportCenter Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine supportcenter plus"})Description
ZOHO ManageEngine SupportCenter panel was detected.
ZTE Panel - Detect
runzero-match
service["http.body"] matches "(?i)ZTE Corporation"Description
ZTE panel was detected. ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe. ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe.
ZTE Router Panel - Detect
runzero-match
service["http.body"] matches "(?i)ZTE Corporation"Description
Multiple ZTE router panels were detected. These routers have a telnet-hardcoded backdoor account that spawns root shell.
ZTE ZXHN-F660T/F660A - Default Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)F660"})Description
ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices.
Impact
Attackers with knowledge of common credentials can access ZTE device management interfaces, potentially gaining control over network equipment and configurations.
Remediation
Change default credentials immediately and restrict access to the web management interface to trusted administrators only.
Zabbix - SAML SSO Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "892542951" || any(each(service["html.titles"]), {# matches "(?i)zabbix-server"})Description
When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Zabbix monitoring system.
Remediation
Upgrade to 5.4.9rc2, 6.0.0beta1, 6.0 (plan) or higher.
Zabbix - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "892542951" || any(each(service["html.titles"]), {# matches "(?i)zabbix-server"})Description
Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php and perform SQL injection attacks.
Impact
Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the Zabbix application and underlying systems.
Remediation
Apply the latest security patches or upgrade to a patched version of Zabbix to mitigate the SQL Injection vulnerability (CVE-2016-10134).
Zabbix <=4.4 - Authentication Bypass
runzero-match
service["favicon.ico.image.mmh3"] == "892542951" || any(each(service["html.titles"]), {# matches "(?i)zabbix-server"})Description
Zabbix through 4.4 is susceptible to an authentication bypass vulnerability via zabbix.php?action=dashboard.view&dashboardid=1. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
Impact
Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the Zabbix application.
Remediation
Upgrade to a patched version of Zabbix (>=4.4) to mitigate this vulnerability.
Zabbix Default Login
runzero-match
service["favicon.ico.image.mmh3"] == "892542951"Description
Zabbix default admin credentials were discovered.
Zabbix Login Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "892542951" || any(each(service["html.titles"]), {# matches "(?i)zabbix-server"})Description
Zabbix login panel was detected.
Zabbix Setup Configuration Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zabbix-server"}) || service["favicon.ico.image.mmh3"] == "892542951"Description
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Zabbix setup configuration.
Remediation
Apply the latest security patches or updates provided by Zabbix to fix the authentication bypass vulnerability.
Zammad Helpdesk Panel - Detect
Author: righettodAdded: Aug 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Zammad Helpdesk"})Description
Zammad is an open source helpdesk and customer support system that provides ticket management, live chat, and knowledge base functionality. This template detects exposed Zammad installations.
Zebra - Default Login
Author: y0noAdded: Oct 16, 2024
runzero-match
any(each(service["html.titles"]), {# matches "Zebra"}) || service["http.body"] matches "Zebra Technologies"Description
Zebra default login credentials was discovered.
Zebra Printer Detect
Author: gy741Added: Apr 27, 2023
runzero-match
any(each(service["html.titles"]), {# matches "Zebra"}) || service["http.body"] matches "Zebra Technologies"Description
Zebra Printer panel was detected.
ZenML Dashboard Panel - Detect
Author: DhiyaneshDKAdded: Apr 8, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-2028554187"ZenML ZenML Server - Improper Authentication
runzero-match
service["favicon.ico.image.mmh3"] == "-2028554187"Description
ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body.
Impact
Successful exploitation could lead to unauthorized access to sensitive data.
Remediation
Implement proper authentication mechanisms and ensure access controls are correctly configured.
ZeroShell <= 1.0beta11 Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zeroshell"})Description
ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers to execute arbitrary commands through shell metacharacters in the type parameter in a NoAuthREQ x509List action.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system.
Remediation
Upgrade to a patched version of ZeroShell.
ZeroShell Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zeroshell"})Description
ZeroShell panel was detected.
Zeroshell 3.9.0 - Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zeroshell"})Description
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Upgrade to 3.9.5. Be aware this product is no longer supported.
Zeroshell 3.9.3 - Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zeroshell"})Description
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
Remediation
Upgrade to the latest version of Zeroshell or apply security patches provided by the vendor.
ZimaOS - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)ZimaOS"Description
ZimaOS <= 1.5.0 contains a broken authentication caused by improper password validation for known system service accounts in the login function, letting attackers authenticate with any password for these accounts, exploit requires knowledge of common usernames.
Impact
Attackers can gain authenticated access to system service accounts without valid passwords, potentially compromising the system.
Remediation
Update to a fixed version when available or apply patches to properly validate passwords for system service accounts.
Zimbra - Cross-Site Scripting via ICS Files
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Zimbra Collaboration Suite"})Description
Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event inside a details tag, allowing attackers to perform unauthorized actions like email redirection and data exfiltration.
Impact
Authenticated users viewing malicious ICS files can have JavaScript executed in their browser context through stored XSS, potentially leading to session hijacking and data exfiltration.
Remediation
Upgrade to Zimbra Collaboration Suite version 9.0.1, 10.0.13, or 10.1.5 or later that properly sanitizes HTML content in ICS files.
Zimbra Collaboration (ZCS) - Cross Site Scripting
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["favicon.ico.image.mmh3"] == "475145467"Description
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Remediation
Apply the latest security patches or updates provided by Zimbra to fix the XSS vulnerability.
Zimbra Collaboration - Cross-Site Scripting (XSS)
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["http.body"] matches "(?i)zimbra collaboration suite web client" || service["favicon.ico.image.mmh3"] == "475145467"Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload.
Impact
Unauthenticated attackers can execute arbitrary JavaScript via crafted calendar headers in emails, potentially stealing user credentials or session data.
Remediation
Update Zimbra Collaboration to version 9.0.0 P39 or 10.0.7 or later.
Zimbra Collaboration - Local File Inclusion
runzero-match
service["product"] contains "Zimbra:Collaboration"Description
Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion caused by improper handling of user-supplied parameters in the RestFilter servlet, letting unauthenticated remote attackers include arbitrary files from WebRoot, exploit requires crafted requests to /h/rest endpoint.
Impact
Unauthenticated remote attackers can include arbitrary files from the WebRoot directory, potentially exposing sensitive information.
Remediation
Update to the latest version of Zimbra Collaboration.
Zimbra Collaboration - Unrestricted File Upload
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["http.body"] matches "(?i)Zimbra Collaboration Suite Web Client"Description
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
Impact
Unauthenticated attackers can upload arbitrary files through amavis via a cpio loophole that extracts to the webapps directory, potentially achieving remote code execution and unauthorized access to other user accounts in Zimbra Collaboration Suite.
Remediation
Install pax package and ensure amavis is configured to use pax instead of cpio. Update to the latest patched version of Zimbra Collaboration Suite.
Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"})Description
A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
Impact
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
Remediation
Apply the latest security patches or upgrade to a newer version of Zimbra Collaboration Server to mitigate the LFI vulnerability.
Zimbra Collaboration Suite - Memcached Command Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"})Description
Zimbra Collaboration Suite versions 8.8.15 and 9.0 contain a memcached command injection vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance, leading to cache poisoning and potential credential theft.
Impact
Successful exploitation allows attackers to overwrite arbitrary cached entries and steal user credentials in cleartext without user interaction. With valid credentials, attackers can perform spear phishing, social engineering, and business email compromise attacks, or maintain persistent access via webshells.
Remediation
Update to Zimbra Collaboration Suite version 8.8.15 Patch 31 or 9.0.0 Patch 24.1 or later. Implement multi-factor authentication to mitigate credential theft impact.
Zimbra Collaboration Suite - SSRF
runzero-match
service["http.body"] matches "(?i)Zimbra Collaboration Suite Web Client"Description
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
Impact
Attackers can perform SSRF, potentially leading to internal network access or further exploitation.
Remediation
Update to the latest patched versions: 8.6 patch 13, 8.7.11 patch 10, 8.8.10 patch 7, or 8.8.11 patch 3 or later.
Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["favicon.ico.image.mmh3"] == "475145467"Description
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
Impact
Unauthenticated attackers can bypass authentication and upload arbitrary files through the mboximport functionality, achieving directory traversal and remote code execution on Zimbra Collaboration Suite servers, potentially compromising email systems and sensitive communications.
Remediation
Apply the latest security patches or upgrade to a non-vulnerable version of Zimbra Collaboration Suite.
Zimbra Collaboration Suite < 8.8.15 - Improper Encoding
runzero-match
service["favicon.ico.image.mmh3"] == "1624375939" || service["http.body"] matches "(?i)Zimbra Collaboration Suite Web Client"Description
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
Impact
Attackers can inject malicious JavaScript through the Calendar feature that executes in victims' browsers, potentially stealing session tokens and accessing email communications of Zimbra users.
Remediation
Update Zimbra Collaboration Suite to version 8.8.15 patch 30 or later that properly escapes HTML in Calendar feature attributes.
Zimbra Collaboration Suite Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"}) || any(each(service["html.titles"]), {# matches "(?i)zimbra web client sign in"})Description
Zimbra Collaboration Suite panel was detected. Zimbra Collaboration Suite simplifies the communication environment, connects people over multiple channels, and provides a single place to manage collaboration and communication.
Zimbra Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zimbra collaboration suite"}) || any(each(service["html.titles"]), {# matches "(?i)zimbra web client sign in"})Description
Zimbra panel was detected. Zimbra provides open source server and client software for messaging and collaboration.
Zipkin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)webpackJsonpzipkin-lens"Description
Zipkin login panel was detected.
Zitadel - User Registration Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Zitadel"})Description
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
Impact
Unauthenticated users can bypass the disabled user registration restriction and register accounts.
Remediation
Update Zitadel to version 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, or 2.58.7 or later.
Zoho ManageEngine - Access Control Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine"})Description
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.
Impact
Attackers can bypass access controls on REST API endpoints, potentially leading to unauthorized data access or manipulation.
Remediation
Update to the latest versions of Access Manager Plus, Password Manager Pro, and PAM360 that address this issue.
Zoho ManageEngine - Internal Hostname Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine desktop central 10"})Description
Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.
Impact
An attacker could use the disclosed internal hostnames to plan targeted attacks, gain unauthorized access, or perform reconnaissance on the internal network.
Remediation
Apply the latest security patch or update provided by Zoho ManageEngine to fix the internal hostname disclosure vulnerability.
Zoho ManageEngine - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine"})Description
Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patch or update provided by Zoho ManageEngine to fix the vulnerability.
Zoho ManageEngine Desktop Central - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine desktop central 10"}) || service["http.body"] matches "(?i)manageengine desktop central 10" || any(each(service["html.titles"]), {# matches "(?i)manageengine desktop central"})Description
Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
Zoho ManageEngine Network Configuration Manager Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)network configuration manager"})Description
ZOHO ManageEngine Network Configuration Manager was detected.
Zoho ManageEngine OpManager - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)OpManager"})Description
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
Impact
Unauthenticated attackers can execute SQL injection attacks to access or modify database contents, add administrator users, or extract sensitive information including credentials.
Remediation
Upgrade to ManageEngine OpManager version 12.3 Build 123196 or later.
Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)opmanager plus"}) || any(each(service["html.titles"]), {# matches "(?i)opmanager"})Description
Zoho ManageEngine OpManager before 12.5.329 contains a remote code execution caused by a general bypass in the deserialization class, letting unauthenticated attackers execute arbitrary code, exploit requires no authentication
Impact
Unauthenticated attackers can execute arbitrary code remotely, leading to full system compromise.
Remediation
Update to version 12.5.329 or later.
Zoho ManageEngine ServiceDesk Plus - Authentication Bypass
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine servicedesk plus"})Description
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Impact
Attackers can access sensitive functionalities and data without authentication, potentially leading to data disclosure or unauthorized actions.
Remediation
Update to version 11302 or later.
Zoho ManageEngine ServiceDesk Plus - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)manageengine servicedesk plus"})Description
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patch or upgrade to a patched version of Zoho ManageEngine ServiceDesk Plus.
ZoneMinder - SQL Injection
runzero-match
service["favicon.ico.image.mmh3"] == "-1218152116"Description
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61.
Impact
Unauthenticated attackers can exploit time-based SQL injection to extract sensitive database information from ZoneMinder.
Remediation
Update ZoneMinder to version 1.36.34 or 1.37.61 or later.
ZoneMinder Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)zm - login"Description
ZoneMinder panel was detected.
Zoraxy Login Panel - Detect
Author: righettodAdded: Mar 1, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Login \\| Zoraxy"})Description
Zoraxy products was detected.
Zuul Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-1127895693"Description
ZUUL panel was detected.
ZyXel Router Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)web-based configurator"})Description
ZyXel Router login panel was detected.
ZyXel USG - Hardcoded Credentials
runzero-match
any(each(service["html.titles"]), {# matches "(?i)usg flex 100"})Description
A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to the affected device, potentially leading to further compromise of the network.
Remediation
Update the firmware of the ZyXel USG device to the latest version, which addresses the hardcoded credentials issue.
Zyxel - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)/2fa-access\\.cgi"Description
An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.
Impact
Unauthenticated attackers can bypass web authentication and obtain administrative access to Zyxel devices, potentially gaining complete control over firewalls and network security configurations.
Remediation
Apply security updates provided by Zyxel for affected USG/ZyWALL, USG FLEX, ATP, VPN, and NSG series devices.
Zyxel Firewall Panel - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "-440644339"Description
Zyxel Firewall panel was detected.
Zyxel NAS Firmware 5.21- Remote Code Execution
runzero-match
service["favicon.ico.image.mmh3"] == "943925975"Description
Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device. Although the web server does not run as the root user, Zyyxel devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable Zyyxel device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any Zyyxel device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 Zyyxel has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
Remediation
Apply the latest firmware update provided by Zyxel to mitigate this vulnerability.
Zyxel VMG1312-B10D - Login Detection
Author: princechaddhaAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)vmg1312-b10d"Zyxel VSG1432-B101 - Login Detection
Author: princechaddhaAdded: Apr 27, 2023
runzero-match
service["http.body"] matches "(?i)VSG1432-B101"Zyxel ZyWall UAG/USG - Account Creation Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)zywall"})Description
Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator via the "Free Time" component. This can lead to unauthorized network access or DoS attacks.
Impact
An attacker can exploit this vulnerability to create unauthorized accounts with administrative privileges.
Remediation
Apply the latest firmware update provided by Zyxel to fix the vulnerability.
aaPanel Linux Panel - Detect
runzero-match
service["http.body"] matches "(?i)aaPanel Linux panel"Description
Detected aaPanel Linux management panel login interface.
airCube Dashboard Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)AirCube Dashboard"})Description
airCube Dashboard login panel was detected.
airCube Login - Detect
runzero-match
service["favicon.ico.image.mmh3"] == "1249285083"Description
airCube login panel was detected.
big-AGI Panel - Detect
Author: rxeriumAdded: May 27, 2026
runzero-match
any(each(service["html.titles"]), {# matches "big-AGI"})Description
big-AGI is a generative AI suite for power users, teams, and developers. It provides
an AI chat interface with support for multiple LLM providers
bloofoxCMS - Default Login
Author: theamanrawatAdded: Aug 7, 2023
runzero-match
service["http.body"] matches "(?i)Powered by bloofoxCMS"Description
bloofoxCMS contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
cPanel & WHM - Authentication Bypass via Session-File CRLF Injection
Author: watchtowr,hadrian.io,DhiyaneshDkAdded: May 4, 2026
runzero-match
any(each(service["html.titles"]), {# matches "(?i)(?:cPanel|WHM) Login"})Description
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Impact
Unauthenticated remote attackers can gain unauthorized access to the control panel, compromising system security.
Remediation
Update to version 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5 or later.
cPanel API Codes Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)cpanel - api codes"}) || any(each(service["html.titles"]), {# matches "(?i)cpanel"})Description
cPanel API Codes panel was detected.
cgit < 1.2.1 - Directory Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)git repository browser"})Description
cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
Impact
Unauthenticated attackers can access arbitrary files on the server through path traversal in cgit when HTTP clone functionality is enabled, potentially exposing sensitive repository data, source code, configuration files, and credentials.
Remediation
Upgrade cgit to version 1.2.1 or later to mitigate the vulnerability.
coreBOS Panel - Detect
runzero-match
service["http.body"] matches "(?i)corebos"Description
coreBOS panel was detected.
dbt Docs Panel - Detect
Author: johnk3rAdded: Mar 21, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dbt Docs"})Description
dbt Docs panel was detected.
dotAdmin Login Panel- Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)dotcms"})Description
dotAdmin login panel was detected.
draw.io Flowchart Maker Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)flowchart maker"})Description
draw.io Flowchart Maker panel was detected.
eArcu Panel - Detect
Author: righettodAdded: May 25, 2023
runzero-match
service["http.body"] matches "(?i)'content=\"eArcu'"Description
eArcu was detected.
eMerge E3 1.00-06 - Local File Inclusion
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emerge"})Description
Linear eMerge E3-Series devices are vulnerable to local file inclusion.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, remote code execution, and potential compromise of the affected system.
Remediation
Apply the latest security patch or update to a non-vulnerable version of eMerge E3.
eMerge E3 1.00-06 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emerge"})Description
Linear eMerge E3-Series devices are susceptible to remote code execution vulnerabilities.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Remediation
Apply the latest security patch or update to a non-vulnerable version of eMerge E3.
eMessage Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)emessage"})Description
eMessage login panel was detected.
eZ Publish Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)eZ Publish"Description
eZ Publish login panel was detected.
eyoucms v.1.6.5 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)eyoucms"})Description
Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
Impact
Allows attackers to execute malicious scripts on the victim's browser.
Remediation
Upgrade eyoucms to version 1.6.6 or later to fix the XSS vulnerability.
iClock Automatic Data Master Server Admin Panel - Detect
runzero-match
service["http.body"] matches "(?i)iClock Automatic"Description
An iClock Automatic Data Master Server Admin login panel was detected.
iSAMS Panel - Detect
Author: righettodAdded: May 26, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "-81573405"Description
iSAMS was detected.
iSpy 7.2.2.0 - Authentication Bypass
runzero-match
service["http.body"] matches "(?i)ispy is running"Description
iSpy 7.2.2.0 contains an authentication bypass vulnerability. An attacker can craft a URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the system.
Remediation
Upgrade to the latest version of iSpy (7.2.2.1 or higher) which includes a fix for the authentication bypass vulnerability.
iTop - User Enumeration via REST Endpoint
runzero-match
service["http.body"] matches "(?i) itop login"Description
From the webservices/rest.php file, several operations are accessible from an unauthenticated user. One of them is `do_reset_pwd`, allowing to reset a user password. This feature can be abused to perform user enumeration when a non-existent user is provided.
Impact
Attackers can exploit this vulnerability to compromise system security.
Remediation
Apply security patches to address CVE-2024-51739.
iTop Hub Connector - Information Disclosure
runzero-match
service["http.body"] matches "(?i)iTop login"Description
Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be read by anyone having access to iTop URI. This issue has been patched in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0.
Impact
Unauthenticated attackers can access sensitive server, database, and iTop configuration information.
Remediation
Update iTop to version 2.7.11, 3.0.5, 3.1.2, or 3.2.0 or later.
iXBus Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)iXBus"})Description
iXBus login panel was detected.
idcCMS V1.60 - Cross-Site Scripting
runzero-match
any(each(service["html.titles"]), {# matches "(?i)idcCMS"})Description
idcCMS V1.60 is vulnerable to reflected cross-site scripting (XSS) via the idName parameter in read.php. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
Impact
Successful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious activities.
Remediation
Update idcCMS to the latest version. Implement proper input validation and output encoding for all user-supplied data, especially the idName parameter in read.php.
ipTIME A2004 - Unauthorized Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ipTIME"})Description
An access control issue exists in the component /login/hostinfo2.cgi of ipTIME A2004 v12.17.0 that allows attackers to obtain sensitive information without authentication. The vulnerability allows unauthenticated access to device settings and configuration information.
Impact
Unauthenticated attackers can access sensitive device settings and configuration information through the hostinfo2.cgi endpoint.
Remediation
Update ipTIME A2004 router to a version later than 12.17.0 that addresses the unauthorized access vulnerability.
ipTIME A2004 - Unauthorized Access
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ipTIME"})Description
An access control issue in the component /login/hostinfo.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication.
Impact
Unauthenticated attackers can access sensitive device configuration information through the hostinfo.cgi endpoint without authentication.
Remediation
Update ipTIME A2004 router to a version later than 12.17.0 that addresses the unauthorized access vulnerability.
kkFileView Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)kkFileView"})Description
kkFileView panel was detected.
mTheme Unus < 2.3 - Directory Traversal
runzero-match
service["http.body"] matches "(?i)wp-content/themes/mTheme-Unus/"Description
The mTheme-Unus theme for WordPress, prior to version 2.3, contained a directory traversal flaw that let attackers access arbitrary files. This was possible by exploiting the files parameter in css/css.php with .. sequences.
Impact
Attackers can read sensitive files including database credentials and configuration files, potentially leading to full site compromise.
Remediation
Upgrade to 2.3 or later version
macOS Server Panel - Detect
Author: DhiyaneshDkAdded: Oct 8, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)macOS Server"})mantisbt - Anonymous Login
Author: pussycat0xAdded: Jun 21, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "662709064"Description
mantisbt Anonymous login were discovered.
modoboa 2.0.4 - Admin TakeOver
runzero-match
service["http.body"] matches "(?i)modoboa" || service["favicon.ico.image.mmh3"] == "1949005079"Description
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
Impact
Unauthenticated attackers can exploit authentication bypass using default credentials to gain administrator access and completely compromise Modoboa email server installations.
Remediation
update to version 2.0.4
myLittleAdmin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)myLittleAdmin"Description
myLittleAdmin login panel was detected.
myLittleBackup Panel - Detect
runzero-match
service["http.body"] matches "(?i)myLittleBackup"Description
myLittleBackup panel was detected.
n8n Panel - Detect
Author: userdehghani,rxeriumAdded: May 13, 2024
runzero-match
service["favicon.ico.image.mmh3"] == "-831756631"Description
The worlds most popular workflow automation platform for technical teams
n8n Webhooks - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches `(?i)^n8n[.]io\s*-\s*Workflow\s+Automation`})Description
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
Impact
Unauthenticated remote attackers can access sensitive files, potentially leading to information disclosure and further system compromise.
Remediation
Update to version 1.121.0 or later.
nMon Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "^nMon"})Description
nMon login interface was discovered.
ngSurvey Login Panel - Detect
Author: righettodAdded: Jun 5, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ngSurvey enterprise survey software"})Description
ngSurvey products was detected.
nginxWebUI ≤ 3.5.0 - Remote Command Execution
Author: ritikchaddhaAdded: Sep 19, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)nginxwebui"})Description
There is a command execution vulnerability in the nginxWebUI backend. After logging in to the backend, the attacker can execute any command to obtain server permissions.
nginxWebUI ≤ 3.5.0 runCmd - Remote Command Execution
Author: DhiyaneshDkAdded: Jul 27, 2023
runzero-match
service["http.body"] matches "(?i)nginxWebUI"Description
nginxWebUI’s runCmd feature and is caused by incomplete validation of user input. Attackers can exploit the vulnerability by crafting malicious data to execute arbitrary commands on a vulnerable server without authorization.
noVNC Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)noVNC"})Description
noVNC login panel was detected.
nostromo 1.9.6 - Remote Code Execution
runzero-match
service["http.head.server"] matches "(?i)^nostromo"Description
nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via directory traversal in the function http_verify.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
Remediation
Upgrade to a patched version of nostromo web server (1.9.7 or later) or apply the vendor-supplied patch.
ntopng - Default Login
Author: 0x_AkokoAdded: Mar 24, 2026
runzero-match
service["product"] contains "ntop:ntopng"Description
Detected the ntopng network traffic monitoring tool was found to be using default credentials (admin:admin). An attacker could have gained full administrative access to network traffic data, flow analysis, and system configuration.
openSIS Classic v9.1 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openSIS"})Description
SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands.
Impact
Attackers can exploit this vulnerability to compromise system security and integrity.
Remediation
Apply the latest security patches and updates to address this vulnerability.
openSIS v9.0 - Path Traversal
runzero-match
any(each(service["html.titles"]), {# matches "(?i)openSIS"})Description
A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths.
Impact
Unauthenticated attackers can read arbitrary files from the server by manipulating the filename parameter in DownloadWindow.php, potentially exposing student records, staff information, and database credentials.
Remediation
Update openSIS to a version newer than 9.0 that validates file paths in DownloadWindow.php and restricts file access to authorized directories only.
osTicket Installer Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)osticket installer"}) || any(each(service["html.titles"]), {# matches "(?i)osticket"}) || service["http.body"] matches "(?i)powered by osticket"Description
osTicket installer panel was detected.
osTicket Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)powered by osticket" || any(each(service["html.titles"]), {# matches "(?i)osticket"}) || any(each(service["html.titles"]), {# matches "(?i)osticket installer"})Description
osTicket login panel was detected.
ownCloud Guests - User Enumeration
runzero-match
any(each(service["html.titles"]), {# matches "(?i)ownCloud"})Description
ownCloud Guests before 0.12.5 contains an unauthenticated user enumeration vulnerability caused by insufficient validation of the token in showPasswordForm at /apps/guests/register/{email}/{token}, letting unauthenticated attackers enumerate valid guest users, exploit requires no authentication.
Impact
Unauthenticated attackers can enumerate valid guest users, potentially aiding further targeted attacks.
Remediation
Update to version 0.12.5 or later.
pCOWeb - Default-Login
Author: ritikchaddhaAdded: Sep 24, 2024
runzero-match
any(each(service["html.titles"]), {# matches "pCOWeb"})pCOWeb Panel - Detect
Author: ritikchaddhaAdded: Sep 23, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pCOWeb"})pREST < 1.5.4 - SQL Injection Via Authentication Bypass
Author: mihail8531,iamnoooob,rootxharsh,pdresearchAdded: Aug 28, 2024
runzero-match
service["http.body"] matches "(?i)authorization token is empty"Description
An authentication bypass vulnerability was introduced by changing the JWT whitelist configuration to use a regex pattern, allowing unauthorized access to any path containing /auth and leading to SQL Injection.
pfSense - Default Admin Credentials
Author: 0x_AkokoAdded: Apr 8, 2026
runzero-match
service["product"] contains "pfSense:pfSense" || service["product"] contains "Netgate:pfSense"Description
Detected pfSense firewall was found using default administrator credentials (admin:pfsense). An attacker could have gained full administrative access to manage firewall rules, routing, and network configuration.
pfSense Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pfsense - login"})Description
pfSense login panel was detected.
pgAdmin < 6.17 - Unauthenticated Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)pgAdmin"})Description
pgAdmin prior to 6.17 contains an insecure HTTP API caused by improper access control, letting unauthenticated users execute arbitrary external utilities via path manipulation, exploit requires no authentication.
Impact
Attackers can execute arbitrary external utilities on the server, potentially leading to remote code execution or system compromise.
Remediation
Update to version 6.17 or later to fix the security issue.
phpCollab Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpcollab"})Description
phpCollab login panel was detected.
phpLDAPadmin <= 1.2.3 - Reflected XSS
runzero-match
service["product"] contains "phpLDAPadmin Project:phpLDAPadmin"Description
phpLDAPadmin <= 1.2.3 contains a reflected cross-site scripting caused by unsanitized input in htdocs/entry_chooser.php via the form, element, rdn, or container parameter, letting attackers execute malicious scripts in victim browsers, exploit requires sending crafted input.
Impact
Attackers can execute malicious scripts in victim browsers, potentially leading to session hijacking or defacement.
Remediation
Update to the latest version of phpLDAPadmin where the vulnerability is fixed.
phpMiniAdmin Login Panel - Detect
runzero-match
service["http.body"] matches "(?i)phpMiniAdmin"Description
phpMiniAdmin login panel was detected.
phpMyAdmin - Default Login
runzero-match
any(each(service["html.titles"]), {# matches "phpMyAdmin"})Description
phpMyAdmin contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
phpMyAdmin - Full Path Disclosure
Author: DhiyaneshDkAdded: Jan 1, 2026
runzero-match
service["product"] contains "phpMyAdmin:phpMyAdmin"Description
Detected potential Full Path Disclosure (FPD) via directly accessible phpMyAdmin files that may throw PHP errors revealing filesystem paths when error display is enabled.
phpMyAdmin Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpmyadmin"})Description
phpMyAdmin panel was detected.
phpMyFAQ - Configuration Backup Disclosure
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phpMyFAQ"})Description
phpMyFAQ <= 4.0.16 contains an information disclosure vulnerability caused by unauthenticated access to configuration backup ZIP generation and download, letting remote attackers access sensitive configuration files, exploit requires no authentication.
Impact
Remote attackers can access sensitive configuration files, exposing database credentials and enabling further compromise.
Remediation
Update to version 4.0.16 or later.
phpPgAdmin Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)phppgadmin"})Description
phpPgAdmin login ipanel was detected.
phpVMS < 7.0.6 - Legacy Importer Authorization Bypass
runzero-match
service["http.body"] matches "(?i)phpvms"Description
phpVMS < 7.0.6 contains an authentication bypass caused by unauthenticated access to a legacy import feature, letting unauthenticated attackers access restricted functionality, exploit requires no special privileges.
Impact
Unauthenticated attackers can access restricted import functionality, potentially leading to unauthorized data manipulation or system compromise.
Remediation
Update to version 7.0.6 or later.
playSMS <1.4.3 - Remote Code Execution
runzero-match
any(each(service["html.titles"]), {# matches `(?i)playSMS`})Description
PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
Remediation
Upgrade playSMS to version 1.4.4 or later to mitigate this vulnerability.
pyLoad Flask Config - Access Control
runzero-match
service["http.body"] matches "(?i)pyload" || any(each(service["html.titles"]), {# matches "(?i)login - pyload"}) || any(each(service["html.titles"]), {# matches "(?i)pyload"})Description
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
Impact
Unauthenticated attackers can access the Flask SECRET_KEY and other sensitive configuration variables, potentially enabling session hijacking or other attacks.
Remediation
Update pyLoad to version 0.5.0b3.dev77 or later.
qBittorrent Web UI Panel - Detect
Author: ritikchaddhaAdded: Oct 9, 2023
runzero-match
any(each(service["html.titles"]), {# matches "(?i)qbittorrent"})qdPM 9.2 - Directory Traversal
runzero-match
service["favicon.ico.image.mmh3"] == "762074255"Description
qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI.
Impact
Successful exploitation could allow an attacker to read sensitive files on the server.
Remediation
Upgrade qdPM to a non-vulnerable version to mitigate the directory traversal vulnerability.
qdPM Login Panel
Author: theamanrawatAdded: Jul 7, 2023
runzero-match
service["favicon.ico.image.mmh3"] == "762074255"rConfig - Default Login
Author: theamanrawatAdded: Oct 17, 2023
runzero-match
any(each(service["html.titles"]), {# matches "rConfig"})Description
rConfig contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
rConfig 3.9 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Remediation
Upgrade to a patched version of rConfig or apply the vendor-supplied patch to mitigate this vulnerability.
rConfig 3.9.4 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
Remediation
Upgrade to the latest version of rConfig or apply the provided patch to fix the SQL Injection vulnerability.
rConfig 3.9.4 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
Remediation
Upgrade to the latest version of rConfig or apply the provided patch to fix the SQL Injection vulnerability.
rConfig 3.9.4 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
rConfig 3.9.4 and previous versions have unauthenticated devices.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
Remediation
Upgrade to a patched version of rConfig or apply the necessary security patches provided by the vendor.
rConfig <=3.9.4 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)rconfig"})Description
rConfig 3.9.4 and prior has unauthenticated snippets.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
Remediation
Upgrade rConfig to version >3.9.4 or apply the provided patch to mitigate the SQL Injection vulnerability.
temBoard Panel - Detect
Author: righettodAdded: Dec 19, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)temBoard"})Description
temBoard was detected — a powerful management tool for PostgreSQL.
tshirtecommerce PrestaShop Module - SQL Injection
runzero-match
service["http.body"] matches "(?i)Prestashop"Description
The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the tshirtecommerce_design_cart_id parameter, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database. This is due to lack of input sanitization, as shown in the patch where pSQL() is now used.
Impact
Unauthenticated attackers can execute SQL injection through the tshirtecommerce_design_cart_id parameter to extract the complete PrestaShop database including customer data and payment information.
Remediation
Update the tshirtecommerce module to the latest version and apply all security patches.
txAdmin Panel - Detect
Author: s4e-ioAdded: Oct 11, 2024
runzero-match
any(each(service["html.titles"]), {# matches "(?i)txAdmin Login"})Description
txAdmin panel was discovered.
vBulletin 5.0.0-5.5.4 - Remote Command Execution
runzero-match
service["http.body"] matches "(?i)powered by vbulletin" || any(each(service["html.titles"]), {# matches "(?i)powered by vbulletin"}) || any(each(service["html.titles"]), {# matches "(?i)vbulletin"})Description
vBulletin 5.0.0 through 5.5.4 is susceptible to a remote command execution vulnerability via the widgetConfig parameter in an ajax/render/widget_php routestring request. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade vBulletin to a version that is not affected by CVE-2019-16759.
vBulletin 5.5.4 - 5.6.2- Remote Command Execution
runzero-match
any(each(service["html.titles"]), {# matches "(?i)powered by vbulletin"}) || service["http.body"] matches "(?i)powered by vbulletin" || any(each(service["html.titles"]), {# matches "(?i)vbulletin"})Description
vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
Remediation
Upgrade vBulletin to a version that is not affected by CVE-2020-17496.
vBulletin <= 4.2.3 - SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vbulletin"}) || any(each(service["html.titles"]), {# matches "(?i)powered by vbulletin"}) || service["http.body"] matches "(?i)powered by vbulletin"Description
vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
Remediation
Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor.
vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
runzero-match
service["http.body"] matches "(?i)powered by vbulletin"Description
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
vBulletin SQL Injection
runzero-match
any(each(service["html.titles"]), {# matches "(?i)powered by vbulletin"}) || service["http.body"] matches "(?i)powered by vbulletin" || any(each(service["html.titles"]), {# matches "(?i)vbulletin"})Description
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control that permits SQL injection attacks.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying system.
Remediation
Apply the latest security patch or upgrade to a non-vulnerable version of vBulletin.
vCenter Server - Improper Access Control
runzero-match
service["product"] contains "VMware:vCenter Server"Description
Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass proxy leading to internal endpoints being accessed.
Impact
Attackers can bypass proxy restrictions and access internal endpoints, potentially leading to information disclosure or further internal network compromise.
Remediation
Apply the latest security patches or updates provided by VMware for vCenter Server.
vRealize Hyperic Login Panel - Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Sign In - Hyperic"})Description
vRealize Hyperic login panel was detected
vRealize Log Insight - Panel Detect
runzero-match
any(each(service["html.titles"]), {# matches "(?i)vrealize log insight"})Description
Detect vRealize Log Insight login panel was detected.
webp_server_go 0.4.0 - Path Traversal
runzero-match
service["http.body"] matches "(?i)Webp"Description
webp_server_go 0.4.0 contains a path traversal caused by insufficient sanitization in file handling, letting attackers read arbitrary files on the server, exploit requires attacker to send crafted requests.
Impact
Unauthenticated attackers can read arbitrary files from the server including /etc/passwd via path traversal using double URL encoding.
Remediation
Upgrade to webp_server_go version 0.4.1 or later that properly sanitizes file paths.
wpDiscuz <= 5.3.5 - SQL Injection
runzero-match
service["http.body"] matches "(?i)/wp-content/plugins/wpdiscuz"Description
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request.
Impact
Unauthenticated attackers can execute arbitrary SQL commands to extract database contents including user credentials, posts, and sensitive WordPress configuration data.
Remediation
Upgrade to wpDiscuz version 5.3.6 or later.
x-amz-meta-s3cmd-attrs Header Username Disclosure
Author: DhiyaneshDKAdded: Jan 19, 2026
runzero-match
service["http.head.xAmzMetaS3cmdAttrs"] != ""Description
Detected exposure of the x-amz-meta-s3cmd-attrs header in S3 objects, which can disclose sensitive information including the username (uname), user ID (uid), group name (gname), and group ID (gid) of the user who uploaded the file using s3cmd.
Remediation
Use s3cmd with --no-preserve flag or set preserve_attrs = False in s3cmd configuration to prevent storing filesystem attributes in S3 object metadata.
zhttpd - Local File Inclusion
runzero-match
service["http.body"] matches "(?i)VMG1312-B10D"Description
zhttpd is vulnerable to unauthenticated local inclusion including privileged files such as /etc/shadow. An attacker can read all files on the system by using this endpoint.
Р7-Office 12.5 - Cross-Site Scripting
Author: 0xpugalAdded: Oct 5, 2025
runzero-match
any(each(service["html.titles"]), {# matches "(?i)Р7-Офис"})Description
A failure to implement proper measures to protect the structure of the web page in the P7-Office corporate server could have allowed a remote attacker to perform a cross-site scripting (XSS) attack.
Remediation
Upgrade to the latest version to mitigate this vulnerability.
In addition to query-based vulnerability reporting, runZero natively detects exposures using an embedded version of the open-source Nuclei vulnerability scanner and it’s YAML-based vulnerability check templates. To maintain fast scan times and minimize network disruption, runZero dynamically selects appropriate templates based on the scan’s configured categories and precise asset and service fingerprinting.
]]>228
Queries
8
Categories
228 of 228 queries in 8 categories
Loading queries…
Google Workspace Account Without MFA
source:googleworkspace isEnforcedIn2Sv:fActive Directory Account Expires Soon
has:accountExpiresTS AND accountExpiresTS:<30daysAuthenticated Web Service Without Encryption
(_asset.protocol:http AND not _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )Cloud Management Services
source:runZero AND foreign_id:"rz-scan-vscan-%-panel" AND attack_surface:cloudExternally Exposed and Risky OT and IoT Assets
(category:=OT OR category:=IoT) AND (risk:high OR risk:critical) AND attack_surface:externalHTTP Directory Indexing Enabled
_asset.protocol:=http AND protocol:=http AND has:html.title AND (html.title:="Index of /%" OR html.title:="HFS /%" OR html.title:="Directory listing%")Interal Multi-Homed Assets
multi_home:t AND attack_surface:internalMulti-Homed Assets
multi_home:tNetwork Time Protocol Service With Skewed Clock
_asset.protocol:ntp and protocol:ntp and has:ntp.skewObsolete SSL Protocol
(_asset.protocol:=tls OR _asset.protocol:=ssl2) AND (protocol:="tls" OR protocol:="ssl2") AND tls.supportedVersionNames:"SSL"Open Wireless Network
auth:openSMB Signing Not Required
(_asset.protocol:=smb1 OR _asset.protocol:=smb2 OR _asset.protocol:=smb3) AND (protocol:=smb1 OR protocol:=smb2 OR protocol:=smb3) AND has:smb.signing AND NOT smb.signing:requiredSMB Version 1 Enabled
_asset.protocol:=smb1 protocol:=smb1SNMP Default Community
_asset.protocol:snmp AND protocol:snmp AND has:snmp.defaultCommunitiesServices Supporting TLS 1.0
_asset.protocol:=tls AND tls.supportedVersionNames:TLSv1.0Services Supporting TLS 1.1
_asset.protocol:=tls AND tls.supportedVersionNames:TLSv1.1Services Without HSTS
_asset.protocol:=tls AND protocol:=http protocol:=tls NOT has:http.head.strictTransportSecurityWireless Network Using WEP Encryption
enc:wepActive Directory Account Password Does Not Expire
passwordNeverExpires:truePrivate Key Is Widely Shared
source:runzero AND (foreign_id:=rz-ioasm-pubkey-widely-shared OR foreign_id:=rz-ioasm-pubkey-known-private)Certificate With Insecure Public Key
public_key_insecure:trueCertificate With Insecure Signature Algorithm
signature_algorithm_insecure:true is_ca:falseExpired Certificate On TLS Service
_asset.protocol:tls AND tls.notAfterTS:<nowCertificate On TLS Service Expires Soon
_asset.protocol:tls AND tls.notAfterTS:<6weeks AND tls.notAfterTS:>nowCISA BOD 26-02 End-Of-Support Edge Devices
(os_eol_extended:>0 AND os_eol_extended:<=now) AND has_public:t AND NOT (type:Server OR type:Desktop OR type:Laptop)Kaspersky Lab Security Software
edr.name:KasperskyKaspersky Lab Software
vendor:=KasperskyNDAA 2019 Section 889 Equipment
((mac_vendor:="zte corporation" OR mac_vendor:huawei OR mac_vendor:CRRC OR mac_vendor:dahua OR mac_vendor:hikvision OR mac_vendor:hisilicon OR mac_vendor:panda OR mac_vendor:dawning OR mac_vendor:hangzhou OR mac_vendor:hytera OR mac_vendor:inspur OR mac_vendor:"Aero Engine Corporation of China" OR mac_vendor:"Aviation Industry Corporation of China" OR mac_vendor:"China Aerospace" OR mac_vendor:"China Electronics" OR mac_vendor:"China General Nuclear Power" OR mac_vendor:"China Mobile" OR mac_vendor:"China National Nuclear Power" OR mac_vendor:"China North Industries Group" OR mac_vendor:"China Railway" OR mac_vendor:"China Shipbuilding" OR mac_vendor:"China South Industries Group" OR mac_vendor:"China State Shipbuilding" OR mac_vendor:"China Telecommunications" OR mac_vendor:ztec OR mac_vendor:ztek OR mac_vendor:"z-tec" OR mac_vendor:5shanghai OR mac_vendor:"Hella Sonnen" OR mac_vendor:anhui OR mac_vendor:"technology sdn bhd" OR mac_vendor:azteq) OR (hw:="ZTE%" OR hw:huawei OR hw:CRRC OR hw:dahua OR hw:hikvision OR hw:hisilicon OR hw:panda OR hw:dawning OR hw:hangzhou OR hw:hytera OR hw:inspur OR hw:"Aero Engine Corporation of China" OR hw:"Aviation Industry Corporation of China" OR hw:"China Aerospace" OR hw:"China Electronics" OR hw:"China General Nuclear Power" OR hw:"China Mobile" OR hw:"China National Nuclear Power" OR hw:"China North Industries Group" OR hw:"China Railway" OR hw:"China Shipbuilding" OR hw:"China South Industries Group" OR hw:"China State Shipbuilding" OR hw:"China Telecommunications" OR hw:ztec OR hw:ztek OR hw:"z-tec" OR hw:5shanghai OR hw:"Hella Sonnen" OR hw:anhui OR hw:"technology sdn bhd" OR hw:azteq))Secure Networks Act Section 2 Equipment
(hw:huawei OR hw:="zte%" OR hw:hytera OR hw:hikvision OR hw:dahua OR hw:"china mobile" OR hw:"china telecom" OR hw:"china unicom" OR hw:"pacific networks corp" OR hw:"comnet (usa) llc" OR hw:zhejiang) OR (mac_vendor:huawei OR mac_vendor:="zte%" OR mac_vendor:hytera OR mac_vendor:hikvision OR mac_vendor:dahua OR mac_vendor:"china mobile" OR mac_vendor:"china telecom" OR mac_vendor:"china unicom" OR mac_vendor:"pacific networks corp" OR mac_vendor:"comnet (usa) llc" OR mac_vendor:"zhejiang")Sangoma FreePBX
((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND ((version:>="2.0.0(%)" AND version:<"3.0.0(%)") OR (version:>="12.0.0(%)" AND version:<"15.0.0(%)"))Accellion File Transfer Appliance
hw:"Accellion File Transfer Appliance"AutomationDirect MB-GATEWAY
hw:="AutomationDirect Modbus Gateway" OR hw:="Automation Direct Modbus Gateway"Cisco Small Business Routers
hw:"Cisco RV0" OR hw:"Cisco RV110W" OR hw:"Cisco RV130" OR hw:"Cisco RV132W" OR hw:"Cisco RV134W" OR hw:"Cisco RV160" OR hw:"Cisco RV215" OR hw:"Cisco RV260" OR hw:"Cisco RV320" OR hw:"Cisco RV325" OR hw:"Cisco RV340" OR hw:"Cisco RV345" Cisco Small Business Switches
hw:"Cisco" and type:"switch" and ( hw:"SRW224G4-K9-" OR hw:"SRW2016-K9-" OR hw:"SG500X-" OR hw:"SF300-" OR hw:"SRW208G-K9-" OR hw:"SG300-" OR hw:"SRW2048-K9-" OR hw:"SLM2048PT-" OR hw:"SRW208-K9-" OR hw:"SF302-" OR hw:"SLM2008PT-" OR hw:"SLM224PT-" OR hw:"SF500-" OR hw:"SLM2008T-" OR hw:"SG500-" OR hw:"SG200-" OR hw:"SF200-" OR hw:"SLM224GT-" OR hw:"SLM2016T-")End-of-Life Operating System
(os_eol_extended:>0 AND os_eol_extended:<now) OR (os_eol_extended:0 AND os_eol:<now)Zyxel CPE Remote Command Execution
hw:"VMG1312-B10A" OR hw:"VMG1312-B10B" OR hw:"VMG1312-B10E" OR hw:"VMG3312-B10A" OR hw:"VMG3313-B10A" OR hw:"VMG3926-B10B" OR hw:"VMG4325-B10A" OR hw:"VMG4380-B10A" OR hw:"VMG8324-B10A" OR hw:"VMG8924-B10A" OR hw:"SBG3300" OR hw:"SBG3500"End-Of-Life Assets
os_eol_expired:tEnd-Of-Life Cloud Assets
os_eol_expired:t AND attack_surface:cloudEnd-Of-Life External Assets
os_eol_expired:t AND attack_surface:externalEnd-Of-Life Internal Assets
os_eol_expired:t AND attack_surface:internalD-Link DNS Family NAS
fp.hw.product:="DNS-320L" OR fp.hw.product:="DNS-325" OR fp.hw.product:="DNS-327L" OR fp.hw.product:="DNS-340L"Edimax IC-7100 IP Camera
hw:"EDIMAX IC-71%Camera"PowerDNS Recursor
vendor:=PowerDNS AND product:=Recursor AND (version:>0 AND version:>=2 AND version:<5.1)Xen Project XCP-ng
os:="Xen Project XCP-ng" AND (os_version:>0 AND os_version:<"8.3")Publicly Exposed Configuration Database Server
service_has_public:t AND (_asset.protocols:zookeeper OR _asset.protocols:etcd2 OR _asset.protocols:consul) AND (protocol:zookeeper OR protocol:etcd2 OR protocol:consul)Potential External Access To Internal Asset
source:runzero AND (foreign_id:=rz-query-rz-ioasm-internal-mac OR foreign_id:=rz-query-rz-ioasm-internal-pubkey)Potential External Access To Remote Desktop Service
has_public:t AND service_has_public:f AND ( ( _asset.protocol:rdp AND protocol:rdp ) OR ( _asset.protocol:vnc AND protocol:vnc ) OR ( _asset.protocol:teamviewer AND protocol:teamviewer ) OR ( _asset.protocol:spice AND protocol:spice ) )Publicly Exposed Baseboard Management Controller
haspublic:t AND (type:bmc OR protocol:ipmi)Publicly Exposed Remote Desktop Gateway
service_has_public:t AND ( (_asset.protocol:dtls OR _asset.protocol:http) AND ((protocol:dtls OR protocol:http) AND has:rdg.transport) )Publicly Exposed Remote Desktop Service
service_has_public:t AND ( ( _asset.protocol:rdp AND protocol:rdp ) OR ( _asset.protocol:vnc AND protocol:vnc ) OR ( _asset.protocol:teamviewer AND protocol:teamviewer ) OR ( _asset.protocol:spice AND protocol:spice ) )Publicly Exposed SSH Server With Password Authentication
service_has_public:t AND ( _asset.protocol:ssh AND protocol:ssh AND ssh.authMethods:password )Publicly Exposed Windows Management Service
service_has_public:t AND ( ( _asset.protocol:smb AND protocol:smb ) OR ( _asset.protocol:epm AND protocol:epm ) OR ( _asset.protocol:wsman AND protocol:wsman ) )Externally Exposed Database Services
service_has_public:t AND _asset.protocol:"{smb1,smb2,smb3,nfs,zookeeper,etcd2,consul,memcache,redis,mongodb,couchdb,cassandra,elasticsearch,riak,influxdb,mysql,mysqlx,postgresql,mssql,oracledb}" AND protocol:"{smb1,smb2,smb3,nfs,zookeeper,etcd2,consul,memcache,redis,mongodb,couchdb,cassandra,elasticsearch,riak,influxdb,mysql,mysqlx,postgresql,mssql,oracledb}"Externally Exposed IoT Assets
attack_surface:external AND category:=IoTExternally Exposed Management Interfaces
source:runZero AND foreign_id:"rz-scan-vscan-%-panel" AND attack_surface:externalExternally Exposed OT Assets
attack_surface:external AND category:=OTNew Public Assets
attack_surface:external AND first_seen:<7daysPotential External Access To Configuration Database Server
has_public:t AND service_has_public:f AND (_asset.protocols:zookeeper OR _asset.protocols:etcd2 OR _asset.protocols:consul) AND (protocol:zookeeper OR protocol:etcd2 OR protocol:consul)Potential External Access To Key-Value Database Server
has_public:t AND service_has_public:f AND (_asset.protocols:memcache OR _asset.protocols:redis) AND (protocol:memcache OR protocol:redis)Potential External Access To NoSQL Database Server
has_public:t AND service_has_public:f AND (_asset.protocols:mongodb OR _asset.protocols:couchdb OR _asset.protocols:cassandra OR _asset.protocols:elasticsearch OR _asset.protocols:riak OR _asset.protocols:influxdb) AND (protocol:mongodb OR protocol:couchdb OR protocol:cassandra protocol:elasticsearch OR protocol:riak OR protocol:influxdb)Potential External Access To Operational Technology Service
has_public:t AND service_has_public:f AND (_asset.protocols:bacnet OR _asset.protocols:modbus OR _asset.protocols:dnp3 OR _asset.protocols:opcua OR _asset.protocols:cip OR _asset.protocols:ethernetip OR _asset.protocols:profinet OR _asset.protocols:prosoft OR _asset.protocols:s7comm OR _asset.protocols:fins OR _asset.protocols:comtrol OR _asset.protocols:atg) AND (protocol:bacnet OR protocol:modbus OR protocol:dnp3 OR protocol:opcua OR protocol:cip OR protocol:ethernetip OR protocol:profinet OR protocol:prosoft OR protocol:s7comm OR protocol:fins OR protocol:comtrol OR protocol:atg)Potential External Access To Relational Database Server
has_public:t AND service_has_public:f AND (_asset.protocol:=mysql OR _asset.protocol:=mysqlx OR _asset.protocol:=postgresql OR _asset.protocol:=mssql OR _asset.protocol:=oracledb) AND (protocol:=mysql OR protocol:=mysqlx OR protocol:=postgresql OR protocol:=mssql OR protocol:=oracledb)Potential External Access To Remote Desktop Gateway
has_public:t AND service_has_public:f AND ( (_asset.protocol:dtls OR _asset.protocol:http) AND ((protocol:dtls OR protocol:http) AND has:rdg.transport) )Potential External Access To SSH Server With Password Authentication
has_public:t AND service_has_public:f AND (_asset.protocol:ssh AND protocol:ssh AND ssh.authMethods:password)Potential External Access To Windows Management Service
has_public:t AND service_has_public:f AND ( ( _asset.protocol:smb AND protocol:smb ) OR ( _asset.protocol:epm AND protocol:epm ) OR ( _asset.protocol:wsman AND protocol:wsman ) )Publicly Exposed Key-Value Database Server
service_has_public:t AND (_asset.protocols:memcache OR _asset.protocols:redis) AND (protocol:memcache OR protocol:redis)Publicly Exposed NoSQL Database Server
service_has_public:t AND (_asset.protocols:mongodb OR _asset.protocols:couchdb OR _asset.protocols:cassandra OR _asset.protocols:elasticsearch OR _asset.protocols:riak OR _asset.protocols:influxdb) AND (protocol:mongodb OR protocol:couchdb OR protocol:cassandra protocol:elasticsearch OR protocol:riak OR protocol:influxdb)Publicly Exposed Operational Technology Service
service_has_public:t AND (_asset.protocols:bacnet OR _asset.protocols:modbus OR _asset.protocols:dnp3 OR _asset.protocols:opcua OR _asset.protocols:cip OR _asset.protocols:ethernetip OR _asset.protocols:profinet OR _asset.protocols:prosoft OR _asset.protocols:s7comm OR _asset.protocols:fins OR _asset.protocols:comtrol OR _asset.protocols:atg) AND (protocol:bacnet OR protocol:modbus OR protocol:dnp3 OR protocol:opcua OR protocol:cip OR protocol:ethernetip OR protocol:profinet OR protocol:prosoft OR protocol:s7comm OR protocol:fins OR protocol:comtrol OR protocol:atg)Publicly Exposed Relational Database Server
service_has_public:t AND ( _asset.protocol:=mysql OR _asset.protocol:=mysqlx OR _asset.protocol:=postgresql OR _asset.protocol:=mssql OR _asset.protocol:=oracledb) AND (protocol:=mysql OR protocol:=mysql OR protocol:=postgresql OR protocol:=mssql OR protocol:=oracledb)Cisco Smart Install Service
_asset.protocol:ciscosmi protocol:ciscosmiSun Solaris sadmind RPC Service
_asset.protocol:=rpcbind protocol:=rpcbind rpcbind.programs:"100232-v10-"Unauthenticated Android Debug Bridge
_asset.protocol:=adb AND protocol:=adb AND has:adb.access AND adb.access:="allowed"Unauthenticated Apache ZooKeeper Database
_asset.protocol:zookeeper AND protocol:zookeeper AND zk.access:allowedUnauthenticated CNCF etcd Database
_asset.protocol:etcd2 protocol:etcd2 etcd2.access:allowedUnauthenticated Distributed Ruby Service
_asset.protocol:=drbd AND protocol:=drbdUnauthenticated MongoDB Database
_asset.protocol:=mongodb AND protocol:=mongodb AND mongodb.auth:openZabbix Agent Without ACL
_asset.protocol:=zabbix-agent AND protocol:=zabbix-agent AND NOT zabbix.isLocal:trueUnauthenticated Apache CouchDB Database
_asset.protocol:=couchdb AND protocol:=couchdbUnauthenticated Cassandra Database
_asset.protocol:=cassandra AND protocol:=cassandraUnauthenticated Elastic Search Database
_asset.protocol:elasticsearch AND protocol:elasticsearchUnauthenticated HashiCorp Consul Database
_asset.protocol:consul protocol:consul has:consul.config.datacenterUnauthenticated InfluxDB Database
_asset.protocol:=influxdb AND protocol:=influxdb AND has:influxdb.databasesUnauthenticated Memcached Database
_asset.protocol:memcache AND protocol:memcacheUnauthenticated Redis Database
_asset.protocol:redis AND protocol:redis AND has:redis.redisVersionUnauthenticated Riak Database
(_asset.protocol:riak AND protocol:riak) OR (_asset.protocol:riak-http AND protocol:riak-http)Click Modular Router Shell
_asset.protocol:=click protocol:=clickUnauthenticated MongoDB Database (Limited)
_asset.protocol:mongodb AND protocol:mongodb AND mongodb.auth:limitedWorld-Readable NFS Export
_asset.protocol:=mountd AND protocol:="mountd" AND nfs.allowed:"%=*"Rapid Response: Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)
hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR (os_version:>="12.1.2" AND os_version:<"12.1.4-h6") OR (os_version:>="11.2.11" AND os_version:<"11.2.12") OR (os_version:>="11.2.8" AND os_version:<"11.2.10-h7") OR (os_version:>="11.2.5" AND os_version:<"11.2.7-h14") OR (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR (os_version:>="11.1.14" AND os_version:<"11.1.15") OR (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR (os_version:>="11.1.0" AND os_version:<"11.1.4-h33") OR (os_version:>="10.2.17" AND os_version:<"10.2.18-h6") OR (os_version:>="10.2.14" AND os_version:<"10.2.16-h7") OR (os_version:>="10.2.11" AND os_version:<"10.2.13-h21") OR (os_version:>="10.2.8" AND os_version:<"10.2.10-h36") OR (os_version:>="10.2.0" AND os_version:<"10.2.7-h34"))Rapid Response: Drupal Core SQL Injection (CVE-2026-9082)
vendor:=Drupal AND product:=DrupalRapid Response: Gogs Git Rebase Argument Injection RCE
vendor:=Gogs AND product:=GogsRapid Response: Vercel Next.js SSRF Via WebSocket Upgrades (CVE-2026-44578)
vendor:=Vercel AND product:="Next.js"Adobe Commerce & Magento Session Takeover With Unconfirmed RCE (CVE-2025-54236)
vendor:=Adobe AND product:=Magento AND (version:>0 AND version:<="2.4.9-alpha2")AirPlay Protocol Remote Code Execution (AirBorne)
hw:="apple%" AND protocol:airplay AND ( (os:="apple macos" AND ((osversion:>"13.0" AND osversion:<"13.7.5") OR (osversion:>"14.0" AND osversion:<"14.7.5") OR (osversion:>"15.0" AND osversion:<"15.4"))) OR (os:="apple ipados" AND ((osversion:>"17.0" AND osversion:<"17.7.6") OR (osversion:>"18.0" AND osversion:<"18.4"))) OR ((os:="apple tvos" OR os:="apple audioos") AND osversion:>0 AND osversion:<"18.4") OR (os:="apple ios" AND osversion:>0 AND osversion:<"18.4") OR (os:="apple visionos" AND osversion:>0 AND osversion:<"2.4") )Apache 2.4.49 < 2.4.51 Information Disclosure
_asset.protocol:=http product:HTTPD AND version:>=2.4.49 AND version:<2.4.51Apache ActiveMQ Remote Code Execution (CVE-2023-46604)
_asset.protocol:=activemq AND product:ActiveMQ AND ((version:>0 AND version:<5.15.16) OR (version:>=5.16.0 AND version:<5.16.7) OR (version:>=5.17.0 AND version:<5.17.6) OR (version:>=5.18.0 AND version:<5.18.3))Apache Solr Log4Shell Remote Code Execution
vendor:=Apache AND product:Solr AND ((version:>=7.4.0 AND version:<7.7.3) OR (version:>=8.0.0 AND version:<8.11.0))Apache Tomcat 10.1.0-M1 < 10.1.34 Multiple Vulnerabilities
product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.34)Apache Tomcat 11.0.0-M1 < 11.0.2 Multiple Vulnerabilities
product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.2)Apache Tomcat 9.0.0-M1 < 9.0.98 Multiple Vulnerabilities
product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.98)Apple tvOS < 16.2 Multiple Vulnerabilities
os:"Apple tvOS" AND osversion:>0 AND osversion:<16.2Apple tvOS < 18.6 Multiple Vulnerabilities
os:"Apple tvOS" AND osversion:>0 AND osversion:<18.6Apple tvOS < 26 Multiple Vulnerabilities
os:"Apple tvOS" AND osversion:>0 AND osversion:<26Atlassian Confluence 8.0 < 8.5.4 Remote Code Execution
vendor:=Atlassian AND product:Confluence AND (version:>=8.0 AND version:<8.5.4)Atlassian Confluence Cross-Site Scripting (CVE-2024-4367)
vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<7.19.25) OR (version:>=7.20.0 AND version:<8.5.11) OR (version:>=8.6.0 AND version:<8.9.3)) Atlassian Confluence Path Traversal (CVE-2019-3396)
vendor:=Atlassian AND product:Confluence AND NOT type:=Mobile AND ( (version:>0 AND version:<6.6.12) OR (version:>=6.7.0 AND version:<6.12.3) OR (version:>=6.13.0 AND version:<6.13.3) OR (version:>=6.14.0 AND version:<6.14.2))Atlassian Confluence Privilege Escalation (CVE-2023-22515)
vendor:=Atlassian AND product:Confluence AND ( (version:>=8.0 AND version:<8.3.3) OR (version:>=8.4.0 AND version:<8.4.3) OR (version:>=8.5.0 AND version:<8.5.2))Atlassian Confluence Remote Code Execution (CVE-2021-26084)
vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.13.23) OR (version:>=6.14.0 AND version:<7.4.11) OR (version:>=7.5.0 AND version:<7.11.6) OR (version:>=7.12.0 AND version:<7.12.5)) Atlassian Confluence Remote Code Execution (CVE-2022-26134)
vendor:=Atlassian AND product:Confluence AND ( (version:>=1.3.0 AND version:<7.4.17) OR (version:>=7.13.0 AND version:<7.13.7) OR (version:>=7.14.0 AND version:<7.14.3) OR (version:>=7.15.0 AND version:<7.15.2) OR (version:>=7.16.0 AND version:<7.16.4) OR (version:>=7.17.0 AND version:<7.17.4) OR (version:>=7.18.0 AND version:<7.18.1) OR )Atlassian Confluence Server-Side Request Forgery (CVE-2019-3395)
vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.6.7) OR (version:>=6.7.0 AND version:<6.8.5) OR (version:>=6.9.0 AND version:<6.9.3))Broadcom VMware ESXi Guest Escape
os:"vmware esxi" AND ((os_version:>0 AND os_version:<6) OR (os_version:>6 AND os_version:<"6.7.0 build-24514018") OR (os_version:>7 AND os_version:<"7.0.3 build-24585291") OR (os_version:>8 AND os_version:<"8.0.2") OR (os_version:>"8.0.2" AND os_version:<"8.0.2 build-24585300") OR (os_version:>"8.0.3" AND os_version:<"8.0.3 build-24585383"))Broadcom VMware ESXi VM Escape
os:"vmware esxi" AND ((os_version:>7 AND os_version:<"7.0.3 build-24784741") OR (os_version:>8 AND (os_version:<"8.0.2 build-24789317" OR os_version:<"8.0.3 build-24784735")))Cacti < 1.2.23 Remote Code Execution
_asset.products:Cacti AND vendor:=Cacti AND product:Cacti AND (version:>0 AND version:<1.2.23)Cisco Secure Firewall Management Center Multiple Vulnerabilities (2026-03)
os:="Cisco FMC%" AND os_version:>0 AND ((os_version:>="6.4.0.13" AND os_version:<="6.4.0.18") OR (os_version:>="7.0.0" AND os_version:<"7.0.9") OR (os_version:>="7.1.0" AND os_version:<"7.2.11") OR (os_version:>="7.3.0" AND os_version:<"7.4.6") OR (os_version:>="7.6.0" AND os_version:<"7.6.5") OR (os_version:>="7.7.0" AND os_version:<"7.7.12") OR (os_version:="10.0.0"))Cisco Small Business RV Series Routers Stack-Based Buffer Overflow Vulnerability (CVE-2022-20700)
((hw:="Cisco RV160%" OR hw:="Cisco RV260%") AND (os_version:>0 AND os_version:<="1.0.01.05")) OR ((hw:="Cisco RV340%" OR hw:="Cisco RV345%") AND (os_version:>0 AND os_version:<="1.0.03.24"))Cisco Small Business RV Series VPN Routers Remote Code Execution Vulnerability (CVE-2022-20699)
(hw:="Cisco RV340%" OR hw:="Cisco RV345%") AND (os_version:>0 AND os_version:<="1.0.03.24")Cleo Harmony < 5.8.0.21 Unrestricted File Upload/Download
vendor:=Cleo AND product:harmony AND (version:>0 AND version:<5.8.0.21)Cleo Lexicom < 5.8.0.21 Unrestricted File Upload/Download
vendor:=Cleo AND product:lexicom AND (version:>0 AND version:<5.8.0.21)Cleo VLTrader < 5.8.0.21 Unrestricted File Upload/Download
vendor:=Cleo AND product:vltrader AND (version:>0 AND version:<5.8.0.21)ConnectWise ScreenConnect < 23.9.8 Remote Code Execution
vendor:=ConnectWise AND product:ScreenConnect AND (version:>0 AND version:<23.9.8)Elastic Kibana 8.15.0 < 8.17.3 Remote Code Execution
vendor:=Elastic AND product:kibana AND (version:>8.14 AND version:<8.17.3)Elasticsearch < 1.2 Remote Code Execution
vendor:=Elastic AND (product:=Search OR product:=Elasticsearch) AND ( (version:>0 AND version:<1.2 AND NOT version:"0:%") OR (version:"0:%" AND version:>"0:0" AND version:<"0:1.2"))F5 Big-IP Remote Code Execution (CVE-2021-22986)
os:="F5 Networks BIG-IP" AND ( (osversion:>"12.1" AND osversion:<"12.1.5.3") OR (osversion:>"13.1" AND osversion:<"13.1.3.6") OR (osversion:>"14.1" AND osversion:<"14.1.4") OR (osversion:>"15.1" AND osversion:<"15.1.2.1") OR (osversion:>"16.0" AND osversion:<"16.0.1.1") )Fortinet FortiOS Out-Of-Bound Write Vulnerability (CVE-2024-21762)
os:="Fortinet FortiOS" AND ((os_version:>="7.4.0" AND os_version:<"7.4.3") OR (os_version:>="7.2.0" AND os_version:<"7.2.7") OR (os_version:>="7.0.0" AND os_version:<"7.0.14") OR (os_version:>="2.0.0" AND os_version:<"2.0.14") OR (os_version:>="1.2.0" AND os_version:<"1.2.14") OR (os_version:>="1.1.0" AND os_version:<"1.1.7") OR (os_version:>="1.0.0" AND os_version:<"1.0.8"))Fortinet Multiple Products Format String Vulnerability (CVE-2024-23113)
(os:="Fortinet FortiOS" AND ((os_version:>="7.4.0" AND os_version:<"7.4.3") OR (os_version:>="7.2.0" AND os_version:<"7.2.7") OR (os_version:>="7.0.0" AND os_version:<"7.0.15"))) OR (os:="Fortinet FortiPAM" AND ((os_version:>="1.0.0" AND os_version:<"1.0.4") OR (os_version:>="1.1.0" AND os_version:<"1.1.3") OR (os_version:="1.2.0")))Fortra GoAnywhere MFT License Servlet Deserialization Vulnerability (CVE-2025-10035)
vendor:=Fortra AND product:="GoAnywhere Managed File Transfer" AND (version:>0 AND version:<7.8.4 AND NOT version:=7.6.3)GitLab Remote Code Execution (CVE-2021-22205)
vendor:=GitLab AND product:gitlab AND ((version:>11.9 AND version:<13.8.7) OR (version:>13.9 AND version:<13.9.5) OR (version:>13.10 AND version:<13.10.2))Grandstream GXP1600 Series VoIP Phone RCE (CVE-2026-2329)
hw:="Grandstream GXP16__" AND (os_version:>0 AND os_version:<"1.0.7.81")HPE OneView Remote Code Execution (CVE-2025-37164)
vendor:="HPE" AND product:="OneView" AND version:>0 AND version:<=10.20HPE iLO 4 Authentication Bypass
os:"iLO 4" and os_version:>0 AND os_version:<2.53HashiCorp Vault Multiple Vulnerabilities - HCSEC-2025-22
vendor:="HashiCorp" AND product:"Vault" AND ( (version:>=1.20.0 AND version:<1.20.2) OR (version:>=1.19.0 AND version:<1.19.8) OR (version:>=1.18.0 AND version:<1.18.13) OR (version:>0 AND version:<1.16.24))IPMI 1.5 Legacy Null Authentication
_asset.protocols:ipmi AND ipmi.passAuth:noneIPMI Cipher Zero Authentication Bypass (CVE-2013-4782)
_asset.protocols:ipmi AND has:ipmi.cipherZeroIPMI RAKP+ Weak Or Default Passwords (CVE-2013-4786)
_asset.protocols:ipmi AND has:ipmi.rakp.crackedLangflow RCE (CVE-2026-33017)
vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.8.2)Microsoft OMI WSMAN Authentication Bypass
_asset.protocol:wsman AND wsman.productVendor:="Open Management Infrastructure" AND (wsman.productVersion:=0.% or wsman.productVersion:=1.0.% or wsman.productVersion:=1.1.% or wsman.productVersion:1.2.% or wsman.productVersion:=1.3.% or wsman.productVersion:=1.4.% or wsman.productVersion:=1.5.% or wsman.productVersion:=1.6.0-% or wsman.productVersion:=1.6.1-% or wsman.productVersion:=1.6.2-% or wsman.productVersion:=1.6.3-% or wsman.productVersion:=1.6.4-% or wsman.productVersion:=1.6.5-% or wsman.productVersion:=1.6.6-% or wsman.productVersion:=1.6.7-% or wsman.productVersion:=1.6.8-0)Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2026-20963)
vendor:=Microsoft AND ( (product:="SharePoint Server 2016" AND (version:>=16.0.4107.1002 AND version:<16.0.5535.1001)) OR (product:="SharePoint Server 2019" AND (version:>=16.0.10711.37301 AND version:<16.0.10417.20083)) OR (product:="SharePoint Server Subscription Edition" AND (version:>=16.0.0.1 AND version:<16.0.19127.20442)) )MikroTik Router OS Directory Traversal Vulnerability (CVE-2018-14847)
os:="MikroTik RouterOS" AND (os_version:>"0" AND os_version:<="6.42")Monsta FTP RCE (CVE-2025-34299)
vendor:="Monsta Limited" AND product:="Monsta FTP" AND version:>0 AND version:<2.11.3Multiple Fortinet Products Authentication Bypass (CVE-2025-59718 and CVE-2025-59719)
os:="Fortinet FortiOS" AND os_version:>0 AND ((os_version:>="7.6.0" AND os_version:<="7.6.3") OR (os_version:>="7.4.0" AND os_version:<="7.4.8") OR (os_version:>="7.2.0" AND os_version:<="7.2.11") OR (os_version:>="7.0.0" AND os_version:<="7.0.17"))Multiple Fortinet Products Buffer Overflow
hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:="7.2.0") OR (osversion:>"7.0.0" AND osversion:<"7.0.7") OR (osversion:>="6.4.0" AND osversion:<"6.4.11"))Novi Survey Insecure Deserialization Vulnerability
vendor:="3rd Millennium" AND product:="Novi Survey" AND (version:>"0" AND version:<"8.9.43676") PHP 8.1.0 < 8.1.29 Multiple Vulnerabilities
os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.1 AND version:<8.1.29)PHP 8.2.0 < 8.2.20 Multiple Vulnerabilities
os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.2 AND version:<8.2.20)PHP 8.3.0 < 8.3.8 Multiple Vulnerabilities
os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.3 AND version:<8.3.8)Palo Alto Networks PAN-OS Authentication Bypass
os:="Palo Alto Networks PAN-OS" AND (osversion:>"11.1.6-h1" AND osversion:<11.2.4-h4) AND (osversion:>"10.2.13-h3" AND osversion:<11.1.6-h1) AND (osversion:>"10.1.14-h9" AND osversion:<"10.2.13-h3") AND (osversion:>"10.1.0" AND osversion:<"10.1.14-h9")Plesk Panel 9.0.X < 9.2.3 Remote Code Execution
not os:Windows AND vendor:=parallels AND product:=plesk AND (version:>9.0.0 AND version:<9.5.4)Redis Multiple Vulnerabilities (2025-10)
vendor:=Redis AND product:=Redis AND (version:>0 AND ( (version:>=6.2 AND version:<6.2.20) OR (version:>=7.2 AND version:<7.2.11) OR (version:>=7.4 AND version:<7.4.6) OR (version:>=8.0 AND version:<8.0.4) OR (version:>=8.2 AND version:<8.2.2)))Rejetto HTTP File Server 2 Remote Code Execution
vendor:=Rejetto AND product:"HTTP File Server" AND version:>0 AND version:<3Rejetto HTTP File Server 2.0 < 2.3M Remote Code Execution
os:Windows AND vendor:=Rejetto AND product:"HTTP File Server" AND version:>=2.0 AND version:<"2.3m" Rockwell Automation ControlLogix Ethernet RCE (CVE-2025-7353)
((_asset.protocol:="cip" OR asset.protocol:="cip-udp") AND protocol:"cip" AND (cip.product:="1756-EN2T/D" OR cip.product:="1756-EN2F/C" OR cip.product:="1756-EN2TR/C" OR cip.product:="1756-EN3TR/B" OR cip.product:="1756-EN2TP/A") AND (cip.revision:>"0" AND (cip.revision:<"12" OR cip.revision:"12.0%"))) OR ((_asset.protocol:="ethernetip" OR asset.protocol:="ethernetip-udp") AND protocol:"ethernetip" AND (ethernetip.product:="1756-EN2T/D" OR ethernetip.product:="1756-EN2F/C" OR ethernetip.product:="1756-EN2TR/C" OR ethernetip.product:="1756-EN3TR/B" OR ethernetip.product:="1756-EN2TP/A") AND (ethernetip.revision:>"0" AND (ethernetip.revision:<"12" OR ethernetip.revision:"12.0%")))Roundcube Webmail Remote Code Execution
vendor:=Roundcube AND product:=Webmail AND ((version:>=1.5 AND version:<1.5.10) OR (version:>=1.6 AND version:<1.6.11))SAP NetWeaver (RMI-P4) Insecure Deserialization (CVE-2025-42944)
vendor:=SAP AND product:"NetWeaver" AND (version:>0 AND version:<=7.50)Sangoma FreePBX RCE (CVE-2025-57819)
((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND (version:>0 AND (version:<"15.0.66(%)" OR version:<"16.0.89(%)" OR version:<"17.0.3(%)"))SolarWinds Web Help Desk Multiple Vulnerabilities (2026-01)
vendor:=SolarWinds AND product:="Web Help Desk" AND (version:>0 AND version:<12.8.8.2585)SolarWinds Web Help Desk RCE (CVE-2025-26399)
vendor:=SolarWinds AND product:="Web Help Desk" AND (version:>0 AND version:<12.8.7.2174)SonicWall SMA1000 < 12.4.3 Remote Code Execution
hw:="SonicWall SMA1000" AND (osversion:>0 AND osversion:<12.4.3)SonicWall SSLVPN Authentication Bypass (CVE-2024-53704)
os:SonicOS AND ( (osversion:>"6.0" AND osversion:<"6.5.5.1-6n") OR (osversion:>"7.0" AND osversion:<"7.0.1-5165") OR (osversion:>"7.1" AND osversion:<"7.1.3-7015") OR (hw:TZ80 AND osversion:>"8.0" AND osversion:<"8.0.0-8037"))SonicWall SonicOS Buffer Overflow Vulnerability (CVE-2020-5135)
os:="SonicWall SonicOS" AND (os_version:="7.0.0.0" OR os_version:="6.5.4.7" OR os_version:="6.5.1.12" OR os_version:="6.0.5.3" OR os_version:="6.5.4.v")SonicWall SonicOS Improper Access Control Vulnerability (CVE-2024-40766)
hw:="SonicWall%" AND ((os_version:>0 AND os_version:<"5.9.2.14-13o") OR (os_version:>"6.0" AND os_version:<"6.5.4.15.116n") OR (os_version:>"7.0" AND os_version:<"7.0.1-5035") OR (os_version:>"6.0" AND os_version:<"6.5.2.8-2n" AND (hw:"SM9800" OR hw:"NSsp 12400" OR hw:"NSsp 12800")))Squid Information Disclosure (CVE-2025-62168)
vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<7.2)Squid URN Handling Buffer Overflow (CVE-2025-54574)
vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<6.4)UniFi Network Application Multiple Vulnerabilities (2026-03)
vendor:=Ubiquiti AND product:="UniFi Network" AND version:>0 AND (version:<9.0.118 OR (version:>=10.1.0 AND version:<10.1.89) OR (version:>=10.2.0 AND version:<10.2.97))VMware vCenter Server 7.0 < 7.0 U3t / 8.0 < 8.0 U3d Multiple Vulnerabilities
vendor:=VMware AND (product:"vcenter server" OR product:"cloud foundation") AND ((version:>7.0 AND version:<"7.0.3 build-24322018") OR (version:>8.0 AND version:<"8.0.3 build-24322831"))Valkey Multiple Vulnerabilities (2025-10)
(vendor:=valkey OR vendor:="Fedora Project") AND product:=valkey AND (version:>0 AND ( (version:>=7.2 AND version:<7.2.11) OR (version:>=8.0 AND version:<8.0.6) OR (version:>=8.1 AND version:<8.1.4)))Veeam Backup & Replication Multiple Vulnerabilities (2026-03)
vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication") AND ((version:>=12.3 AND version:<12.3.2.4465) OR (version:>=13.0 AND version:<13.0.1.2067))Veeam Backup & Replication RCE Multiple Vulnerabilities (2025-10)
vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication") AND (version:>0 AND version:>=12 AND version:<12.3.2.4165)Zyxel Multiple Firewalls Buffer Overflow Vulnerability (CVE-2023-33009)
((os:="Zyxel ATP%" OR os:="Zyxel USG Flex%" OR os:="Zyxel USG20W-VPN" OR os:="Zyxel USG20-VPN" OR os:="Zyxel VPN%") AND (os_version:>="4.60" AND os_version:<="5.36")) OR ((os:="Zyxel USG40%" OR os:="Zyxel USG60%") AND (os_version:>="4.60" AND os_version:<="4.73"))Zyxel Multiple Firewalls Buffer Overflow Vulnerability (CVE-2023-33010)
(os:="Zyxel ATP%" AND (os_version:>="4.32" AND os_version:<="5.36")) OR (os:="Zyxel USG Flex 50W" AND (os_version:>="4.25" AND os_version:<="5.36")) OR (os:="Zyxel USG20W-VPN" AND (os_version:>="4.25" AND os_version:<="5.36")) OR ((os:="Zyxel USG20%" OR os:="Zyxel USG40%" OR os:="Zyxel USG60%") AND (os_version:>="4.50" AND os_version:<="5.36")) OR (os:="Zyxel USG Flex%" AND (os_version:>="4.25" AND os_version:<="4.73" AND not os:="Zyxel USG Flex 50W")) OR (os:="Zyxel VPN%" AND (os_version:>="4.30" AND os_version:<="5.36"))Zyxel Multiple Firewalls OS Command Injection Vulnerability (CVE-2023-28771)
((os:="Zyxel ATP%" OR os:="Zyxel USG Flex%" OR os:="Zyxel VPN%") AND (os_version:>="4.60" AND os_version:<="5.35")) OR ((os:="Zyxel %USG100" OR os:="Zyxel %USG300") AND (os_version:>="4.60" AND os_version:<="4.73"))Zyxel Multiple Firewalls Path Traversal Vulnerability (CVE-2024-11667)
(os:="Zyxel ATP%" AND (os_version:>="5.00" AND os_version:<"5.39")) OR (os:="Zyxel USG20W-VPN" AND (os_version:>="5.10" AND os_version:<"5.39")) OR (os:="Zyxel USG Flex 50W" AND (os_version:>="5.10" AND os_version:<"5.39")) OR (os:="Zyxel USG Flex%" AND (os_version:>="5.00" AND os_version:<"5.39"))n8n Unauthenticated File Access (CVE-2026-21858)
vendor:=n8n AND product:=n8n AND version:>0 AND (version:>=1.65.0 AND version:<1.121.0) Apache HTTP Server HTTP2 Double Free And Possible RCE (CVE-2026-23918)
vendor:=Apache AND product:=HTTPD AND version:>0 AND version:=2.4.66Apache Tomcat 10.1.0-M1 < 10.1.43 Multiple Vulnerabilities
product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.43)Apache Tomcat 10.1.0-M1 < 10.1.44 HTTP/2 MadeYouReset DoS
product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.44)Apache Tomcat 11.0.0-M1 < 11.0.10 Multiple Vulnerabilities
product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.10)Apache Tomcat 11.0.0-M1 < 11.0.9 Multiple Vulnerabilities
product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.9)Apache Tomcat 9.0.0-M1 < 9.0.107 Multiple Vulnerabilities
product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.107)Apache Tomcat 9.0.0-M1 < 9.0.108 HTTP/2 MadeYouReset DoS
product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.108)Apache Tomcat Partial PUT Deserialization Vulnerability
_asset.products:"Tomcat" AND product:"Tomcat" AND ((version:>=11.0.0 AND version:<11.0.3) OR (version:>=10.1.0 AND version:<10.1.35) OR (version:>=9.0.0 AND version:<9.0.99))Apple Device Ecosystem Multiple Vulnerabilities (Coruna)
(os:="apple ios" OR os:="apple ipados" ) AND ((osversion:>="17.0" AND osversion:<"17.5") OR (osversion:>="16.0" AND osversion:<"16.7.8") OR (osversion:>="15.0" AND osversion:<"15.7.8") OR (osversion:>="13.0" AND osversion:<"14.7"))Apple Device Ecosystem Multiple Vulnerabilities (DarkSword)
(os:="apple ios" OR os:="apple ipados" OR os:="apple tvos" OR os:="apple macos" OR os:="apple watchos" OR os:="apple visionos") AND osversion:>0 AND ( (osversion:>="26.0" AND osversion:<"26.3") OR (osversion:>="18.0" AND osversion:<"18.7.3") )Apple tvOS < 11.4 Multiple Vulnerabilities
os:"Apple tvOS" AND osversion:>0 AND osversion:<11.4Apple tvOS < 13.3.1 Multiple Vulnerabilities
os:"Apple tvOS" AND osversion:>0 AND osversion:<13.3.1Apple tvOS < 15.2 Multiple Vulnerabilities
os:"Apple tvOS" AND osversion:>0 AND osversion:<15.2Arcserve Unified Data Protection < 10.2 Heap Overflow Vulnerabilities
vendor:=Arcserve AND product:=UDP AND version:>0 AND version:<10.2Atlassian Confluence 5.2 < 7.19.22 Remote Code Execution
vendor:=Atlassian AND product:Confluence AND (version:>=5.2 AND version:<7.19.22)Cisco ConfD SSH Server Remote Code Execution
vendor:="Cisco" AND product:="ConfD" AND ( (version:>"7.0.0.0" AND version:<"7.7.19.1") OR (version:>"8.0.0.0" AND version:<"8.0.17.1") OR (version:>"8.1.0.0" AND version:<"8.1.16.2") OR (version:>"8.2.0.0" AND version:<"8.2.11.1") OR (version:>"8.3.0.0" AND version:<"8.3.8.1") OR (version:>"8.4.0.0" AND version:<"8.4.4.1"))Cisco IOS XE Arbitrary File Upload
os:="Cisco IOS XE" AND hw:"Catalyst" AND ( (osversion:>="17.7.0" AND osversion:<="17.7.1") OR (osversion:>="17.10.0" AND osversion:<="17.10.1") OR (osversion:>="17.8.0" AND osversion:<="17.8.1") OR (osversion:>="17.9.0" AND osversion:<="17.9.5") OR (osversion:>="17.11.0" AND osversion:<="17.11.1") OR (osversion:>="17.12.0" AND osversion:<="17.2.3") OR (osversion:>="17.13.0" AND osversion:<="17.13.1") OR (osversion:>="17.14.0" AND osversion:<="17.14.1") OR (osversion:>="17.11.0" AND osversion:<="17.11.99") )Commvault Command Center Remote Code Execution
vendor:="Commvault" AND product:="Command Center" AND version:>"11.38.0" AND version:<"11.38.20"ConnectWise ScreenConnect < 25.2.4 ViewState Code Injection
vendor:=ConnectWise AND product:=ScreenConnect AND (version:>0 AND version:<25.2.4)CrowdStrike Falcon LogScale Unauthenticated Path Traversal (CVE-2026-40050)
vendor:="CrowdStrike" AND product:="LogScale" AND version:>0 AND ((version:>=1.224.0 AND version:<=1.234.0) AND NOT ((version:>=1.228.2 AND version:<1.229.0) OR (version:>=1.233.1 AND version:<1.234.0)))Dell EMC Unity, UnityVSA, And Unity XT
os:"EMC Unity" AND osversion:>0 AND osversion:<5.5.0.0.0.5.259DrayTek Vigor2960/Vigor300B Command Injection
(hw:"DrayTek Vigor2960" OR hw:"DrayTek Vigor300b" OR hw:"DrayTek Vigor 2960" OR hw:"DrayTek Vigor 300b") AND osversion:>0 AND osversion:<"1.5.1.5"Eclipse Jetty 12.0 < 12.0.25 HTTP/2 MadeYouReset DoS
(vendor:=Eclipse OR vendor:="Mort Bay") AND product:Jetty AND (version:>12 AND version:<12.0.25)Erlang OTP SSH Server Remote Code Execution
_asset.protocols:ssh AND vendor:="Erlang" AND product:="SSH" AND ((version:>=5.2.0 AND version:<5.2.10) OR (version:>4.0.0.0 AND version:<4.15.3.12) OR (version:>5.1.0.0 AND version:<5.1.4.7))Fortinet FortiVoice SQL Injection (CVE-2025-58692)
hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:>"7.2.0" AND osversion:<"7.2.3") OR (osversion:>"7.0.0" AND osversion:<"7.0.8"))IPMI RAKP+ Password Hash Disclosure (CVE-2013-4786)
_asset.protocols:ipmi AND has:ipmi.rakp.hashesISC BIND Multiple Vulnerabilities (2025-10)
vendor:=ISC AND product:=BIND AND (version:>0 AND ( (version:>=9 AND version:<9.11.0) OR (version:>=9.11.0 AND version:<=9.16.50) OR (version:>=9.18.0 AND version:<=9.18.39) OR (version:>=9.20.0 AND version:<=9.20.13) OR (version:>=9.21.0 AND version:<=9.21.12) OR (version:>="9.11.3-S1" AND version:<="9.16.50-S1") OR (version:>="9.18.11-S1" AND version:<="9.18.39-S1") OR (version:>="9.20.9-S1" AND version:<="9.20.13-S1")))Langflow Authentication Bypass
_asset.protocol:=http AND vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.3.0)Lantronix Xport Authentication Bypass
hw:lantronix AND ((os:="Lantronix XPort%" AND not os:="Lantronix XPort Edge%") OR (lantronix.type:="XE" OR lantronix.type:="SE" OR lantronix.type:="AR" OR lantronix.type:="EH"))MongoDB Pre-Authentication Memory Leak (CVE-2025-14847)
(vendor:=MongoDB AND (product:=MongoDB OR product:="MongoDB MongoDB")) AND (version:>0 AND ( (version:>=3.6.0 AND version:<3.7) OR (version:>=4.0.0 AND version:<4.1) OR (version:>=4.2.0 AND version:<4.3) OR (version:>=4.4.0 AND version:<4.4.30) OR (version:>=5.0.0 AND version:<5.0.32) OR (version:>=6.0.0 AND version:<6.0.27) OR (version:>=7.0.0 AND version:<7.0.28) OR (version:>=8.0.0 AND version:<8.0.17) OR (version:>=8.2.0 AND version:<8.2.3)))Multiple Fortinet Products Unauthenticated RCE (CVE-2025-25249)
os:="Fortinet FortiOS" AND os_version:>0 AND ((os_version:>="7.6.0" AND os_version:<="7.6.3") OR (os_version:>="7.4.0" AND os_version:<="7.4.8") OR (os_version:>="7.2.0" AND os_version:<="7.2.11") OR (os_version:>="7.0.0" AND os_version:<="7.0.17") OR (os_version:>="6.4.0" AND os_version:<="6.4.16"))Multiple Vulnerabilities In Microsoft SQL Server (2025-07)
vendor:=Microsoft AND (product:="SQL Server" OR product:="SQL Server 20%") AND ((version:>=13.0.0 AND version:<13.0.6460.7 AND NOT version:="13.0.6460") OR (version:>=14.0.0 AND version:<14.0.3495.9 AND NOT version:="14.0.3495") OR (version:>=15.0.0 AND version:<15.0.4435.7 AND NOT version:="15.0.4435") OR (version:>=16.0.0 AND version:<16.0.4200.1 AND NOT version:="16.0.4200"))Palo Alto Networks PAN-OS RCE In IKEv2 Processing (CVE-2026-0263)
hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR (os_version:>="12.1.2" AND os_version:<"12.1.4-h5") OR (os_version:>="11.2.11" AND os_version:<"11.2.12") OR (os_version:>="11.2.8" AND os_version:<"11.2.10-h6") OR (os_version:>="11.2.5" AND os_version:<"11.2.7-h13") OR (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR (os_version:>="11.1.14" AND os_version:<"11.1.15") OR (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR (os_version:>="11.1.0" AND os_version:<"11.1.4-h33"))PowerDNS Recursor Multiple Vulnerabilities (2025-10)
vendor:=PowerDNS AND product:=Recursor AND (version:>0 AND ( (version:>=5.1 AND version:<5.1.8) OR (version:>=5.2 AND version:<5.2.6) OR (version:>=5.3 AND version:<5.3.1)))SAP NetWeaver Visual Composer Metadata Uploader Arbitrary File Upload
vendor:="SAP" AND product:"NetWeaver" AND (version:>7.0 AND version:<7.55)Samsung MagicINFO Path Traversal Vulnerability
vendor:="Samsung" AND product:"MagicINFO Server" AND version:>0 AND version:<"21.1052"Solr 5.0.0 < 8.4.0 Remote Code Execution
vendor:=Apache AND product:Solr AND (version:>=5.0.0 AND version:<8.4.0)SonicWall SonicOS Multiple Vulnerabilities (2026-04)
hw:="SonicWall%" AND os:="SonicWall SonicOS%" AND os_version:>0 AND ((os_version:<"6.5.5.2-28n") OR (os_version:>="7.0" AND os_version:<"7.3.2-7010") OR (os_version:>="8.0" AND os_version:<"8.2.0-8009"))SysAid Help Desk XML Entity Remote Code Execution
vendor:="SysAid" AND product:"Help Desk" AND version:>0 AND version:<24.4.60Trimble Cityworks File Deserialization Vulnerability
vendor:="Trimble" AND product:="Cityworks" AND version:>0 AND version:<"23.10"VMware ESXi OpenSLP Heap Buffer Overflow
os:="VMware ESX%" and port:427 and ( os_version:="1.%" or os_version:="2.%" or os_version:="3.%" or os_version:="4.%" or os_version:="5.%" or os_version:="6.0%" or os_version:="6.5.0 build-4564106" or os_version:="6.5.0 build-4887370" or os_version:="6.5.0 build-5146843" or os_version:="6.5.0 build-5146846" or os_version:="6.5.0 build-5224529" or os_version:="6.5.0 build-5310538" or os_version:="6.5.0 build-5969300" or os_version:="6.5.0 build-5969303" or os_version:="6.5.0 build-6765664" or os_version:="6.5.0 build-7273056" or os_version:="6.5.0 build-7388607" or os_version:="6.5.0 build-7967591" or os_version:="6.5.0 build-8285314" or os_version:="6.5.0 build-8294253" or os_version:="6.5.0 build-8935087" or os_version:="6.5.0 build-9298722" or os_version:="6.5.0 build-10175896" or os_version:="6.5.0 build-10390116" or os_version:="6.5.0 build-10719125" or os_version:="6.5.0 build-10868328" or os_version:="6.5.0 build-10884925" or os_version:="6.5.0 build-11925212" or os_version:="6.5.0 build-13004031" or os_version:="6.5.0 build-13635690" or os_version:="6.5.0 build-13873656" or os_version:="6.5.0 build-13932383" or os_version:="6.5.0 build-14320405" or os_version:="6.5.0 build-14874964" or os_version:="6.5.0 build-14990892" or os_version:="6.5.0 build-15256468" or os_version:="6.5.0 build-15177306" or os_version:="6.5.0 build-15256549" or os_version:="6.5.0 build-16207673" or os_version:="6.5.0 build-16389870" or os_version:="6.5.0 build-16576879" or os_version:="6.5.0 build-16576891" or os_version:="6.5.0 build-16901156" or os_version:="6.5.0 build-17097218" or os_version:="6.5.0 build-17167537" or os_version:="6.7.0 build-8169922" or os_version:="6.7.0 build-8941472" or os_version:="6.7.0 build-9214924" or os_version:="6.7.0 build-9484548" or os_version:="6.7.0 build-10176752" or os_version:="6.7.0 build-10176879" or os_version:="6.7.0 build-10302608" or os_version:="6.7.0 build-10764712" or os_version:="6.7.0 build-11675023" or os_version:="6.7.0 build-13004448" or os_version:="6.7.0 build-12986307" or os_version:="6.7.0 build-13006603" or os_version:="6.7.0 build-13473784" or os_version:="6.7.0 build-13644319" or os_version:="6.7.0 build-13981272" or os_version:="6.7.0 build-14141615" or os_version:="6.7.0 build-14320388" or os_version:="6.7.0 build-15018017" or os_version:="6.7.0 build-15160134" or os_version:="6.7.0 build-15160138" or os_version:="6.7.0 build-15999342" or os_version:="6.7.0 build-15820472" or os_version:="6.7.0 build-16075168" or os_version:="6.7.0 build-16316930" or os_version:="6.7.0 build-16701467" or os_version:="6.7.0 build-16713306" or os_version:="6.7.0 build-16773714" or os_version:="6.7.0 build-17167699" or os_version:="6.7.0 build-17098360" or os_version:="6.7.0 build-17167734" or os_version:="7.0.0%" or os_version:="7.0.1 build-16850804" or os_version:="7.0.1 build-17119627" or os_version:="7.0.1 build-17168206" or os_version:="7.0.1 build-17325020")AirPlay SDK Remote Code Execution (AirBorne)
vendor:=Apple AND product:="AirPlay SDK" AND ((version:>2.0 AND version:<2.7.1) OR (version:>3.0 AND version:<3.6.0.126))Cisco IOS XR Open Port Vulnerability (CVE-2022-20821)
((hw:="Cisco NCS%" OR hw:="Cisco 8201" OR hw:="Cisco 8202" OR hw:="Cisco 8208" OR hw:="Cisco 8212" OR hw:="Cisco 8218") AND tcp_port:=6379)GitLab SAML Authentication Bypass
vendor:=GitLab AND product:gitlab AND ((version:>17.9 AND version:<17.9.2) OR (version:>17.8 AND version:<17.8.5) OR (version:>17.7 AND version:<17.7.7))Juniper Junos OS EX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36847)
hw:="Juniper EX%" AND os:="Juniper Junos OS" AND ((os_version:>"0" AND os_version:<"20.4R3-S8") OR (os_version:>="21.1" AND os_version:<"21.2R3-S6") OR (os_version:>="21.3" AND os_version:<"21.3R3-S5") OR (os_version:>="21.4" AND os_version:<"21.4R3-S4") OR (os_version:>="22.1" AND os_version:<"22.1R3-S3") OR (os_version:>="22.2" AND os_version:<"22.2R3-S1") OR (os_version:>="22.3" AND os_version:<"22.3R2-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S1"))Juniper Junos OS SRX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36846)
hw:="Juniper SRX%" AND os:="Juniper Junos OS" AND ((os_version:>"0" AND os_version:<"20.4R3-S8") OR (os_version:>="21.1R1" AND os_version:<"21.2R3-S6") OR (os_version:>="21.3" AND os_version:<"21.3R3-S5") OR (os_version:>="21.4" AND os_version:<"21.4R3-S5") OR (os_version:>="22.1" AND os_version:<"22.1R3-S3") OR (os_version:>="22.2" AND os_version:<"22.2R3-S2") OR (os_version:>="22.3" AND os_version:<"22.3R2-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S1"))Juniper Junos OS SRX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36851)
hw:="Juniper SRX%" AND os:="Juniper Junos OS" AND ((os_version:>="21.2" AND os_version:<"21.2R3-S8") OR (os_version:>="21.4" AND os_version:<"21.4R3-S6") OR (os_version:>="22.1" AND os_version:<"22.1R3-S5") OR (os_version:>="22.2" AND os_version:<"22.2R3-S3") OR (os_version:>="22.3" AND os_version:<"22.3R3-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S2") OR (os_version:>="23.2" AND os_version:<"23.2R1-S2"))Microsoft SharePoint Improper Authentication Vulnerability (CVE-2025-49705)
vendor:=Microsoft AND product:="SharePoint Server%" AND ((version:>=16.0.4366.1000 AND version:<16.0.5508.1000) OR (version:>=16.0.10338.12107 AND version:<16.0.10417.20059) OR (version:>=16.0.14326.20620 AND version:<16.0.18526.20424))OpenSSH 9.1p1 Double-Free
_asset.protocol:=ssh AND protocol:=ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")Plex Media Server 1.41.7.X To 1.42.0.X < 1.42.1 Undisclosed Vulnerability (CVE-2025-34158)
vendor:=Plex AND product:"Media Server" AND (version:>0 AND version:<"1.42.1")lighttpd Web Server Out-of-Bounds Memory Read
product:lighttpd (_service.product:=lighttpd:lighttpd:1.4.0% OR _service.product:=lighttpd:lighttpd:1.4.1% OR _service.product:=lighttpd:lighttpd:1.4.2% OR _service.product:=lighttpd:lighttpd:1.4.3% OR _service.product:=lighttpd:lighttpd:1.4.4%)Assets With Active RR Vulnerability
finding_code:rz-finding-rapid-response-assets OR finding_code:rz-finding-rapid-response-servicesExploitable Cloud Assets
vuln_exploitable:t AND attack_surface:cloudExploitable External Assets
vuln_exploitable:t AND attack_surface:externalExploitable Internal Assets
vuln_exploitable:t AND attack_surface:internalExploitable Vulnerabilities
exploitable:trunZero includes a substantial library of pre-built queries. These queries can be used to detect vulnerabilities, trigger alerts, and apply changes to assets, such as tags and ownership. These queries are categorized by use case and risk level. Custom queries can also be configured to report vulnerabilities on matching assets and services.
]]>4
Rapid Responses
3
software
1
assets
4 of 4 rapid responses
Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)
PAN-OS is the proprietary operating system that powers all Palo Alto Networks Next-Generation Firewalls (NGFW) across physical, virtual, and cloud environments. It uses a Single-Pass Parallel Processing (SP3) architecture to provide deep visibility and control over network traffic by identifying applications, users, and content simultaneously.
]]>Comprehensive asset inventory
runZero provides a comprehensive and unified asset inventory by combining active scanning, passive traffic sampling, and integrations with deep fingerprinting and world-class correlation capabilities. Assets are normalized, deduplicated, and tracked as they move across your environment.
]]>Integrate runZero with Thinkst Canary
- Sign in to your runZero console.
- Sign in to your Canary console.
- Go to Global Settings under the gear icon.
- Click on Integrations.
- Toggle the runZero switch.
Accessing runZero data from Canary
After the integration is enabled within the Canary settings, runZero data will be available through any incident. When viewing an incident, click the magnifying glass icon under source IP or reverse IP lookup to open a search in your runZero console.
Requirements
- A Tines account
- runZero Export API and Organization API tokens
There are two ways to integrate runZero and Tines:
- Follow the steps to create a custom story in Tines, or
- Use the runZero sample story to begin with a story outline.
Tines custom story
A Tines story is a collection of actions that work together towards a specific goal, like a playbook. Tines has a Story Library that contains ready-made automated playbooks, or you can create a your own custom story if they don’t have one that matches your needs. That’s what we’ll need to do here.
]]>Setting up the connection between Sumo Logic and runZero requires:
- Creating a Sumo Logic HTTP Source
- Creating a runZero alert template
- Creating a rule in runZero
- Handling runZero data in Sumo Logic
- Creating a Sumo Logic dashboard (optional)
Step 1: Create a Sumo Logic HTTP Source
- After logging in to Sumo Logic, navigate to Manage Data > Collection.
- Click Add Collector select Hosted Collector, provide a name, such as
runZero Collectorand click save. - If prompted to add a data source, click OK. Otherwise, find your Collector in the list and click Add Source.
- Select the HTTP Logs and Metrics source, provide a name, such as
runZero Alerts, and then click save. - Copy the URL provided to use in step 2.
Step 2: Create a runZero alert template
- Create an alert template in runZero and provide the following details:
- Name: Name for template
- Template type: JSON
- Subject line for message: Leave empty
- Body of message: The following JSON example will include the rule name and the search URL in the alert message body
{"rule_name":"{{rule.name}}","search_url":"{{search.url}}","found": "{{search.found}}", "assets_new": "{{scan.assets_new}}"}
- Create an alert channel in runZero and provide the following details:
- Name: Name for alert channel
- Channel type: Webhook
- Webhook URL: The webhook URL you copied from Sumo Logic
Step 3: Create a rule in runZero
Now that you have your alert template and channel created, you will want to identify the triggers to alert on. Some common examples are:
]]>Integrating runZero with Sumo Logic
Setting up the connection between Sumo Logic and runZero has three options with different configuration steps.
Option A: Local script
Option B: AWS Lambda function
]]>Requirements
- A Sumo Logic account
- A runZero account and API key.
runZero integrates with Splunk using a dedicated Splunk Addon, compatible with Splunk 7, Splunk 8, and Splunk Cloud. With this add-on, you’ll be able to pull new or updated hosts into a Splunk index, where you’ll be able to analyze, visualize, and monitor them there.
This add-on uses the Splunk API from the runZero Network Discovery platform. It supports syncing assets into Splunk, with multiple inputs supported, global API key management, and optional search filters for each input. For example, you can track new assets as one input, and SMBv1 enabled assets as another input.
]]>The Service Graph connector for runZero allows you to bring runZero assets into your ServiceNow CMDB as CIs, and optionally periodically update the CIs with fresh information from runZero scans.
The Service Graph Connector fetches and transforms data using ServiceNow IntegrationHub ETL, and passes it through the Identification and Reconciliation Engine (IRE). This allows specific fields and CI class mappings to be fine-tuned from the ServiceNow console. You can also specify a runZero search query to determine which assets get brought in by the connector.
]]>Requirements
- Configuring the SecurityGate.io integration requires a runZero API key.
The SecurityGate.io integration will pull runZero asset data from across all organizations.
Integrate runZero with SecurityGate.io
- Sign in to your SecurityGate.io console.
- Go to My Account under the Hello dropdown menu.
- Click on Integration Manager.
- Select Add New Integration.
- Choose Rumble from the Integration Partner dropdown menu.
- Provide the Account API Key, Server URL, and API Version.
- Click Test Connection. If the test is successful, click OK to save the configuration.
Viewing runZero data in SecurityGate.io
After the integration is enabled within SecurityGate.io, runZero data will be available through the Asset Inventory page.
]]>Requirements
- A Panther account with the required permissions,
- An AWS S3 bucket, and
- Exported .jsonl files from runZero that have been uploaded into your AWS S3 bucket.
Step 1: Adding a custom schema
- Go to Configure > Schemas and select Create New.
- Add a name.
- Upload a sample log to automatically parse the runZero output schema.
Step 2: Adding a custom log source
- Go to Configure > Log Sources and select Create New.
- Complete the Basic Information section.
- Opt to configure S3 prefixes and schemas now and select the custom schema you created.
- Configure the IAM role:
- Opt to configure Using the AWS Console UI.
- Click Launch Console UI.
- Review the stack in AWS, then check the box to approve, and click to deploy the stack.
- When the deployment completes, navigate to the Resources tab and select the LogProcessingRole that was created.
- Copy the ARN from that role into the field on the Panther console.
- Configure an alarm if logs are not processed (optional).
Once completed, any .jsonl files added to the specified AWS S3 bucket will be automatically ingested and processed by Panther.
]]>Follow these steps to perform a basic import.
Step 1: Export runZero asset data
You can export data using the Export button from the runZero inventory or the Export API.
The following are sample commands for the export API that include common export fields but omit the tags field. You must replace the token ETxxx... with your account’s export token from the Inventory export API page.
In addition to being able to enrich your runZero inventory with data from your other IT and security tools, the runZero platform offers egress integrations with several platforms. By leveraging product APIs and export/import functionality, runZero can provide additional asset context in other IT and security tools.
The following integrations are available to send your runZero data into other platforms:
IT service management
Detection and investigation
Vulnerabilities and risk
]]>runZero integrates with Wiz by importing data from the Wiz API. This integration allows you to sync data about your cloud assets, software, and vulnerabilities from Wiz to provide better visibility of your cloud assets and security posture.
Getting started with Wiz
To set up an integration with Wiz, you’ll need to:
- Create a Service Account in Wiz with permissions to read graph resources, read reports, and create reports.
- Configure the Wiz credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Requirements
Before you can set up the Wiz integration:
]]>runZero Platform supports synchronization of VMware vCenter and ESXi virtual machine inventories.
Setting up VMware credentials
Unlike other APIs, the VMware synchronization process is configured as part of your regular runZero Explorer scans. The first step is to set up a set of VMware credentials.
On the Scanning with credentials page, click Add Credential and choose a credential type of VMware vCenter/ESXi Username and Password, and enter the appropriate username and password. The correct username syntax in most cases is user@domain.com. The VMware account used requires at least read-only access.
runZero integrates with Tenable Security Center (previously Tenable.sc) by importing data from the Tenable Security Center API.
Getting started with Tenable Security Center
To set up an integration with Tenable Security Center, you’ll need to:
- Create an API key for a user that has access to view and query vulnerabilities in Tenable Security Center.
- Configure the Tenable Security Center credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Requirements
Before you can set up the Tenable Security Center integration:
]]>runZero integrates with Tenable Nessus using two methods. For all versions of Nessus, runZero can import Nessus files (.nessus) that were exported from your Nessus instance. Exports from Tenable Security Center are also supported. For Nessus Professional users, the runZero integration can pull scan data from the Nessus Professional API.
Getting started with Tenable Nessus
To use the Tenable Nessus integration, you’ll need to:
- Export vulnerability scan results as Nessus files.
- Import the Nessus files through the inventory pages.
Requirements
Before you can set up the Nessus integration:
]]>runZero integrates with Nessus Professional by importing data from the Tenable API.
Getting started with Nessus Professional
To set up an integration with Nessus Professional, you’ll need to:
- Create an Administrator API key in an access group with Can View permission to Manage Assets.
- Configure the Nessus Professional credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Requirements
Before you can set up the Nessus Professional integration:
]]>runZero integrates with Tenable Vulnerability Management (previously Tenable.io) by importing data from the Tenable API.
Getting started with Tenable Vulnerability Management
To set up an integration with Tenable Vulnerability Management, you’ll need to:
- Create an Administrator API key in an access group with
Can Viewpermission toManage Assets. Optionally, this must have the Scan Manager role in order to retrieve agent health data. - Configure the Tenable Vulnerability Management credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Requirements
Before you can set up the Tenable Vulnerability Management integration:
]]>runZero integrates with Tenable Vulnerability Management (previously Tenable.io), Tenable Nessus, and Tenable Security Center to enrich your asset inventory and gain visibility into vulnerabilities detected in your environment. The Tenable Vulnerability Management, Nessus Professional, and Tenable Security Center integrations pull data from the Tenable API, while all versions of Tenable Nessus and Tenable Security Center (previously Tenable.sc) are also supported through Nessus v2 file imports (.nessus).
Note that at this time, only the main Tenable Vulnerability Management cloud API endpoint at https://cloud.tenable.com is supported as an API integration.
runZero integrates with Tanium by importing data from the Tanium Gateway API. This integration allows you to sync data about your endpoints, applications, and vulnerabilities from Tanium to provide better visibility over your network.
Getting started with Tanium
To set up an integration with Tanium, you’ll need to:
- Generate an API token with the necessary permissions.
- Configure the Tanium credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Step 1: Generate an API key in Tanium Dashboard
- Sign in to Tanium and navigate to Administration > Roles.
- Create a role with the necessary permissions:
- Search for the Gateway User role.
- Select it and click the Clone button that appears to create a copy of this role.
- On the Clone Role screen, enable Platform Content Permissions > Sensor > Read and add these Content Sets (via the n+ button beside the green check):
- Base
- Comply
- Comply Reporting
- Core AD Query Content
- Core Content
- Reserved
- Tanium Data Service
- Save the role.
- Navigate to Administration > Personas and click New Persona to create a persona using the role you just created:
- Name the persona.
- Under Manage Roles, search for and apply your new role.
- Under Computer Groups, add the groups you need, or check Unrestricted Management Rights to allow access to all Computer Groups.
- Assign a user or service account which has the permissions granted to the persona.
- Save the persona.
- Navigate to Administration > API Tokens and click New API Token.
- Enter a name and select a TTL.
- Select the persona you just created from the dropdown (you may need to refresh the page for it to appear).
- Enter IP addresses to allow requests from:
- If you will run the integration via an Explorer or CLI, enter the IP addresses or ranges of your host(s);
- Otherwise, enter
0.0.0.0/0.
- Save the API token.
Step 2: Add the Tanium API token to runZero
- Go to the Credentials page in runZero.
- Choose Tanium API Token from the list of credential types.
- Provide a name for the credential, like
Tanium. - Provide the following information:
- Tanium API URL - Your Tanium API Gateway URL. The full URL will be something like
https://<customername>-api.cloud.tanium.com/plugin/products/gateway/graphql. If the path (/plugin/products/gateway/graphql) is omitted, it will be added automatically when the API is called. - Tanium API token - The API token (including the
token-prefix) created in step 1. - Insecure - Enable this option to approve authenticating with untrusted endpoints. When enabled, certificate validation is disabled. Use with caution.
- Tanium API URL - Your Tanium API Gateway URL. The full URL will be something like
- If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
- Verify and save the credential.
You’re now ready to set up and activate the connection to bring in data from Tanium.
]]>runZero integrates with Shodan by importing data from the Shodan API. This integration allows you to sync data about your externally-facing assets and services from Shodan to provide better visibility of your internet footprint and cyber hygiene.
Getting started
To set up the Shodan integration, you’ll need to:
- Add the Shodan API key in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the Shodan integration to sync your data with runZero.
Requirements
Before you can set up the Shodan integration:
]]>runZero integrates with SentinelOne by importing data from the SentinelOne API. This integration allows you to sync and enrich your asset inventory, import software installed on assets, and import vulnerabilities affecting the installed software. Adding your SentinelOne data to runZero makes it easier to find things like endpoints that are missing required software or identify vulnerable endpoints.
Any IP address reported by SentinelOne will be treated as a secondary address, not a primary address, since these IPs can be stale and may not be associated with a specific network or site.
Getting started
To set up the SentinelOne integration, you’ll need to:
]]>runZero integrates with Rapid7 Nexpose by importing files that were exported from your Nexpose instance.
Getting started with Rapid7 Nexpose
To use the Rapid7 Nexpose integration, you’ll need to:
- Download an XML Export or XML Export 2.0 report from Nexpose.
- Import the Nexpose files through the inventory pages.
Requirements
Before you can set up the Nexpose integration:
- Make sure you have access to the Nexpose portal.
Step 1: Export Nexpose vulnerability scan report
- Sign in to Nexpose with the account being used for the runZero integration.
- Go to the Reports page and select Create a report.
- From the Export tab, select either XML Report or XML Report 2.0.
- Set the scan, asset, asset group, or site scope.
- Click Save & Run the Report.
- When the report completes, save the report to a local file.
Step 2: Import the Nexpose files into runZero
- Go to the Inventory page in runZero.
- Choose Import > Nexpose XML Export (.xml) from the list of import types.
- On the import data page:
- Choose the site you want to add your assets to.
- Set tags to apply to the imported assets (optional).
- Set the severity and risk levels to ingest (optional).
- Set the Fingerprint only toggle to Yes if you want vulnerability records to be ingested for fingerprint analysis but not stored in your runZero vulnerability inventory (optional).
Step 3: View Nexpose assets and vulnerabilities
After a successful sync, you can go to your inventory to view your Nexpose assets. These assets will have a Rapid7 icon listed in the Source column.
]]>runZero integrates with Rapid7 InsightVM by importing data from the InsightVM API.
Both Rapid7 InsightVM Cloud and on-premises InsightVM are supported. For on-premises use you will need to use the InsightVM connector as a scan probe from a runZero Explorer which has network access to the InsightVM deployment.
The Insight Platform API is distinct from the InsightVM API, and is not supported.
Getting started with InsightVM
To set up the InsightVM integration, you’ll need to:
]]>runZero integrates with Rapid7’s InsightVM and Nexpose to enrich your asset inventory and gain visibility into vulnerabilities detected in your environment.
Asset inventory
There is a column on the asset inventory page showing the count of vulnerabilities detected by Rapid7 for each asset. When a single asset is selected, the vulnerabilities table lists all the results related to that asset. The vulnerability count can be impacted by the type of vulnerability scan as well as the import settings selected.
]]>runZero integrates with Palo Alto Prisma Cloud by importing data from the Prisma API. This integration allows you to sync data about your cloud assets and vulnerabilities from Prisma to provide better visibility of your cloud assets and security posture. The supported Prisma cloud sources are AWS, Azure, and GCP.
Getting started with Prisma
To set up an integration with Prisma, you’ll need to:
- Create a Palo Alto Prisma Cloud credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Step 1: Obtain your Prisma API credentials
- Follow the Prisma documentation to create a Prisma cloud user role with sufficient permissions. See user role descriptions for more information.
- Obtain your Prisma Cloud API access key and secret key. These will be used to authenticate against the Prisma Cloud API. Follow the Prisma documentation to configure them properly.
- Identify your API URL. This will be sent to you from Palo Alto in your fulfillment email. See possible URL values.
Step 2: Add the Prisma credential to runZero
- Go to the Credentials page in runZero. Provide a name for the credentials, like
Palo Alto Networks Prisma Cloud. - Choose Prisma Client Secret from the list of credential types.
- Create your Prisma service account via the settings page in the Prisma portal, and then provide the following information:
- Prisma Cloud Access Key - The access key you obtained from the steps above.
- Prisma Cloud Secret Key - The secret key you obtained from the steps above.
- Prisma API URL - The API Endpoint URL used to access the Prisma API.
- If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
- Save the credential.
You’re now ready to set up and activate the connection to bring in data from Prisma Cloud.
]]>runZero integrates with Palo Alto Networks Firewall using the PAN-OS XML API to provide additional network visibility, enhance network context, and improve reporting.
Getting started
To set up the Palo Alto Networks Firewall integration, you’ll need to:
- Create or obtain API Keys to use with the Palo Alto Networks Firewall XML API.
- Add the Palo Alto Networks Firewall API key in runZero.
- Perform Palo Alto Networks Firewall synchronization
Requirements
- Before you can set up the Palo Alto Networks Firewall integration, make sure you have an API Key for your PAN OS XML.
- Prior to adding a Palo Alto Networks Firewall credential, scan your Palo Alto Networks Firewall with a runZero Explorer if you want to use trusted authentication (optional).
Step 1: Add the Palo Alto Networks Firewall credential to runZero
- Go to the Add credential page in runZero. Provide a name for the credentials, like PAN-OS Firewall.
- Choose Palo Alto Networks Firewall API Key from the list of credential types.
- Provide the following information:
- Palo Alto Networks API key - The API key you want to use with the Palo Alto Networks Firewall integration. Ensure the XML API is enabled by following the steps in this guide: https://docs.paloaltonetworks.com/ngfw/api/api-authentication-and-security/pan-os-api-authentication. Once the XML API is enabled, you can generate the API key by following the steps in this guide: https://docs.paloaltonetworks.com/ngfw/api/api-authentication-and-security/generate-api-key
- Palo Alto Networks insecure - Set this to
Yesif you want to attempt authentication without a verified thumbprint. - Palo Alto Networks thumbprints (optional) - A set of
IP[:port]=SHA256:B64HASHorhostname.domain.tld=SHA256:B64HASHpairs to trust for authentication.- You will need to scan your Palo Alto Networks firewalls with runZero in order to obtain the TLS thumbprint. The PAN API thumbprints service attribute report lists all previously seen thumbprints.
- CIDR allow list - Set which IP addresses this API Key will be sent to in the CIDR allow list.
- If you want all other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
- Save the credential.
You’re now ready to set up and activate the connection to bring in data from Palo Alto Networks Firewall.
]]>runZero integrates with Qualys VMDR by importing data from the Qualys KnowledgeBase API.
Asset inventory
There is a column on the asset inventory page showing the count of vulnerabilities detected by Qualys for each asset. When a single asset is selected, the vulnerabilities table lists all the results related to that asset. The vulnerability count can be impacted by the type of vulnerability scan as well as the import settings selected.
]]>runZero integrates with NetBox configuration management database (CMDB) using the NetBox REST API to enrich your asset inventory.
NetBox limitations
runZero explicitly supports NetBox version 4. Older versions (3.x) may be compatible, but are not specifically tested or supported.
Since NetBox data entry is free-form, the runZero integration may not be a good fit for your organization, and we strongly recommend testing this integration in a Project first before configuring it for a production Organization.
]]>runZero integrates with Miradore mobile device management (MDM) to deliver greater visibility into your mobile assets. This integration imports data from the Miradore API to enrich your asset inventory. Syncing with Miradore allows you to view information about device hardware, OS version, associated user, and more. This integration imports all enrolled devices.
Getting started
To set up the Miradore integration, you’ll need to:
- Sign in to your Miradore web portal and create a new API key.
- Add the Miradore credential to runZero, which includes the endpoint hostname and API key.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the Miradore integration to sync your data with runZero.
Requirements
Before you can set up the Miradore integration:
]]>runZero integrates with Microsoft Intune to allow you to sync and enrich your asset inventory. Adding your Microsoft Intune data to runZero makes it easier to find unmanaged assets on your network. Data added includes the discovered apps from Intune. Managed apps (those pushed to devices by Intune) are not currently reported.
Getting started
To set up the Microsoft Intune integration, you’ll need to:
-
Configure Microsoft Intune to allow API access from runZero.
]]>
runZero integrates with Microsoft Entra ID (formerly Azure AD) to allow you to sync and enrich your asset inventory, as well as gain visibility into Entra ID users and groups. Adding your Entra ID data to runZero makes it easier to find assets that are not part of your domain.
Note that Entra ID is still referred to as Azure AD within the runZero product.
Getting started
To set up the Entra ID integration, you’ll need to:
]]>runZero integrates with Microsoft Endpoint Configuration Manager (MECM), formerly System Center Configuration Manager (SCCM), by importing data from the MECM MSSQL database. This integration allows you to sync data about your devices from MECM, making it easier to find unmanaged devices in your network.
Getting started with MECM
To set up an integration with MECM, you’ll need to:
- Identify or create a database user with read access to the MECM database.
- Configure the MECM credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Step 1: Identify or create a database user for access to MECM
- Identify an existing database user with read access to the database.
- Alternatively, create a dedicated read-only database user for this integration. More details on creating a new database user can be found in Microsoft’s documentation - Create a database user.
Step 2: Add the MECM database connection string to runZero
- Go to the Credentials page in runZero.
- Choose MECM Database Connection String from the list of credential types.
- Provide a name for the credential, like
MECM. - Provide the database connection string, using one of the following formats:
Server=host,port;Database=database-name;User Id=user-id;Password=password;
When using this format, the values should not contain a semicolon (;). You can use single or double quotes to escape any special characters.sqlserver://username:password@host/instance?database=value¶m=value
- If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
- Save the credential.
You’re now ready to set up and activate the connection to bring in data from MECM.
]]>runZero integrates with Microsoft Azure to deliver greater visibility into your cloud assets. This integration imports data through each applicable API to enrich your asset inventory:
Syncing with Azure allows you to view information about your asset’s OS profile, storage profile, and more. This integration imports assets that are in a running state.
]]>runZero integrates with Microsoft Active Directory (AD) via LDAP to allow you to sync and enrich your asset inventory, as well as gain visibility into domain users and groups. Adding your AD data to runZero makes it easier to find assets that are not part of your domain.
Getting started
To set up the Active Directory integration, you’ll need to:
- Add the AD credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the Active Directory integration to sync your data with runZero.
Requirements
Before you can set up the LDAP integration, make sure you have credentials for an LDAP account.
]]>runZero integrates with Microsoft 365 Defender to allow you to sync and enrich your asset, software, and vulnerability inventory. Adding your Microsoft 365 Defender data to runZero makes it easier to find assets missing EDR protection.
Getting started
To set up the Microsoft 365 Defender integration, you’ll need to:
- Configure Microsoft 365 Defender to allow API access through runZero.
- Add the Microsoft 365 Defender credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the Microsoft 365 Defender integration to sync your data with runZero.
Requirements
Before you can set up the Microsoft 365 Defender integration:
]]>runZero integrates with Google Workspace to allow you to sync and enrich your asset inventory, as well as gain visibility into users and groups. Adding your Google Workspace data to runZero makes it easier to find unmanaged assets on your network. The Google Workspace integration supports ChromeOS, Mobile, and Endpoint registered asset types.
Requirements
- Verify or create a new Google service account in whichever project is most suitable.
- Create and download a key for the Google service account. Save this JSON file.
- Verify that you have the
Admin SDKandCloud IdentityAPIs enabled for the project. Use the search box in the API Library to find each API and then enable it. - Enable domain-wide delegation in the Google Workspace console
- Add a new API client using the unique numeric ID of service account as the Client ID
- Enable the following OAuth scopes for this API client:
https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.device.mobile.readonly, https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly, https://www.googleapis.com/auth/cloud-identity.devices.readonly - Optionally, enter each OAuth scope individually:
https://www.googleapis.com/auth/admin.directory.user.readonlyhttps://www.googleapis.com/auth/admin.directory.group.readonlyhttps://www.googleapis.com/auth/admin.directory.device.mobile.readonlyhttps://www.googleapis.com/auth/admin.directory.device.chromeos.readonlyhttps://www.googleapis.com/auth/cloud-identity.devices.readonly
How to set up the Google Workspace integration
These are the high-level steps to set up the Google Cloud Platform integration:
]]>The Google Cloud Platform (GCP) integration provides visibility into your cloud assets by synchronizing your GCP cloud inventories with runZero. runZero also integrates with other cloud providers, such as Microsoft Azure and Amazon AWS. Similarly to other integrations, you will need to add the Scanning with credentials needed to authenticate to GCP and set up a connector in runZero. runZero will pull in GCP compute instance VMs, pulling in GCP attributes that will be viewable from each asset.
]]>runZero integrates with Dragos to help expand your OT visibility by importing assets and vulnerabilities from the Dragos API.
Getting started with Dragos
To set up an integration with Dragos, you’ll need to:
- Generate a Dragos API ID and API Secret with the following privileges:
- asset:read
- detection:read
- vulnerability:read
- Configure the Dragos credential in runZero.
- Activate the integration to pull your data into runZero.
Step 1: Generate a Dragos API ID and API Secret
- Log into the Dragos console and navigate to Admin, then navigate to Users. Under the user, click the Add New API Key button.
- When the Generate New API Key box appears, name your API ID and API Secret, then click Generate Key.
- Copy the ID and Secret for later.
Step 2: Add the Dragos API ID and API Secret to runZero
- Go to the Credentials page in runZero.
- Choose Dragos API ID & Secret from the list of credential types.
- Provide a name for the credential, like
Dragos. - Provide the following information:
- Dragos API ID - Your Dragos API ID from Step 1.
- Dragos API Secret - Your Dragos API Secret from Step 1.
- Dragos API URL - The URL to your Dragos instance, without any trailing slashes. For example,
https://my.instance.dragos.cloud. - Insecure - Enable this option to approve authenticating with untrusted endpoints. When enabled, certificate validation is disabled. Use with caution.
- If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
- Verify and save the credential. Note that if the URL provided is an internal IP address, verification is unsupported, but the credential can be saved and the integration will still be usable when run on an Explorer.
You’re now ready to set up and activate the connection to bring in data from Dragos.
]]>This document provides sample usage for common runZero Starlark libraries used in custom integration scripts.
requests
load('requests', 'Session', 'Cookie')
load('json', json_decode='decode')
def requests_example():
session = Session()
session.headers.set('Accept', 'application/json')
session.headers.set('User-Agent', 'Mozilla/5.0')
session.headers.set('User-Agent', None) # remove header
url = 'https://hacker-news.firebaseio.com/v0/topstories.json'
session.cookies.set(url, {"test_cookie": "cookie_value"})
response = session.get(url)
if response and response.status_code == 200:
data = json_decode(response.body)
print("Top story IDs:", data[:5])
else:
print("Failed to fetch stories")
http
load('http', http_post='post', http_get='get', 'url_encode')
def fetch_example():
url = "https://hacker-news.firebaseio.com/v0/topstories.json"
headers = {"Accept": "application/json"}
response = http_get(url, headers=headers)
if response and response.status_code == 200:
print("Top stories retrieved successfully.")
else:
print("Request failed with status:", response.status_code)
net
load('net', 'ip_address')
def parse_ip_list():
ips = ["192.168.1.1", "2607:f8b0:4005:805::200e"]
for ip in ips:
addr = ip_address(ip)
print("IP:", addr, "Version:", addr.version)
json
load('json', json_encode='encode', json_decode='decode')
def test_json_handling():
data = {"name": "runZero", "features": ["scan", "API", "integrations"]}
encoded = json_encode(data)
print("Encoded JSON:", encoded)
decoded = json_decode(encoded)
print("Decoded:", decoded["name"])
time
load('time', 'parse_time')
def parse_example_time():
time_str = "2025-05-01T15:00:00Z"
parsed = parse_time(time_str)
print("Parsed time:", parsed)
# Emit Unix epoch time in seconds for use in certain time fields
epoch = parsed.unix
print("Epoch time:", epoch)
uuid
load('uuid', 'new_uuid')
def create_unique_id():
uid = new_uuid()
print("Generated UUID:", uid)
gzip
load('gzip', gzip_decompress='decompress', gzip_compress='compress')
def gzip_example():
original = "Hello, runZero!".encode("utf-8")
# Compress the data
compressed = gzip_compress(original)
print("Compressed length:", len(compressed))
# Decompress it back
decompressed = gzip_decompress(compressed)
print("Decompressed value:", decompressed.decode("utf-8"))
base64
load('base64', base64_encode='encode', base64_decode='decode')
def b64_example():
username = "xxx"
password = "yyy"
enc = base64_encode(username + ":" + password)
dec = base64_decode(enc)
return (enc, dec)
crypto
load('crypto', 'sha256', 'sha512', 'sha1', 'md5')
def main(*args, **kwargs):
access_key = kwargs['access_key']
access_secret = kwargs['access_secret']
input = "test"
sha256_hash = sha256(input)
if str(sha256_hash) != '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08':
print("sha256_hash [fail]: {}".format(sha256_hash))
else:
print("sha256_hash [pass]: {}".format(sha256_hash))
sha512_hash = sha512(input)
if str(sha512_hash) != 'ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff':
print("sha512_hash [fail]: {}".format(sha512_hash))
else:
print("sha512_hash [pass]: {}".format(sha512_hash))
sha1_hash = sha1(input)
if str(sha1_hash) != 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3':
print("sha1_hash [fail]: {}".format(sha1_hash))
else:
print("sha1_hash [pass]: {}".format(sha1_hash))
md5_hash = md5(input)
if str(md5_hash) != '098f6bcd4621d373cade4e832627b4f6':
print("md5_hash [fail]: {}".format(md5_hash))
else:
print("md5_hash [pass]: {}".format(md5_hash))
return True
flatten (json)
load('flatten_json', 'flatten')
def main(*args, **kwargs):
nested_json = {"foo": "bar", "a": {"b": "c"}}
flattened_json = flatten(nested_json)
return True
To set up the custom integration script, you will need to:
- Write the script.
- Optionally add credentials.
- Create an integration task.
Step 1: Write integration script
The script can be written in Starlark, a Python-like language with some notable differences:
- There is no exception handling (
try/catch) - There is no f-string
f'{var}'formatting -"{}".format(var)is the supported method of string interpolation.
Step 1a: Entrypoint
The script needs an entrypoint, a function that gets called by the runZero service and returns the Inventory Assets discovered by the script.
]]>runZero integrates with CrowdStrike by importing data through the CrowdStrike Falcon API. This integration allows you to sync and enrich your asset inventory, as well as ingesting vulnerability data from Falcon Spotlight and software data from Falcon Discover. Adding your CrowdStrike data to runZero makes it easier to find things like endpoints that are missing an EDR agent.
Getting started
To set up the CrowdStrike integration, you’ll need to:
- Configure CrowdStrike to allow API access through runZero.
- Add the CrowdStrike credentials, which will include the client ID and client secret, and CrowdStrike base API URL in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the CrowdStrike integration to sync your data with runZero.
Requirements
Before you can set up the CrowdStrike integration:
]]>runZero integrates with Cisco Meraki Dashboard by importing data from the Cisco Meraki Dashboard API. This integration allows you to sync data about your devices and network clients from Meraki to provide better visibility of your network.
Getting started with Meraki
To set up an integration with Meraki, you’ll need to:
- Generate an API key for your Cisco Meraki Dashboard administrator account.
- Configure the Meraki credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Requirements
Before you can set up the Meraki integration:
]]>runZero supports importing assets from the Censys Search API and the Censys Internet Dataset.
- Importing assets from the Censys Search API
- Importing assets from the Censys Universal Internet Dataset
Censys Search API
To get started with the Censys Search API, you will need to register for a Censys Search account. Once you have done so, you can find your API credentials in the My Account section.
In runZero, go to the Credentials page, and click Add Credential. Select Censys Search API Key as the credential type, and enter your API ID and API secret.
]]>As part of a discovery scan, runZero will automatically enrich scanned assets with data from the AWS EC2 API when available. runZero assets will be updated with internal IP addresses, external IP addresses, hostnames, MAC addresses, and tags, along with other EC2-specific attributes, such as the account ID and instance type.
No additional configuration is needed in runZero to get this data enrichment. However, you may need to modify the permissions associated with the instance’s IAM role.
]]>runZero integrates with Amazon Web Services (AWS) to provide better visibility across your cloud environment. This integration imports data from each applicable API to add detailed information to your asset inventory:
Syncing with AWS allows you to quickly identify the number of EC2 instances, elastic load balancers, relational database services, FSx file systems, and VPCs you have running, as well as their region, account, and more.
]]>The runZero platform offers integrations with several sources of asset data, allowing users to enrich their asset inventory and identify assets and subnets that are not effectively managed or protected. By leveraging product APIs and export/import functionality, runZero can pull data from many IT and security tools to extend visibility across your organization’s network.
Supported integrations
Cloud and virtualization
Endpoint protection
- CrowdStrike Falcon
- Microsoft 365 Defender
- Microsoft Intune
- Miradore MDM
- SentinelOne
- Tanium API Gateway
Endpoint management
Asset and identity management
- Google Workspace
- Microsoft Active Directory
- Microsoft Entra ID (formerly Azure AD)
Vulnerabilities and risk
Network management
Custom integrations
]]>Yes. IoT and OT equipment is often sensitive to high packet rates or malformed traffic, and past experiences with aggressive scanners have led many teams to put a “don’t scan” rule in place for these networks. runZero was purpose-built to operate safely in these environments, so most organizations can confidently include their IoT and OT assets in their active inventory.
runZero discovers assets using a lightweight active scan engine called the Explorer. The Explorer can be deployed almost anywhere on your network — no SPAN or TAP ports to configure, and no agents to install on individual devices. Because discovery is performed actively from a single point on the network, you don’t have to modify the environment you’re trying to inventory.
]]>What TCP ports does runZero scan?
runZero scans the following TCP ports by default:
7 13 17 21 22 23 25 37 53 80 88 102 110 111 113 135 137 139 143 179 264 389 427 443 444 445 464 465 502 512 513 514 515 523 535 541 554 587 593 631 636 749 750 789 873 902 992 993 995 1080 1081 1099 1153 1200 1217 1433 1434 1494 1502 1521 1522 1525 1718 1720 1723 1883 1911 1935 1962 2000 2049 2121 2181 2222 2323 2375 2376 2379 2404 2443 2455 2483 2484 2525 2598 2775 2888 2947 3000 3023 3050 3080 3260 3268 3269 3306 3389 3390 3690 3868 3888 3999 4000 4001 4190 4222 4369 4545 4567 4712 4786 4840 4843 4911 4949 5000 5005 5006 5007 5037 5060 5061 5094 5222 5223 5269 5353 5355 5432 5433 5555 5666 5671 5672 5800 5900 5901 5902 5903 5930 5938 5984 5985 5986 6000 6001 6002 6003 6004 6005 6006 6007 6008 6009 6010 6011 6012 6013 6014 6015 6106 6222 6333 6334 6379 6432 6443 6481 6514 6556 6568 6650 6651 6667 6668 6669 6697 7000 7001 7070 7473 7474 7519 7676 7687 7734 7878 8000 8001 8002 8003 8004 8080 8081 8082 8086 8098 8161 8181 8193 8200 8222 8291 8443 8453 8500 8554 8728 8787 8788 8883 8888 8889 8983 9000 9001 9042 9050 9080 9090 9092 9093 9094 9100 9101 9102 9150 9160 9200 9418 9443 9595 9999 10000 10001 10050 10051 11211 11222 11740 13400 16379 18000 18245 19000 19530 20000 20256 20547 22222 25565 26379 27017 27018 27019 28017 33060 44818 48050 48898 50000 50001 54921 54922 54923 60000 61616 61617 62078
]]>328 of 328 protocols
Loading protocols…
acop — Atlas Copco Open ProtocolAtlas Copco Open Protocol is a tightening-controller protocol used by Power Focus and Power MACS controllers on manufacturing assembly lines. Negotiates the protocol revision and queries controller identity, returning the supplier code, controller name, controller serial and software version, tool software version, and cell and channel identifiers.
Port: 4545
acpp — Apple AirPort Configuration ProtocolApple AirPort Configuration Protocol is the management protocol used by AirPort Utility to provision Apple AirPort base stations and Time Capsules. Connects to the ACPP listener and records the raw banner returned by the device.
activemq — Apache ActiveMQ OpenWireApache ActiveMQ OpenWire is the native binary wire protocol used by JMS clients to talk to ActiveMQ message brokers. Performs an OpenWire handshake and returns the broker version, host JVM and OS, and negotiated wire-format options.
Ports: 8161, 61616, 61617
adb — Android Debug BridgeAndroid Debug Bridge is a developer protocol used to debug, install, and control Android devices over the network (typically on rooted phones, TVs, and IoT devices). Probes for an open ADB endpoint and returns the device's access state and ADB banner.
Ports: 5037, 5555
ads — Beckhoff ADS/AMSBeckhoff ADS/AMS is the Automation Device Specification / Automation Message Specification protocol used to communicate with TwinCAT runtimes on Beckhoff PLCs and industrial PCs. Issues a ReadDeviceInfo request and returns the device name, AMS NetID, and TwinCAT runtime version.
Port: 48898
airplay — Apple AirPlayAirPlay is Apple's wireless streaming protocol used by iOS, macOS, and Apple TV devices to mirror displays and stream audio/video. Detected from the _airplay._tcp and _raop._tcp mDNS records and HTTP banners advertised by AirPlay receivers.
ajp — Apache JServ Protocol (AJP)Apache JServ Protocol (AJP) is a binary protocol used by reverse-proxy front-ends (Apache httpd mod_proxy_ajp, nginx, IIS) to bridge HTTP requests to a back-end Tomcat or JBoss application server, typically on TCP/8009. runZero attributes services as AJP from external integration data (Shodan) and from banner / port hints; no active AJP probe is sent.
amqp — AMQP 0-9-1AMQP 0-9-1 is the Advanced Message Queuing Protocol used by RabbitMQ and other brokers for message-oriented middleware. Exchanges the protocol-header preamble and returns the negotiated AMQP version, broker product and version, runtime platform, cluster name, advertised SASL mechanisms, and TLS requirement.
Ports: 5671, 5672
anydeskAnyDesk is a proprietary TLS-wrapped remote-desktop protocol used by the AnyDesk client and host software on Windows, macOS, Linux, Android, and iOS endpoints. Performs a TLS handshake on the AnyDesk listener and inspects the peer certificate to fingerprint the service, returning the certificate subject, issuer, and a self-signed flag.
Ports: 6568, 7070
ard — Apple Remote DesktopApple Remote Desktop is a discovery protocol used by macOS systems to advertise themselves to Apple Remote Desktop administrators on UDP/3283. runZero sends the ARD discovery request, validates the response type, and returns the advertised hostname and Apple machine model from the reply.
Port: 3283
arp — Address Resolution ProtocolAddress Resolution Protocol is a Layer-2 protocol used to resolve IPv4 addresses to Ethernet MAC addresses on the local broadcast segment. runZero sends ARP requests for each target on the local network to discover live hosts, captures the MAC address from each reply for asset attribution and OUI-based vendor identification, and passively records ARP traffic observed during the scan.
atg — Automatic Tank GaugeAutomatic Tank Gauge is a Veeder-Root serial protocol tunneled over TCP (commonly port 10001) used by ATG consoles such as the TLS-3xx and TLS-4xx series found in fuel-station forecourts. Issues the I20100 in-tank inventory and I90200 system-revision commands and returns the station name, console software and module revisions, tank count, and per-tank product names.
Port: 10001
backupexec — Veritas Backup Exec AgentVeritas Backup Exec Agent is the host-side service used by the Backup Exec server to coordinate jobs with protected hosts. Identifies the agent from its TCP banner and tags the asset as Veritas Backup Exec.
Port: 6106
bacnet — BACnet/IPBACnet/IP is a building-automation protocol used for HVAC, lighting, access control, and other building systems. Issues Who-Is and ReadProperty requests and returns the device instance, vendor, model, firmware, and a summary of objects and routing devices behind the gateway.
Ports: 46808, 47808, 47809, 47810, 47811, 47812, 47813, 47814, 47815, 47816, 47817, 47818, 47819, 47820, 47821, 47822, 47823, 47824, 48808
banner — Generic TCP BannerGeneric TCP Banner is a fallback collector used when no protocol-specific matcher fires. Reads the first response bytes and returns the raw banner text for downstream fingerprinting.
bedrock — Minecraft BedrockMinecraft Bedrock is the game-server query and discovery protocol used by Minecraft Bedrock Edition clients. Sends an Unconnected Ping and returns the server uptime, GUID, and the raw advertisement payload (MOTD and version fields).
Port: 19132
bgp — Border Gateway ProtocolBorder Gateway Protocol is the inter-domain routing protocol used between autonomous systems on the Internet and inside large networks. Attempts an OPEN exchange and returns the BGP version, advertised AS number, BGP identifier, and supported capabilities.
Port: 179
bitdefender-app — Bitdefender EndpointBitdefender Endpoint is a proprietary check-in channel exposed by Bitdefender, NETGEAR Armor, and ThreatTrack mobile-security and VPN agents on Android and iOS endpoints. runZero passively matches the agent's JSON app_id payload from observed banners and reports the Bitdefender vendor along with the application identifier and software version of each detected product.
Port: 7519
bjnp — Canon BJNPCanon BJNP is a vendor-specific printing and scanning protocol used by Canon's network drivers. Sends a BJNP discovery probe and returns the device type (printer or scanner), MAC address, and IPv4/IPv6 address advertised in the reply.
Ports: 8611, 8612
brother — Brother Network DiscoveryBrother Network Discovery is a UDP-based broadcast protocol used by Brother printers and multi-function devices to announce themselves and respond to driver/management discovery probes. runZero parses the response to recover the printer model, firmware revision, and serial number.
brother-scanner — Brother Network DiscoveryBrother Network Discovery is the scanner protocol used by Brother network devices. Identifies the service from its +OK 200 / -NG 401 reply and tags the asset as a Brother scanner.
Ports: 54921, 54922, 54923
bsap-ip — Emerson BSAP/IPEmerson BSAP/IP is the Bristol Standard Asynchronous Protocol over IP used by Emerson ControlWave and Bristol RTUs in oil & gas SCADA. Queries node identification and, when enabled, walks the BSAP local-address hierarchy to enumerate child RTUs, returning RTU identity, firmware, and topology summaries.
Ports: 1234, 1235
c12.22 — ANSI C12.22ANSI C12.22 is the metering-network transport used by electric-utility advanced-metering-infrastructure head-ends and relays. Issues an EPSEM Identification request and returns the device serial number, ED class, and C12.22 standard version.
Port: 1153
c37118 — IEEE C37.118 SynchrophasorIEEE C37.118 Synchrophasor is the streaming protocol used by Phasor Measurement Units and Phasor Data Concentrators on the electric grid. Requests CFG-2 and header frames and returns PMU/PDC identification, station and channel naming, and reporting rate.
Port: 4712
cacti — Cacti Network Monitoring Web UICacti Network Monitoring Web UI is the open-source RRDtool-based network graphing and monitoring console deployed by network and IT operations teams. The HTTP extractor matches the Cacti login page title, parses the embedded versionInfo string, and returns the cacti.version attribute and Cacti software identification.
cassandra — Apache Cassandra CQLApache Cassandra CQL is the native client protocol used to query the Cassandra wide-column store. Performs a STARTUP/OPTIONS exchange and returns the cluster name, CQL version, and Cassandra release.
Ports: 9042, 9160
cdp — Cisco Discovery ProtocolCisco Discovery Protocol is a Layer-2 announcement protocol used by Cisco devices to advertise themselves to neighbors. Passively decodes CDP frames and returns the device ID, software version, platform, capabilities, native VLAN, and management addresses advertised by the neighbor.
cephCeph is a cluster-internal messenger protocol used by Ceph distributed storage daemons (mon, mgr, osd, mds) to communicate. runZero identifies Ceph services from the "ceph v" banner returned on connection and tags the asset as a Ceph storage node.
chargen — Character GeneratorCharacter Generator is a legacy diagnostic service (RFC 864) that emits a stream of printable characters. Records the response banner to confirm the service.
checkmk — Checkmk AgentCheckmk Agent is the host-side metric exporter used by the Checkmk server to collect host metrics. Reads the agent banner and returns the agent version, build date, host operating system, architecture, and configured hostname.
Port: 6556
chromecast — Google ChromecastChromecast is the Google Cast device discovery and control protocol used by Chromecast, Google TV, Google Nest Hub, and Cast-enabled speakers. Detected via the _googlecast._tcp mDNS record and the device's HTTP /setup/eureka_info endpoint, which exposes the device name, model, build, and timezone.
cip — Common Industrial ProtocolCommon Industrial Protocol is an industrial automation protocol used by Rockwell/Allen-Bradley and other vendors for PLC and I/O communication. Issues the List Identity and Get Attributes All requests and returns vendor, product code, revision, serial, product name, and device-type information for the controller and any backplane modules.
Port: 44818
cisco-phone — Cisco IP Phone Web InterfaceCisco IP Phone Web Interface is the embedded HTTP server exposed by Cisco SPA, 7900-series, 8800-series, and Unified IP Phones. runZero attributes services as cisco-phone from Recog banner matches and uses the response to recover the model, firmware version, MAC address, and call-manager configuration.
ciscosmi — Cisco Smart InstallCisco Smart Install is a zero-touch deployment protocol commonly abused for unauthenticated configuration access. Sends the Smart Install probe, tags the asset as Cisco IOS, and records the raw response payload.
Port: 4786
citrix — Citrix ICA BrowserCitrix ICA Browser is a UDP/1604 service used by Citrix XenApp and Virtual Apps and Desktops clients to locate published applications and server farms. runZero sends an ICA Browser request and parses the reply to return the server-farm name and the list of advertised published applications.
Port: 1604
citrixica — Citrix ICACitrix ICA is the remote-presentation protocol used to deliver published apps and desktops from Citrix Virtual Apps and Desktops. Detects the ICA banner signature on the listener, tags the asset as Citrix Virtual Apps, and records the response banner and a short hex prefix.
Ports: 1494, 2598
cldap — Connectionless LDAPConnectionless LDAP is a UDP-based directory protocol used to query directory servers without setting up a TCP connection. Issues a rootDSE search and returns the LDAP attributes parsed from the reply (vendor name and version, supported controls, extensions, capabilities, and SASL mechanisms).
Port: 389
click — Click Modular RouterClick Modular Router is the control socket exposed by hosts running the Click software router. Identifies the service from the Click::ControlSocket banner and tags the asset accordingly.
Port: 7734
coapCoAP is the Constrained Application Protocol (RFC 7252) used by constrained devices and IoT deployments for resource-oriented messaging. Issues a GET on /.well-known/core and returns the CoAP version, message type, response code, options, content format, and the resource list or payload from the reply.
Ports: 5683, 5684
cockpit — Cockpit Linux Web ConsoleCockpit Linux Web Console is the web-based Linux server-management console shipped with Red Hat, Fedora, CentOS Stream, and Debian, typically served over TLS on TCP/9090. The HTTP extractor matches the embedded environment JSON in the login page and returns the host name, OS pretty name, and OS variant identifiers.
codesys — CODESYS V3 RuntimeCODESYS V3 Runtime is the IEC 61131-3 controller runtime used by many OEMs (WAGO, Beckhoff, Schneider, Eaton, ...). Issues the runtime identification request and returns the runtime vendor, product, version, and target identification.
Ports: 1200, 1217, 2455, 11740
codesys2 — CODESYS V2 RuntimeCODESYS V2 Runtime is the older 3S CODESYS V2 controller runtime used by industrial controllers from many OEMs. Performs the V2 login probe and returns the runtime version and target identification.
Ports: 1200, 2455
cognex — Cognex In-SightCognex In-Sight is an operator-access service exposed by Cognex In-Sight industrial machine-vision cameras for configuration and monitoring on factory networks. runZero identifies In-Sight cameras from the proprietary banner returned on connection and tags the asset as a Cognex vision system.
common-socket-connection — Raritan Common Socket ConnectionRaritan Common Socket Connection is a proprietary management transport used by Raritan KVM-over-IP switches, Dominion serial consoles, and rack PDUs, typically on TCP/5000. runZero identifies CSC services from the Raritan banner returned on connection and tags the asset as a Raritan management device.
companion-link — Apple CompanionLinkApple CompanionLink is a discovery and pairing service used by Apple devices (iOS, macOS, tvOS, HomePod) to negotiate AirPlay, HomeKit, and Continuity sessions with paired peers, advertised via _companion-link._tcp on Bonjour. runZero attributes the service from the mDNS / port hint and reports the asset as Apple CompanionLink.
comtrol — Comtrol Device DiscoveryComtrol Device Discovery is the broadcast protocol used by Comtrol/Pepperl+Fuchs RocketLinx switches and DeviceMaster serial servers to advertise their presence on the network. runZero parses the response to recover the model name, hardware/firmware revision, MAC address, IP configuration, and serial number.
confluence — Atlassian ConfluenceAtlassian Confluence is a wiki and team-collaboration server available in Server, Data Center, and Cloud editions. The HTTP probe fetches Confluence login, dashboard, and version endpoints and returns the product name, edition, and build number.
consul — HashiCorp ConsulConsul is HashiCorp's service-mesh and key/value store. Detected on the Consul HTTP API (TCP/8500), where the /v1/status/leader and /v1/agent/self endpoints disclose the datacenter, node name, build version, and Raft leader of the cluster.
Port: 8500
couchdb — Apache CouchDBCouchDB is the Apache document-oriented database fronted by an HTTP/JSON API. Detected from the welcome document at /, which discloses the CouchDB version, vendor name, UUID, and -- on misconfigured deployments -- whether the admin party is enabled.
Port: 5984
crestron — Crestron DiscoveryCrestron Discovery is a vendor protocol used to locate Crestron control processors and AV equipment. Sends the discovery probe and returns the device hostname, model, and firmware version.
Port: 41794
crimsonv3 — Red Lion Crimson 3Red Lion Crimson 3 is a configuration and runtime protocol used to read data from Red Lion Graphite, DA-series, and other industrial HMIs and gateways. Reads the manufacturer (register 0x012b) and model (register 0x012a) registers and returns those strings.
Port: 789
crowd — Atlassian CrowdAtlassian Crowd is a centralized SSO and identity-management product. runZero attributes services as Crowd from Recog matches against the application's HTTP banners and login pages, recovering the product version and build information.
cspv4 — Allen-Bradley CSPv4 / PCCCAllen-Bradley CSPv4 / PCCC is a legacy controller protocol used by SLC 5/05 and MicroLogix PLCs for register access. Issues a PCCC identify request and returns the controller family, processor type, and series/revision string.
Port: 2222
cups — Common Unix Printing SystemCUPS is the Common Unix Printing System administrative web interface. runZero matches the CUPS HTTP banner and the IPP server header, returning the cupsd version and host operating system.
Port: 631
dahua-dhip — Dahua DHIPDahua DHIP is a proprietary discovery and management protocol used by Dahua and OEM-rebranded IP cameras and NVRs (Amcrest, Lorex, and similar). Sends the single-byte DHIP discovery probe and returns the device serial, machine name, vendor, firmware version, MAC, and IPv4/IPv6 configuration.
Port: 37810
daytimeDaytime is a legacy diagnostic service (RFC 867) that returns the current date and time. Records the response banner, parses the timestamp, and infers an OS hint from the format.
Port: 13
db2 — IBM Db2IBM Db2 is a relational database protocol used by Db2 LUW and Db2 for z/OS clients. Performs a DRDA EXCSAT/ACCSEC exchange and returns the server product identifier, version, and platform.
Ports: 523, 50000, 50001, 60000
dcerpc — DCE/RPC Endpoint MapperDCE/RPC Endpoint Mapper is the RPC locator used to enumerate RPC services on Windows hosts. Queries the endpoint mapper and returns a summary of registered RPC interfaces, their UUIDs, versions, and bindings.
Ports: 135, 593
dhcpDHCP is the Dynamic Host Configuration Protocol used to lease IPv4 addresses and network configuration. Sends a DHCPDISCOVER and returns the offered server identifier, lease parameters, and any vendor-class identification revealed by the response.
Ports: 67, 68
diameter — Diameter (TCP)Diameter (TCP) is an authentication, authorization, and accounting protocol over TCP; the successor to RADIUS, widely used in mobile-core networks. Sends a Capabilities-Exchange-Request and returns the origin host, realm, vendor, product name, and supported applications.
Port: 3868
diametersctp — Diameter (SCTP)Diameter (SCTP) is the Diameter (RFC 6733) AAA protocol carried over SCTP, used between mobile-core elements (Diameter Edge Agent, DRA, HSS, PCRF, MME). Sends a Capabilities-Exchange-Request and returns the origin host, realm, vendor, product name, and supported applications.
Port: 3868
digi — Digi ADDPDigi ADDP is the Advanced Device Discovery Protocol used by Digi International serial servers, cellular gateways (TransPort, IX, EX), and embedded modules to advertise themselves on the local network. runZero sends DIGI, DVKT, and DGDP discovery requests on UDP/2362 and parses the TLV reply to return the device MAC, IP, model, firmware version, and hardware revision.
Port: 2362
dnp3DNP3 is Distributed Network Protocol 3 (IEEE 1815) used in electric, water, and oil & gas SCADA between control centers (masters) and RTUs/IEDs (outstations). Performs an unsolicited link-layer test and an Object Group 0 read and returns the outstation address, vendor, model, firmware, and device-attributes summary.
Port: 20000
dnsDNS is the Domain Name System used to resolve hostnames to addresses and other resource records. Issues version.bind, hostname.bind, and recursion-test queries and returns the resolver software identification, recursion availability, and observed CHAOS-class metadata.
Ports: 53, 5353, 5355
docker — Docker Engine APIDocker Engine API is the HTTP control plane exposed by dockerd. runZero queries /version and /info on unauthenticated daemons (typically TCP/2375 or 2376) to recover the engine version, API version, kernel version, operating system, architecture, and container runtime.
Ports: 2375, 2376
doip — Diagnostics over IPDiagnostics over IP is an automotive diagnostics protocol used to reach in-vehicle ECUs (UDS/KWP) over Ethernet. Issues a Vehicle Identification Request and (when enabled) Entity Status, returning VIN, EID/GID, logical addresses, and reachable ECU summaries behind the gateway.
Port: 13400
dotnet-remoting — .NET Remoting.NET Remoting is a Microsoft RPC framework used by legacy .NET Framework applications for cross-process and cross-host RPC. Identifies the service from the .NET Remoting binary-protocol prefix in the connection banner and saves the raw banner.
Port: 9090
drbdDRBD is the Distributed Replicated Block Device protocol used to replicate block devices between Linux nodes for high availability. Identifies the service from the connection-error banner observed on TCP/8787 and saves the raw banner.
Port: 8787
drobo-nasd — Drobo NASdDrobo NASd is the management daemon used by Drobo Dashboard to administer Drobo storage appliances. Identifies the daemon from the DRINASD banner returned on TCP/5000 and saves the raw banner.
Port: 5000
dtlsDTLS is Datagram Transport Layer Security (RFC 6347/9147), the UDP/SCTP variant of TLS, used by WebRTC, CoAP, OpenVPN, EAP-TTLS, and other datagram services. Performs a DTLS ClientHello and returns the negotiated version, cipher suite, and any presented certificate metadata.
Ports: 443, 3391, 4433, 5246, 5349, 5684, 12346, 12366, 12386, 12406, 12426
echoEcho is a legacy diagnostic service (RFC 862) that echoes received bytes. Records the response to confirm the service and to detect amplification-capable hosts.
Port: 7
eero-ebid — eero EBIDeero EBID is a proprietary discovery protocol used by Amazon eero mesh Wi-Fi access points to advertise the extender beacon identifier between mesh nodes on the local segment. runZero attributes the service from the EBID hint and applies eero-specific fingerprinting to identify the asset as an eero mesh extender.
eerogw — eero Gatewayeero Gateway is a proprietary discovery protocol used by Amazon eero mesh gateways to advertise themselves to companion mobile applications on the local network. runZero attributes the service from the eero gateway hint and applies eero-specific fingerprinting to identify the asset as an eero gateway node.
elasticsearchElasticsearch is the Elastic search/analytics engine. runZero queries the root HTTP endpoint to recover the cluster name, node name, Elasticsearch version, Lucene version, and build hash.
Port: 9200
epm — DCE/RPC Endpoint Mapper ServiceEPM is the surface name used by runZero for services attributed to the Microsoft DCE/RPC Endpoint Mapper following Recog/banner-based fingerprinting. The lower-level wire protocol is decoded as dcerpc; this label captures hosts where only fingerprint evidence (banners, version strings) was available.
Port: 135
epmd — Erlang Port Mapper DaemonEPMD is the Erlang Port Mapper Daemon used by Erlang and Elixir distributed nodes (including RabbitMQ and CouchDB) to advertise registered node names and the dynamic ports they listen on. runZero issues the NAMES_REQ to enumerate registered nodes and their listening ports.
Port: 4369
epo — Trellix/McAfee ePolicy Orchestrator (ePO)Trellix/McAfee ePolicy Orchestrator (ePO) is the central management console for Trellix (formerly McAfee) endpoint-security agents. The HTTP probe fetches the ePO login page and returns the product name, build number, and version metadata exposed in the page markup.
erlangdp — Erlang DistributionErlang Distribution is the inter-node messaging protocol used between Erlang and Elixir nodes. Queries EPMD for registered node names and (when nodes are discovered) performs a distribution handshake on the first node, returning the EPMD names list, node name and hostname, distribution version, supported flags, and handshake status.
Port: 4369
erldp — Erlang Distribution ProtocolErlang Distribution Protocol is the distribution protocol used between Erlang and Elixir VM nodes for inter-node messaging (also commonly referred to as ErlDP). runZero matches the Erlang distribution handshake on the wire and reports the protocol alongside the active erlangdp scanner so port-scan results are tagged consistently with EPMD-discovered nodes.
etcd — etcd v3 APIetcd is the distributed key-value store used by Kubernetes and other CoreOS-derived projects. Detected via the v3 HTTP/gRPC API (typically TCP/2379), where /version reports the etcd-server and etcd-cluster versions.
Port: 2379
etcd2 — etcd v2 APIetcd2 is the legacy v2 HTTP API exposed by older etcd deployments. Detected via /v2/stats/self and /version, which expose the cluster name, member ID, and etcd version on unauthenticated installations.
Ports: 2379, 4001
ethercatEtherCAT (Ethernet for Control Automation Technology, IEC 61158) fieldbus used for high-speed motion control and distributed I/O on machine-control and CNC segments. Queries master and slave registers and returns the master vendor identification and a summary of slaves discovered on the segment.
Port: 34980
fgfm — FortiGate to FortiManagerFGFM is the proprietary TLS-wrapped management protocol used by Fortinet FortiGate firewalls to register with and receive configuration from a FortiManager. Detected by the FGFM TLS server certificate and banner; runZero records the device serial number and model where exposed.
Port: 541
fingerFinger is a legacy user-information service (RFC 1288) historically exposed on TCP/79, today seen mostly on Cisco IOS devices and embedded printers. runZero reads the Finger banner returned on connection and extracts the printer model (HP JetDirect-style) or Cisco IOS identification, and reports the service for legacy-protocol exposure tracking.
fins — Omron FINSOmron FINS is the Factory Interface Network Service used by Omron CJ, CS, NJ, and NX PLCs and related automation devices on factory floors. runZero records FINS-derived asset attributes (controller model, firmware) emitted by the active omronfins scanner and uses the FINS protocol identifier when categorizing assets and assigning OT asset functions.
Port: 9600
firebird — Firebird SQLFirebird SQL is the relational database wire protocol used by the Firebird open-source database engine. Performs the Firebird connection handshake and returns the server architecture, protocol version, and Firebird release.
Port: 3050
focas — Fanuc FOCASFanuc FOCAS is an Ethernet protocol used to monitor and control Fanuc CNC machine tools and robots (Open CNC API Specification, FOCAS2/Ethernet). Issues the system-info call and returns the CNC series, version, machine number, and (when enabled) per-path machining data.
Port: 8193
fortigate-to-fortimanagerFortiGate-to-FortiManager is the Fortinet FGFM management protocol used by FortiManager to manage FortiGate firewalls. Inspects the FGFM TLS handshake and returns the FortiGate model, firmware, and serial number embedded in the certificate.
Port: 541
fox — Tridium Niagara FoxTridium Niagara Fox is the building-automation control protocol used by Niagara Framework JACE controllers and supervisors. Sends the Fox hello and returns the Fox version, station name, host ID, host name, OS name and version, JVM name and version, brand identifier, and authentication agent.
Ports: 1911, 4911
ftpFTP is the standardized file-transfer protocol (RFC 959). Reads the FTP greeting and issues SYST/HELP/AUTH probes, returning the server software, system type, supported features, and TLS-availability indicators.
Ports: 21, 2121, 9090
gangliaGanglia is a distributed monitoring system commonly deployed on HPC clusters and Linux server farms. runZero identifies Ganglia services from the GANGLIA_XML document returned by gmond/gmetad and captures the banner so cluster identification and host metrics are available for inventory.
gesrtp — GE SRTPGE SRTP is the Service Request Transport Protocol used to communicate with GE/Emerson PACSystems, Series 90, and RX3i/RX7i PLCs. Issues a controller-identification request and returns the model, firmware, sweep state, and slot configuration.
Port: 18245
giop — GIOP / CORBA IIOPGIOP / CORBA IIOP is the OMG General Inter-ORB Protocol (the wire format under CORBA IIOP). Identifies the service from the GIOP magic in the connection banner.
Port: 535
git — Git Smart ProtocolGit Smart Protocol is the native transport used by git:// servers for clones, fetches, and pushes. Sends an upload-pack advertisement request and returns the advertised refs summary, server capabilities, and HEAD reference.
Port: 9418
git-http — Git Smart HTTP ServiceGit Smart HTTP Service is the Git smart-HTTP transport (git-upload-pack and git-receive-pack endpoints) used by GitLab, Gitea, Bitbucket, cgit, and bare git-http servers for clones, fetches, and pushes. The HTTP extractor matches the _gitlab_session cookie and parses the manifest body, returning the git-http protocol attribution and the GitLab manifest hash.
googlewifi — Google Wifi / Nest WifiGoogle Wifi is the local management API exposed by Google Wifi and Nest Wifi mesh access points. Detected via mDNS (_googlecast._tcp) and the local HTTP setup endpoints, which reveal the device's hardware model, build version, and mesh role.
gpsdGPSD is the GPS daemon JSON-over-TCP protocol used to share location and timing data from connected GNSS receivers. Sends a ?WATCH request and identifies the service from the GPSD banner returned in the response.
Port: 2947
gtpc — GTP-CGTP-C is the GPRS Tunneling Protocol control plane that carries signaling between mobile-core nodes (SGSN/GGSN, MME/SGW/PGW). Sends an Echo Request and returns the GTP version, restart counter, and supported features.
Ports: 2123, 2152
gtpprime — GTP'GTP' is the GTP charging variant used to ship CDRs from mobile network elements to a Charging Gateway. Sends an Echo Request and returns the GTP' version and node identification.
Port: 3386
gtpu — GTP-UGTP-U is the GPRS Tunneling Protocol user plane that encapsulates subscriber traffic between mobile-core nodes and base stations. Sends an Echo Request and returns the GTP-U version and observed extension-header support.
Port: 2152
gvcp — GigE Vision ControlGigE Vision Control is the AIA GVCP protocol used to discover, configure, and trigger industrial machine-vision cameras over Ethernet. Sends a Discovery_Cmd and returns the camera manufacturer, model, serial, firmware, MAC, and supported GVCP version.
Port: 3956
gvsp — GigE Vision StreamingGigE Vision Streaming is the AIA GVSP protocol used to transport image and chunk data from machine-vision cameras to host applications. Passively classifies stream packets and returns the streaming state, packet format, and block identifier.
Port: 20202
h323 — H.323H.323 is the ITU-T multimedia conferencing/VoIP signaling protocol. Sends a Setup probe and returns the gatekeeper/endpoint identification and supported codec/feature summary.
Port: 1720
hartip — HART-IPHART-IP is an industrial protocol used to tunnel HART process-instrument traffic over TCP/UDP through gateways and multiplexers. Issues HART command 0 and returns the gateway identification, and (when enabled) walks sub-device indices via Cmd 84 to enumerate connected field instruments.
Port: 5094
hicp — HMS HICP/SHICPHMS HICP/SHICP is the HMS Industrial Networks discovery protocol used to discover and configure Anybus and Netbiter industrial gateways. Sends the HICP discovery probe and returns the device hostname, MAC, IP configuration, and firmware revision.
Port: 3250
hiddiscoveryd — HID DiscoveryDHID DiscoveryD is the discovery service used to locate HID VertX/Edge access-control panels and readers. Sends the discovery probe and returns the device model, firmware, and primary network configuration.
Port: 4070
hikvision — Hikvision IP Camera/NVR WebHikvision IP Camera/NVR Web is the HTTP management interface for Hikvision (and OEM) IP cameras and recorders. Identifies the product family from the WWW-Authenticate realm and pins the firmware version using either the embedded ?version= query strings on the login page assets, or the Last-Modified header on /doc/page/login.asp combined with a known build-date table.
hostmeta — Web Host MetadataWeb Host Metadata is the document defined by RFC 6415 and exposed at /.well-known/host-meta or host-meta.json, commonly used by federated-identity, WebFinger, and ActivityPub deployments. runZero sets the hostmeta protocol on the asset when the active HTTP probe successfully retrieves the document and surfaces the discovered links for inventory.
hsms — SEMI HSMS / SECS-GEMSEMI HSMS / SECS-GEM is the High-Speed SECS Message Services transport that carries SECS-II/GEM messages for semiconductor fab equipment (SEMI E37). Performs the HSMS Select handshake and an S1F1 Are-You-There, returning the equipment model identifier, software revision, and (when enabled) Equipment Constant subsystem summary.
Port: 5000
httpHTTP is the Hypertext Transfer Protocol used by the World Wide Web and most modern APIs. Issues HEAD/GET probes and runs HTTP-specific extractors, returning server software, response codes and headers, page titles and generators, favicons, and any application fingerprints recognized by extractor rules.
Ports: 80, 3000, 4567, 5000, 5985, 8000, 8001, 8080, 8081, 8082, 8200, 8443, 8888, 9001, 9080, 9090, 9100
http2 — HTTP/2HTTP/2 is a binary, multiplexed framing protocol for HTTP (RFC 7540), negotiated via TLS ALPN or the HTTP/2 cleartext upgrade. runZero negotiates HTTP/2 when offered and feeds the response into the standard HTTP analyzer so headers, server identification, and TLS attributes are captured.
httpsHTTPS is HTTP carried over TLS, the dominant transport for web applications, REST APIs, and management UIs. Implemented in runZero as the standard HTTP scanner over a TLS connection; the protocol is reported as https (rather than http) whenever the connection negotiates TLS or the port hint is flagged as TLS-only, and the full TLS handshake metadata (certificate, ciphers, fingerprints) is recorded alongside the HTTP response.
iax2IAX2 is the Inter-Asterisk eXchange version 2 VoIP signaling and media protocol used between Asterisk PBXes. Sends a POKE and returns the responder's IAX2 version and PBX identification.
Port: 4569
icmp — ICMP Echo (Ping)ICMP Echo (Ping) is the IPv4/IPv6 ICMP Echo Request/Reply exchange (RFC 792, RFC 4443) issued by the host-discovery probe to confirm host liveness, capture round-trip times, and observe TTL/Hop-Limit and IP TOS fields.
ics-trace — ICS Passive TraceICS Passive Trace is a synthetic protocol used internally to record evidence from passive analysis of ICS/OT traffic when active OT probing is disabled. runZero attributes the asset under ics-trace and emits the protocol identifiers and attributes observed in the passive trace.
identIdent is the Identification Protocol (RFC 1413), a legacy user-identity lookup service. Sends an ident query against the connecting socket and returns the operating-system field and any user-identity string disclosed by the response.
Port: 113
idrac — Dell iDRACiDRAC is the Dell Integrated Dell Remote Access Controller out-of-band management interface. runZero attributes services as iDRAC from the SSH/HTTPS banners, redfish endpoints, and TLS certificates issued for the controller, recovering the firmware version and service tag.
iec104 — IEC 60870-5-104IEC 60870-5-104 is a SCADA telecontrol protocol used between control centers and RTUs/substation gateways, primarily in electric power and rail. Sends TESTFR (and, when enabled, STARTDT/General Interrogation) and returns the common ASDU address, originator address, and any device-identity ASDUs received.
Port: 2404
iec61850-goose — IEC 61850 GOOSEIEC 61850 GOOSE is the Generic Object Oriented Substation Event Layer-2 multicast protocol (EtherType 0x88B8) used by substation IEDs for peer-to-peer trip and status signaling. runZero passively decodes GOOSE frames, attributes the publisher MAC as an IEC 61850 IED, and records the GoCB reference and dataset.
iec61850-mms — IEC 61850 MMSIEC 61850 MMS is the Manufacturing Message Specification mapping used by substation Intelligent Electronic Devices for monitoring, control, and reporting. Opens an MMS session and (when enabled) issues Identify, returning the IED vendor, model, firmware, and logical-device summary.
Port: 102
iec61850-sv — IEC 61850 Sampled ValuesIEC 61850 Sampled Values is the Layer-2 multicast protocol (EtherType 0x88BA) used by substation merging units to publish synchronized current and voltage measurements to protection and control IEDs. runZero passively decodes SV frames, attributes the publisher MAC as a merging unit, and records the SvCB reference and dataset.
igel — IGEL DiscoveryIGEL Discovery is the discovery protocol used by IGEL OS thin clients to advertise themselves to the IGEL Universal Management Suite (UMS), deployed in VDI and remote-desktop environments. Sends the IGEL discovery probe and returns the endpoint hostname, hardware model, IGEL OS version, MAC, and the UMS-server registration state.
Port: 30005
igel-discovery — IGEL UMS DiscoveryIGEL UMS Discovery is the UDP broadcast used by IGEL OS thin clients to locate their Universal Management Suite server. Distinct from the igel management protocol decoded over TCP, this entry captures discovery-only sightings on UDP/30005.
Port: 30005
iis — Microsoft Internet Information Services (IIS)Microsoft Internet Information Services (IIS) is the HTTP server bundled with Windows Server, commonly hosting ASP.NET, Outlook Web Access, and SharePoint. The HTTP fingerprinter inspects Server and X-Powered-By headers and default landing pages and returns the IIS version and ASP.NET version hints.
ikeIKE is the Internet Key Exchange protocol used to negotiate IPsec security associations. Sends IKEv1/IKEv2 SA proposals and vendor-ID probes and returns the negotiated proposal summary, supported transforms, and any vendor-ID strings that disclose the gateway implementation.
Ports: 500, 4500
ikev2IKEv2 is the Internet Key Exchange version 2 protocol (RFC 7296) used by IPsec VPN gateways on UDP/500 and UDP/4500. runZero sends an IKE_SA_INIT request and parses the responder SPI, accepted transform set, and any vendor-ID payloads that disclose the gateway implementation.
Ports: 500, 4500
imapIMAP is the Internet Message Access Protocol used by mail clients to read messages from a server. Reads the IMAP greeting and runs CAPABILITY and ID commands, returning the server software, supported authentication mechanisms, and STARTTLS availability.
Ports: 143, 993
infinispan — Infinispan Hot RodInfinispan Hot Rod is a binary client/server protocol used by Red Hat Data Grid and JBoss-family caches. Performs the Hot Rod ping and returns the server version, topology identifier, and supported protocol version.
Port: 11222
influxdbInfluxDB is the time-series database from InfluxData. runZero queries /ping and /health on the HTTP API to recover the server build, X-Influxdb-Version header, and on permissive deployments the list of available databases.
Port: 8086
intermapperInterMapper is the probe interface exposed by Fortra (formerly HelpSystems) InterMapper network-monitoring agents installed on monitored servers and appliances to report status to a central InterMapper server. Reads the InterMapper service banner and returns the product name and agent version.
Port: 8181
ipmiIPMI is the Intelligent Platform Management Interface used for out-of-band server management on BMCs (iLO, iDRAC, IMM). Performs an IPMI 2.0 RMCP+ Get Channel Authentication Capabilities exchange and, when credentials are configured, returns supported cipher suites, authentication algorithms, and the BMC vendor/firmware identification.
Port: 623
ippIPP is the Internet Printing Protocol used by CUPS, AirPrint, and most modern network printers. Issues Get-Printer-Attributes and returns the printer make/model, location, firmware, supported document formats, and feature attributes.
Port: 631
ipp-browse — IPP BrowseIPP Browse is the legacy CUPS browse protocol used by macOS and Linux print servers to advertise IPP print queues to the local segment via UDP/631 broadcasts. runZero passively decodes browse packets and active responses and returns the advertised queue URI, printer name, and CUPS server identification, attributing the asset as a print server.
Port: 631
ippbrowse — IPP BrowseIPP Browse is the legacy CUPS browse protocol used by Unix print servers to advertise IPP print queues via UDP/631 broadcasts. Passively decodes browse packets and returns the advertised queue URI, printer name, and CUPS server identification.
Port: 631
ipsecIPsec is the IP Security suite used to authenticate and encrypt IP packets, typically for site-to-site and remote-access VPNs. Sends ESP/AH and IKE liveness probes and returns the gateway responsiveness, NAT-T support, and any IKE-vendor strings disclosed.
Ports: 500, 4500
ircIRC is the Internet Relay Chat protocol, a text-based group messaging protocol. Reads the IRC server greeting and runs a NICK/USER probe, returning the server software, version, and 005-numeric capability summary.
Ports: 6667, 6668, 6669, 6697, 7000, 7001
iscsiiSCSI is the Internet Small Computer Systems Interface protocol used to expose block storage over IP. Sends a SendTargets request and returns the iSCSI Target Name list, target portals, and authentication-method summary.
Port: 3260
iua — IUA (SCTP)IUA (SCTP) is the ISDN User Adaptation Layer (RFC 4233) carried over SCTP, used to backhaul ISDN signaling in SIGTRAN networks. Verifies the SCTP association and IUA payload protocol identifier and returns endpoint identification.
Port: 9900
jabberJabber is the legacy product name for XMPP, still used by Cisco Jabber, ejabberd, Openfire, and similar chat/presence servers. runZero identifies Jabber services from the <stream:stream> or jabber.org-namespaced response returned on connection and tags the asset alongside the active xmpp scanner results.
java-object — Java Object SerializationJava Object Serialization is the binary stream format produced by java.io.ObjectOutputStream, often indicating exposed RMI, JMX, or JBoss endpoints when seen on the wire. Inspects the magic header and returns the serialization-protocol version and any class-name hints disclosed in the stream.
java-rmi — Java RMIJava RMI is the Remote Method Invocation protocol used by Java applications. Performs the JRMP handshake and a registry list, returning the RMI-registry version and the names and stub classes of bound objects.
Port: 1099
jdbc-hsqldb — HyperSQL JDBCHyperSQL JDBC is the JDBC database server protocol used by the HyperSQL (HSQLDB) engine. Identifies the service from the 'HSQLDB JDBC Network Listener' banner returned on connection.
Port: 9001
jdwp — Java Debug Wire ProtocolJava Debug Wire Protocol is the unauthenticated JVM debugging transport used by IDEs and debuggers to control a JVM. Performs the JDWP handshake and Version command, returning the JDK version, JVM vendor, and process description.
Ports: 3999, 5000, 5005, 8000, 8453, 8787, 8788, 9001, 18000
jetdirect — HP JetDirectHP JetDirect is the raw printing protocol on TCP/9100 (PJL banner port). Sends a PJL INFO ID/STATUS probe and returns the printer make/model, firmware, page count, and PJL device-attribute summary.
Ports: 9100, 9101, 9102
jira — Atlassian JiraAtlassian Jira is an issue-tracking and project-management server available in Server, Data Center, and Cloud editions. The HTTP probe fetches Jira login, dashboard, and REST endpoints and returns the product name, edition, and build number.
Ports: 80, 443, 8080
jms — JMS / JMX-RMI Port MapperJMS / JMX-RMI Port Mapper is the OpenMQ/GlassFish imqbroker port-mapper service that publishes the names, transports, and ports of bound JMS and JMX-RMI endpoints (default TCP/7676). Queries the port mapper and returns the broker version and the bound endpoint names, transports, and ports.
Port: 7676
kafka — Apache KafkaApache Kafka is a distributed event-streaming wire protocol. Sends an ApiVersions request and returns the broker identifier, supported API versions, and (when an unauthenticated MetadataRequest is permitted) cluster and topic-name summaries.
Ports: 9092, 9093, 9094
kasa — TP-Link KasaTP-Link Kasa is the smart-home control protocol used by Kasa plugs, bulbs, and switches. Sends the obfuscated SYS_INFO query and returns the device alias, model, firmware, hardware version, and MAC.
Port: 9999
kerberosKerberos is the network authentication protocol used by Active Directory and many enterprise services. Sends an AS-REQ for a benign principal and returns the realm, KDC error code, and supported encryption types.
Ports: 88, 464, 749, 750
knxnet — KNXnet/IPKNXnet/IP is the IP-tunneling encapsulation used to tunnel and route KNX building-automation telegrams (lighting, HVAC, shading). Sends a SEARCH_REQUEST and returns the device serial, MAC, KNX individual address, supported services, and friendly name.
Port: 3671
l2t — L2TP (UDP 1701)L2TP (UDP 1701) is the Layer 2 Tunneling Protocol on UDP/1701, used by VPN concentrators and remote-access gateways (often paired with IPsec) to tunnel PPP sessions. Sends an L2TP SCCRQ and returns the host name, vendor name, and firmware revision AVPs disclosed by the responder.
Ports: 1701, 2228
l2tpL2TP is the Layer 2 Tunneling Protocol used to carry PPP sessions, commonly with IPsec for VPN. Sends an SCCRQ and returns the host name, vendor name, and firmware revision AVPs.
Port: 1701
landesk — Ivanti / LANDesk AgentIvanti / LANDesk Agent is the endpoint-management agent for Ivanti (formerly LANDesk). Reads the agent banner and returns the agent version and bound management server.
Port: 9595
langflowLangflow is an open-source visual builder for LLM-powered applications. runZero attributes services as Langflow from Recog matches against the application's HTTP responses and OpenAPI document, recovering the application version.
lantronix — Lantronix DiscoveryLantronix Discovery is the discovery protocol used to locate Lantronix serial-to-Ethernet device servers. Sends the discovery probe and returns the device model, firmware, MAC, and configured serial-port settings.
Port: 30718
ldapLDAP is the Lightweight Directory Access Protocol (RFC 4511) used by Active Directory, OpenLDAP, 389 Directory Server, and other directory services for authentication and identity lookups. Queries the rootDSE and returns the supported LDAP versions, naming contexts, supported controls, and any forest or domain identifiers exposed.
Ports: 389, 636, 3268, 3269
lexmark — Lexmark DiscoveryLexmark Discovery is the printer/MFP network discovery protocol used by Lexmark devices. Sends the discovery probe and returns the device model, serial, firmware, and printer/MFP capabilities.
Port: 10000
librechatLibreChat is an open-source self-hosted LLM chat front-end. runZero attributes services as LibreChat from Recog matches against the web UI banners and configuration endpoints.
Ports: 443, 3080
lldp — Link Layer Discovery ProtocolLink Layer Discovery Protocol is the IEEE 802.1AB Layer-2 discovery protocol used by switches, routers, IP phones, and hypervisors to advertise themselves to neighbors. runZero passively decodes LLDP frames seen during the scan and returns the chassis ID, port ID, system name, system description, capabilities, and management addresses of each neighbor.
llmnrLLMNR is Link-Local Multicast Name Resolution (RFC 4795) used by Windows hosts to resolve single-label names on the local link when DNS is unavailable. Sends an LLMNR query and returns the responding hostname and the IP version of the answering host.
Port: 5355
lockdownd — Apple lockdowndApple lockdownd pairing service exposed on TCP/62078 by iPhone, iPad, and iPod touch devices and used by iTunes, Finder, Apple Configurator, and MDM tooling. Reads the lockdownd query response and returns the device class, product type, iOS or iPadOS version, serial number, and unique device identifier (UDID).
Port: 62078
lpdLPD is the standardized BSD line-printer protocol (RFC 1179). Sends a Receive-Job command and returns the raw printer banner from the daemon for downstream make and model fingerprinting.
Port: 515
lsv2 — Heidenhain LSV/2Heidenhain LSV/2 is a control protocol used by Heidenhain TNC CNC controls (TNC 640, iTNC 530, TNC 320). Queries control identification and returns the NC software type, version, and (when enabled) NC software-options bitmask.
Ports: 8000, 8001, 8002, 8003, 8004, 19000
lwm2m — OMA LwM2MOMA LwM2M is the OMA Lightweight M2M device-management protocol layered on CoAP and used to manage constrained IoT endpoints, sensors, and cellular modules. Sends a CoAP GET for /.well-known/core and returns whether the LwM2M registration directory and bootstrap-server resources are advertised along with a server-implementation hint.
Ports: 5683, 5783
m2pa — M2PA (SCTP)M2PA (SCTP) is the MTP2 Peer Adaptation Layer (RFC 4165) over SCTP used in SIGTRAN to carry SS7 MTP2 between signaling gateways. Establishes an SCTP association, verifies the M2PA payload protocol identifier, and returns the M2PA message class, message type, link state, and any error code or info string in the reply.
Port: 3565
m2ua — M2UA (SCTP)M2UA (SCTP) is the MTP2 User Adaptation Layer (RFC 3331) over SCTP used in SIGTRAN deployments. Establishes an SCTP association, verifies the M2UA payload protocol identifier, and returns the M2UA message class, message type, and any error code or info string in the reply.
Port: 2904
m3ua — M3UA (SCTP)M3UA (SCTP) is the MTP3 User Adaptation Layer (RFC 4666) over SCTP, the most common SS7-over-IP transport. Establishes an SCTP association, verifies the M3UA payload protocol identifier, and returns the M3UA message class, message type, and any error code or info string in the reply.
Port: 2905
managesieveManageSieve is a protocol used by mail clients to manage Sieve mail-filter scripts on the server. Reads the capabilities response and returns the implementation name, version, supported SASL mechanisms, and STARTTLS availability.
Ports: 2000, 4190
matterMatter is the Connectivity Standards Alliance smart-home application protocol used by Matter-certified devices over Wi-Fi and Thread. runZero identifies Matter devices from _matter._tcp mDNS records, parses the VP and DT TXT fields, and resolves them against the bundled Matter vendor table to return the vendor name, product name, and device type.
mbus-tcp — M-Bus over TCPM-Bus over TCP is the EN 13757 Meter-Bus protocol tunneled over TCP, used by gateways aggregating utility meters (heat, water, gas, electric). Sends REQ_UD2 to the gateway and (when enabled) walks primary addresses 1-250 to enumerate connected meters, returning meter manufacturer, identification, version, and medium.
Ports: 8888, 8889
mcp — Model Context ProtocolModel Context Protocol (MCP) is Anthropic's JSON-RPC protocol used by AI agents to connect to external tools and data sources. runZero attributes services as MCP from Recog matches against the server's HTTP/SSE handshake and the initialize response, which exposes the server name, version, and advertised capabilities.
mdnsmDNS is Multicast DNS used by Bonjour, Avahi, and other zero-configuration networking stacks. Sends a service-enumeration query and returns the advertised service types, instance names, ports, hostnames, and TXT-record metadata.
Port: 5353
megaco — Megaco / H.248Megaco / H.248 is a media gateway control protocol (RFC 3525) used between softswitches and media gateways in carrier and enterprise VoIP networks. Sends a ServiceChange probe and returns the media-gateway identifier (MID) and the negotiated H.248 protocol version.
Ports: 2944, 2945
melsecq — Mitsubishi MELSEC-QMitsubishi MELSEC-Q is a protocol used to communicate with Mitsubishi MELSEC PLCs. Issues a CPU model-name read using SLMP 3E (and, when enabled, 4E) and returns the CPU model name and CPU type code along with the matching MELSEC product CPE.
Ports: 5006, 5007
memcache — Memcached (text)Memcached (text) is the ASCII text wire protocol exposed by the Memcached distributed in-memory key-value cache and compatible servers. Issues a text VERSION/STATS request and returns the daemon version, current connections, and items and bytes held in cache.
Port: 11211
memcachedMemcached is a high-performance in-memory key/value cache. runZero issues the version, stats, and stats settings commands to recover the daemon version, uptime, current connections, item count, and configured memory limits. Misconfigured UDP-exposed servers are also flagged as DDoS-amplification reflectors.
Port: 11211
meshcop — Thread Mesh CommissioningThread Mesh Commissioning is the Mesh Commissioning Protocol used by Thread border routers (Apple HomePod, Google Nest Hub, eero, Nordic OTBR) to advertise commissioning endpoints to companion mobile apps. runZero attributes the asset as a Thread border router from the meshcop hint and surfaces the advertised network name, extended PAN ID, and vendor identification.
mgcpMGCP is the Media Gateway Control Protocol (RFC 3435) used between call agents and media gateways in VoIP networks. Sends an AUEP probe and returns the response code along with any endpoint identifiers and packages disclosed in the reply.
Ports: 2427, 2727
mikrotik-bandwidth — MikroTik Bandwidth Test ServerMikroTik Bandwidth Test Server is the proprietary throughput-testing service exposed by MikroTik RouterOS devices. runZero detects the listener via its banner; presence indicates the device is reachable for line-rate tests, which can be abused for amplification.
Port: 2000
mikrotikwinbox — MikroTik WinboxMikroTik Winbox is the protocol used by the Winbox utility to administer RouterOS devices. Sends the index-request and returns the RouterOS architecture, version, and bootloader identification.
Ports: 2000, 8291, 8728
milvus — Milvus Vector DatabaseMilvus is an open-source vector database used by retrieval-augmented LLM applications. runZero attributes services as Milvus from Recog matches against the gRPC and HTTP endpoints and the management UI banners.
Port: 19530
minecraft — Minecraft JavaMinecraft Java is the server query/list-ping protocol used by Minecraft Java Edition. Sends a status-request and returns the server MOTD, version, protocol number, current and maximum player counts, and any sample player names disclosed.
Port: 25565
mms — ISO 9506 MMS (IEC 61850)ISO 9506 MMS (IEC 61850) is the Manufacturing Message Specification over RFC 1006/COTP, the application protocol used by IEC 61850 substation Intelligent Electronic Devices (IEDs). The probe issues an A-ASSOCIATE plus MMS Initiate-Request and parses the Initiate-Response for vendor identity, negotiated MMS version, and supported services.
Port: 102
modbus — Modbus/TCPModbus/TCP is a protocol used to read and write registers on PLCs, RTUs, drives, and meters. Issues a Read Device Identification (function 43/MEI 14) and returns the vendor, product code, revision, vendor URL, product name, and (when configured) extended identification objects.
Port: 502
mongodb — MongoDB Wire ProtocolMongoDB Wire Protocol is the document-database wire protocol used by MongoDB drivers. Sends an unauthenticated isMaster/hello and returns the server version, build environment, replica-set role, and observed authentication requirements.
Ports: 27017, 27018, 27019, 28017
mountd — NFS mountdNFS mountd is the companion daemon to NFS that authorizes mount requests and enumerates exports, registered through rpcbind on Unix file servers and NAS appliances. runZero locates mountd through rpcbind, sends an EXPORT (procedure 5) call for each advertised version, and returns the exported directory list and per-export host or netgroup access lists.
mqttMQTT is a lightweight publish/subscribe messaging protocol used by IoT devices and brokers. Sends a CONNECT and returns the broker's CONNACK response code, supported MQTT version, and any properties advertised by the broker.
Ports: 1883, 8883
mssql — Microsoft SQL Server (TDS)Microsoft SQL Server (TDS) is the Tabular Data Stream protocol used by Microsoft SQL Server and Sybase ASE database engines for client-server query traffic. Sends a TDS PRELOGIN and returns the server version, encryption requirement, and named-instance identification.
Ports: 1433, 1434
mssql-replica — Microsoft SQL Server ReplicaMicrosoft SQL Server Replica is the Always-On availability-group and database-mirroring endpoint that exchanges replica traffic on TCP/5022 separately from the user TDS endpoint on TCP/1433. runZero hints TCP/5022 as mssql-replica during the MSSQL probe and tags the asset as a SQL Server replica endpoint when the standard TDS handshake is not offered.
mtconnectMTConnect is a protocol used by CNC machine tools, robots, and additive-manufacturing systems to publish device state over an HTTP/XML REST API. Issues a GET /probe and returns the agent version, instance ID, sender host, and per-device manufacturer, model, serial number, and UUID.
Ports: 5000, 7878
muninMunin is the protocol used by the Munin master to poll plugins on hosts. Reads the node banner and returns the node hostname, Munin version, and configured plugin list summary.
Port: 4949
mysql — MySQL / MariaDBMySQL / MariaDB is the binary client-server wire protocol used by MySQL, MariaDB, and Percona Server database engines. Reads the server-greeting packet and (when credentials are configured) authenticates, returning the server version, capability flags, supported authentication plugins, and TLS availability.
Ports: 3306, 33060
mysqlx — MySQL X ProtocolMySQL X Protocol is a Protocol-Buffer-based wire protocol exposed by MySQL Server (default TCP/33060) for MySQL Shell and X DevAPI document-store and CRUD clients. Sends a CapabilitiesGet message and returns the supported X-Protocol capabilities and TLS requirements.
Port: 33060
natpmp — NAT-PMPNAT-PMP is a protocol used by clients to request port forwards from a NAT gateway (RFC 6886). Sends a public-address request and returns the gateway's external IPv4 address, response code, and seconds-since-epoch counter.
Port: 5351
natsNATS is a lightweight publish/subscribe and request/reply messaging system. Reads the NATS INFO message and returns the server identifier, version, host, port, and authorization/TLS requirements.
Ports: 4222, 6222, 8222
ndmpNDMP is the Network Data Management Protocol used by enterprise backup software to coordinate backups of NAS devices. Opens a CONNECT_OPEN session and returns the NDMP protocol version reported by the server along with the connection status and any reason text.
Port: 10000
neo4j — Neo4j BoltNeo4j Bolt is the graph-database wire protocol used by Neo4j drivers and clients. Performs the Bolt handshake and returns the negotiated Bolt version and server release.
Ports: 7473, 7474, 7687
netbios — NetBIOS Session ServiceNetBIOS Session Service is the TCP/139 transport used by the legacy NetBIOS-over-TCP framing of SMB. runZero records the session-service banner alongside the NetBIOS name and workstation/server resource records reported by the host. The application-layer SMB protocol is decoded separately.
Port: 137
netbios-dgm — NetBIOS Datagram ServiceNetBIOS Datagram Service is the UDP/138 broadcast/datagram side of NetBIOS-over-TCP. runZero observes datagrams to recover the NetBIOS computer and workgroup names announced by Windows hosts and SMB servers.
Port: 138
netbios-ns — NetBIOS Name ServiceNetBIOS Name Service is a protocol used for legacy Windows name registration and resolution. Sends a NetBIOS node-status query and returns the registered names, node type, and any associated MAC address.
Ports: 137, 138
netisNetis is an identifier for Netis and Netcore SOHO routers, including the well-known UDP/53413 administrative backdoor exposed by historical firmware. runZero attributes the service from the netis-specific hint and tags the asset as a Netis router so the historical backdoor exposure is surfaced in inventory and reports.
netop-remote-control — Netop Remote ControlNetop Remote Control is a commercial remote-administration product from Netop (formerly Danware), commonly deployed in classroom, kiosk, and retail environments. runZero attributes the asset from the Netop host banner observed on the standard service port and tags the service as remote-access for inventory and exposure reporting.
nfsNFS is the Network File System used to share files across Unix-like systems (Sun RPC program 100003). Issues a NFS NULL ping and a MOUNT EXPORT call (via portmap) and returns the supported NFS versions and the list of exported filesystems and allowed clients.
Port: 2049
nrpe — Nagios NRPENagios NRPE is the protocol used by Nagios/Icinga to run checks on remote hosts. Sends a _NRPE_CHECK probe and returns the NRPE protocol version and any version banner disclosed.
Port: 5666
ntpNTP is the Network Time Protocol used to synchronize clocks across networks (RFC 5905). Sends mode-3 client and mode-6 control queries and returns the stratum, reference identifier, refid clock source, and (when enabled) implementation/version strings disclosed by mode-6 readvar.
Port: 123
omronfins — Omron FINSOmron FINS is the Factory Interface Network Service protocol used to communicate with Omron CJ/CS/NJ/NX PLCs and related automation devices. Issues a Controller Data Read (0501) and returns the controller model and firmware version along with the FINS handshake banner.
Port: 9600
opcda — OPC Classic (OPC DA)OPC Classic (OPC DA) is the OLE for Process Control data-access standard layered over Microsoft DCOM, widely deployed in legacy SCADA, HMI, and historian gateways. runZero detects OPC DA servers when the DCERPC scanner observes the OPCEnum interface UUID advertised by the endpoint mapper.
opcua — OPC UAOPC UA is a vendor-neutral industrial information-model and data-access standard. Performs a GetEndpoints request and returns the application URI, product URI, server-certificate metadata, and per-endpoint security policies and identity tokens.
Ports: 4840, 4843, 48050
openvpnOpenVPN is the tunnel control-channel protocol used by OpenVPN Community Edition and OpenVPN Access Server VPN gateways. Sends a P_CONTROL_HARD_RESET_CLIENT_V2 packet and returns the local and remote OpenVPN session identifiers from the server's hard-reset reply.
Port: 1194
oracle — Oracle TNSOracle TNS is the Transparent Network Substrate listener protocol used by Oracle Database servers. Sends a TNS Connect carrying a VERSION command and returns the listener version, instance name, and supported services.
Ports: 1521, 1522, 1525, 2483, 2484
oracledb — Oracle Database (TNS)Oracle Database (TNS) is a lightweight Oracle Net listener probe used to identify Oracle Database servers without negotiating a session. Sends a minimal TNS Connect, parses the Refuse/Accept/Resend reply, and returns the packet type, VSNNUM, error code, and disclosed listener version.
Ports: 1521, 1522, 1525
orion — SolarWinds Orion PlatformSolarWinds Orion Platform is a Windows-based network-management suite that bundles NPM, NCM, NTA, IPAM, SAM, UDT, and related modules. The HTTP extractor matches the Orion footer in the web console, parses the platform release and component list, and returns orion.version, orion.components, and SolarWinds Orion software identification.
panasonictv — Panasonic TVPanasonic TV is the network control service exposed by Panasonic Viera and similar consumer smart TVs for remote-control companion apps. runZero identifies these televisions from the proprietary control-protocol banner returned on connection, applies Panasonic TV fingerprinting, and attributes the asset as a Panasonic television.
panxmlapi — Palo Alto Networks PAN-OS XML APIPalo Alto Networks PAN-OS XML API is the authenticated management API (system info, ARP/MAC/neighbor caches, interfaces) issued against Palo Alto Networks firewalls and Panorama. Used by the runZero scanner with a user-supplied API key to enumerate adjacent assets and device facts.
pca — Symantec pcAnywhereSymantec pcAnywhere is a remote-access protocol. Sends the pcAnywhere status probe and returns the host name, status, and capability flags disclosed in the response.
Port: 5632
pcworx — Phoenix Contact PCWorxPhoenix Contact PCWorx is a runtime protocol used to program and interact with ILC-series and other Phoenix Contact controllers. Queries controller identification and returns the PLC type, model number, and firmware version, date, and time.
Port: 1962
pega — Pega PlatformPega Platform is a low-code business process management and CRM application server from Pegasystems used for enterprise workflow automation. The HTTP extractor matches Pega in the page title or body, parses the version span, and returns the pega.version attribute and Pegasystems Pega software identification.
pfcpPFCP is the Packet Forwarding Control Protocol used in 5G/LTE mobile cores between control-plane and user-plane functions. Sends a PFCP Heartbeat Request and returns the recovery time stamp and supported feature flags.
Port: 8805
pop3POP3 is the Post Office Protocol version 3 used by mail clients to retrieve messages from a server. Reads the POP3 greeting and runs CAPA, returning the server software banner, supported capabilities, and STARTTLS availability.
Ports: 110, 995
postgres — PostgreSQLPostgreSQL is the frontend/backend wire protocol used by PostgreSQL database servers and compatible engines such as Amazon RDS/Aurora and CockroachDB. Performs an SSLRequest followed by a StartupMessage and returns the server version, supported authentication mechanisms, advertised server parameters, and TLS availability.
Ports: 5432, 5433, 6432
postgresqlPostgreSQL is the open-source object-relational database. runZero negotiates the PostgreSQL frontend/backend protocol to obtain the server version, advertised authentication methods, and TLS support. The shorter "postgres" identifier is the default protocol name; this entry covers detections that reported the long form.
Port: 5432
powerlink — Ethernet POWERLINKEthernet POWERLINK is a real-time industrial Ethernet protocol from the EPSG, used for deterministic motion control and I/O between managing nodes and controlled nodes on machine tools, packaging lines, and robotics cells. Passively decodes POWERLINK frames and returns the node identifier, vendor identifier, product code, and revision.
pptpPPTP is the Microsoft Point-to-Point Tunneling Protocol legacy VPN. Sends a Start-Control-Connection-Request and returns the protocol version, vendor, firmware revision, and host name.
Port: 1723
printerid — Printer IdentificationPrinter Identification is a vendor-specific service exposed on TCP/9200 by HP, Lexmark, and other network printers and MFPs. runZero parses the model string returned by the device, records it as printerid.model, and uses the value as a synthetic fingerprint to identify the printer make and model during asset categorization.
proconos — Phoenix Contact ProConOSPhoenix Contact ProConOS is the PLC runtime protocol from KW-Software/Phoenix Contact, used by ILC, RFC, and OEM-rebadged controllers running the ProConOS or ProConOS eCLR runtime. Issues a runtime identification query and returns the ladder-logic runtime version, PLC type, project name, boot project, and project source-code identifier.
Port: 20547
profinetPROFINET is an industrial Ethernet protocol used for cyclic and acyclic real-time communication with PROFINET I/O devices and PLCs. Performs a Read Identification request and returns the device vendor, order number, serial, software/hardware revision, and (when enabled) discovered slot/subslot module list.
Ports: 34962, 34963, 34964
profinet-dcp — PROFINET DCPPROFINET DCP is the Discovery and basic Configuration Protocol used at Layer 2 to identify and assign names/IPs to PROFINET stations. Passively decodes DCP Identify announcements and returns the station name, vendor and device identifiers, and device role.
prosoft — ProSoft Discovery ServiceProSoft Discovery Service is the UDP discovery protocol used by ProSoft Technology industrial gateways and radios. runZero parses the response to recover the device model, firmware revision, MAC address, and IP configuration.
Port: 1718
psdisco — PlayStation DiscoveryPlayStation Discovery is the Sony PlayStation 4/5 console-discovery service (HTTP/1.1-style SRCH messages on UDP/987 and UDP/9302) used by Remote Play and second-screen companion apps. Sends a SRCH probe and decodes the response, returning the host id, host name, host type, system version, discovery-protocol version, and running-app title metadata.
Ports: 987, 9302
pulsar — Apache PulsarApache Pulsar is the binary client/broker protocol used by Pulsar messaging brokers and Pulsar Functions deployments for pub/sub messaging and event streaming. Sends a CONNECT command and returns the broker server version, protocol version, and authentication-method requirements.
Ports: 6650, 6651
qdrant — Qdrant Vector DatabaseQdrant is an open-source vector search database used by retrieval-augmented LLM applications. runZero attributes services as Qdrant from Recog matches against the HTTP API root and the /metrics endpoint, which expose the server version.
Ports: 6333, 6334
qotd — Quote of the DayQuote of the Day is the RFC 865 diagnostic service historically exposed by Unix inetd hosts and frequently abused for UDP amplification. Passively decodes QOTD replies in TCP and UDP captures and returns the protocol tag along with the truncated quote text or banner observed in the response.
Port: 17
qualys — Qualys Cloud Agent / Scanner ApplianceQualys Cloud Agent / Scanner Appliance is the web management interface exposed by Qualys vulnerability-management components, including the on-premises Scanner Appliance and Cloud Agent UI. The HTTP fingerprinter inspects these pages and returns the product name, appliance role, and any version identifiers disclosed.
quicQUIC is the IETF transport (RFC 9000), an encrypted UDP-based transport that carries HTTP/3 and is increasingly used by CDNs, web servers, and SaaS endpoints. runZero attributes the service as QUIC when the long-header Initial packet is observed on a probed UDP port and tags the asset for web / TLS exposure tracking.
radiusRADIUS is an AAA protocol used in Wi-Fi, VPN, and network-access control. Sends an Access-Request with an invalid principal and returns the response code, any Reply-Message and NAS-Identifier, and the list of attributes present in the reply.
Ports: 1645, 1646, 1812, 1813
raritan-csc — Raritan CommandCenterRaritan CommandCenter is the Common Socket Connection (CSC) management protocol used by Raritan CommandCenter Secure Gateway appliances and adjacent Raritan KVM/serial console managers. Passively detects the <CSC/> banner emitted on connection and tags the asset as a Raritan CommandCenter device.
rdpRDP is the Microsoft Remote Desktop Protocol used by Windows Remote Desktop Services. Performs an X.224 Connection-Request and returns the supported security protocols, NLA requirement, and (when TLS is offered) certificate-derived hostname/version metadata.
Ports: 3389, 3390
redisRedis is an in-memory data-structure store and message broker. Issues PING/INFO/AUTH probes and returns the Redis version, role, mode, and authentication or protected-mode requirements.
Ports: 6379, 16379, 26379
rexecrexec is the BSD Remote Execution protocol (legacy, transmits credentials in cleartext). Detects an rexec listener and returns the responsiveness and any host-identification banner observed.
Port: 512
riak — Riak Protocol BuffersRiak is a distributed NoSQL key/value store from Basho. This entry covers the Protocol Buffers transport on TCP/8087 used by the native Riak clients; the HTTP API is reported separately as riak-http.
Port: 8098
riak-http — Riak HTTP APIRiak HTTP API is the REST interface exposed by Basho Riak nodes (typically TCP/8098). runZero queries /stats and /riak/ to recover the node name, ring size, and Riak version.
Port: 8098
ripRIP is a distance-vector IGP. Sends a RIP Request and returns the RIP version and any advertised routes disclosed by the responder.
Port: 520
rloginrlogin is the legacy BSD remote-login protocol (RFC 1282) superseded by SSH. runZero records the banner and any login prompt returned by the server, and flags the service as a clear-text credential exposure.
Port: 513
roomalert — AVTECH Room AlertAVTECH Room Alert is an environmental monitoring appliance. Reads the device banner and returns the model, OS version, MAC address, and IP address.
Port: 9999
rpcbind — ONC RPC / rpcbindONC RPC / rpcbind is the portmap service used to discover Sun RPC programs (NFS, NIS, ...). Queries the portmap dump and returns the registered program list with versions, protocols, and ports.
Port: 111
rsync — rsync (SSH-tunneled)rsync is the rsync daemon wire protocol exposed on TCP/873 by file mirrors, backup servers, and software-distribution archives. Reads the server greeting, performs the version handshake, and returns the protocol version, raw banner, and module list when the server permits enumeration.
Port: 873
rsyncd — rsync daemonrsync daemon is the standalone rsync service (rsync://) listening on TCP/873. Reads the daemon greeting and lists modules, returning the rsync version, available module names, and module comments.
Port: 873
rtmpRTMP is the Adobe Real-Time Messaging Protocol used to stream audio, video, and data between Flash players and media servers. Performs the RTMP handshake and returns the protocol version byte echoed by the server.
Port: 1935
rtps — OMG RTPS / DDSOMG RTPS / DDS is the Real-Time Publish-Subscribe wire protocol from the Object Management Group; underlies DDS in robotics, ROS 2, and industrial IoT. Sends an SPDP participant announcement and returns the participant GUID, vendor identifier and name, and protocol version.
Ports: 7400, 7401, 7410, 7411
rtspRTSP is a streaming-control protocol used by IP cameras, NVRs, and media servers to control streams. Issues an OPTIONS request and returns the server software, supported methods, and any session-description metadata disclosed by DESCRIBE.
Ports: 554, 8554
s7comm — Siemens S7CommSiemens S7Comm is the protocol used to program and exchange data with SIMATIC S7-300, S7-400, S7-1200, and S7-1500 PLCs. Issues SZL identification reads and returns the module name, plant identification, copyright, serial, module type, hardware/firmware version, and (when enabled) backplane rack/slot module list.
Port: 102
sadp — Hikvision SADPHikvision SADP is the Search Active Devices Protocol used to discover Hikvision and OEM IP cameras and NVRs. Sends a SADP Inquiry and returns the device serial, model, firmware, MAC, IP configuration, and activation state.
Port: 37020
sccp — Cisco SCCP / SkinnyCisco SCCP / Skinny is a call-control protocol used by Cisco IP phones registering with CallManager/Unified Communications Manager. Sends a Register message and returns the call-manager response and station identification.
Ports: 2000, 2443
sctptun — SCTP TunnelSCTP Tunnel is runZero's identifier for SCTP-over-UDP encapsulation (RFC 6951) used to traverse middleboxes that block native SCTP. It is reported when an SCTP INIT is observed inside a UDP/9899 datagram.
Port: 9899
securemote — Check Point SecuRemoteCheck Point SecuRemote is a Check Point VPN topology discovery service. Sends the topology query and returns the gateway hostname and server identifier disclosed in the response.
Port: 264
sentinel — Redis SentinelRedis Sentinel is the high-availability supervisor for Redis. runZero issues SENTINEL ping and SENTINEL master to recover the sentinel version, monitored master name, and quorum configuration on unauthenticated instances.
Port: 26379
sercos-iii — SERCOS IIISERCOS III is a real-time industrial Ethernet protocol used for drives, servos, and I/O in machine tools and packaging machinery. Passively decodes SERCOS III frames and returns the slave count, cycle time, and vendor and device codes.
servicetag — Sun Service TagSun Service Tag is a discovery service used to inventory Sun/Oracle hardware and software. Sends the discovery probe and returns the registered product instance, instance URN, and version.
Port: 6481
sgsap — SGsAP (SCTP)SGsAP (SCTP) is the SGs interface (3GPP TS 29.118) over SCTP between MME and MSC for SMS over SGs and CSFB. Verifies the SCTP association and SGsAP payload protocol identifier and returns endpoint identification.
Port: 29118
sipSIP is a signaling protocol used to establish voice, video, and messaging sessions. Sends an OPTIONS request and returns the response code, server/user-agent strings, allowed methods, and any contact and via metadata disclosed.
Ports: 5060, 5061
slpSLP is the Service Location Protocol used to discover services on a LAN (RFC 2608); commonly exposed by VMware ESXi and printers. Sends an attribute and service-type request and returns the SLP version, advertised services, and per-service attribute summary.
Port: 427
smb — SMB / CIFSSMB / CIFS is the file-sharing and IPC protocol used by Windows and Samba. Negotiates SMB1/2/3 and reads tree/share metadata, returning the dialect, signing/encryption requirements, server OS, NetBIOS/computer name, domain, and (when permitted) the list of shares.
Ports: 139, 445
smb1 — SMBv1SMBv1 is the legacy Server Message Block dialect (CIFS / NT LM 0.12) deprecated by Microsoft and disabled by default since Windows 10 1709 / Server 2019. runZero flags this dialect specifically because it is required by the EternalBlue and related exploits and should be disabled wherever possible.
Ports: 139, 445
smb2 — SMBv2SMBv2 is the Server Message Block dialect family introduced in Windows Vista / Server 2008 (dialects 2.0.2 and 2.1). runZero records the negotiated dialect, signing requirements, server GUID, and operating-system version reported during NEGOTIATE_PROTOCOL and SESSION_SETUP.
Port: 445
smb3 — SMBv3SMBv3 is the Server Message Block protocol family introduced in Windows 8 / Server 2012 (dialects 3.0, 3.0.2, 3.1.1). runZero records the negotiated dialect, signing and encryption capabilities, and any pre-auth integrity hash advertised by the server.
Port: 445
smppSMPP is the Short Message Peer-to-Peer protocol used between SMS clients and SMSCs. Sends a bind_transceiver probe and returns the SMSC system identifier and SMPP version.
Port: 2775
smtpSMTP is the Simple Mail Transfer Protocol used to transfer email between servers and from clients to relays. Reads the SMTP greeting and runs EHLO, returning the server software, supported extensions, STARTTLS availability, and supported authentication mechanisms.
Ports: 25, 465, 587, 2525
snmpSNMP is the Simple Network Management Protocol used to monitor and configure network devices and servers. Walks system.* and selected enterprise OIDs over SNMPv1/v2c (and SNMPv3 when configured) and returns sysDescr, sysObjectID, sysName, location, contact, and a vendor/device-type fingerprint derived from the response.
Ports: 161, 162, 10161, 10162
snppSNPP is the Simple Network Paging Protocol (RFC 1861) used to deliver pages to paging gateways. Reads the SNPP greeting and returns the gateway banner.
Port: 444
socks — SOCKS ProxySOCKS is a generic proxy protocol with two incompatible versions (SOCKS4 and SOCKS5). This entry captures sightings where only the SOCKS family was identified; the version-specific decoders socks4 and socks5 record the negotiated authentication methods and supported commands.
Port: 1080
socks4SOCKS4 is a proxy protocol (SOCKS version 4) used by client applications and proxy servers (Squid, Dante, SSH dynamic forwarding) to relay TCP connections through an intermediary. Sends a CONNECT request to a benign target and returns the proxy responsiveness and the SOCKS reply status code observed.
Ports: 1080, 1081
socks5SOCKS5 is a proxy protocol (SOCKS version 5, RFC 1928) used by client applications, Tor (9050/9150), and proxy servers such as Dante, 3proxy, and Squid to relay TCP and UDP through an intermediary. Sends a method-selection request and returns the SOCKS version, supported authentication methods, and proxy reachability.
Ports: 1080, 1081, 9050, 9150
solr — Apache SolrApache Solr is the Lucene-based enterprise search platform. runZero attributes services as Solr from the X-Solr-Version response header, the admin-UI banners, and the /solr/admin/info/system JSON, which exposes the Solr and Lucene versions, JVM details, and host operating system.
Port: 8983
some-ip — AUTOSAR SOME/IPAUTOSAR SOME/IP is the Scalable service-Oriented MiddlewarE over IP used between automotive ECUs on in-vehicle Ethernet for service discovery and RPC. Sends a SOME/IP-SD FindService and returns the advertised service IDs and service count.
Ports: 30490, 30491
sonarqubeSonarQube is the static analysis and code-quality platform from SonarSource. runZero attributes services as SonarQube from the application's HTTP banners and the /api/system/status endpoint, recovering the server version and edition.
Port: 9000
sonicwall-sgms — SonicWall GMS AgentSonicWall GMS Agent is the Global Management System agent used to manage SonicWall firewalls. Identifies the agent from its TCP banner.
Port: 3023
spiceSPICE is the Simple Protocol for Independent Computing Environments, used to access KVM virtual machines and virtual desktops. Identifies SPICE servers from the link-handshake banner.
Port: 5930
splunk — Splunk Enterprise / Universal Forwarder Web UISplunk Enterprise / Universal Forwarder Web UI is the HTTP-served management interface for Splunk's SIEM and log-collection platform. The HTTP extractor inspects splunkd and Splunk Web responses and returns the product edition and version.
spotify-connect — Spotify ConnectSpotify Connect is the device-discovery and remote-control protocol used by Spotify clients to find playback endpoints (smart speakers, AV receivers, set-top boxes). Detected via the _spotify-connect._tcp mDNS record and the /zc HTTP endpoint exposed by the device.
ssdpSSDP is the Simple Service Discovery Protocol used by UPnP devices to advertise services. Sends an M-SEARCH and returns the advertised service types, USN, server string, and Location URLs of the responding devices.
Port: 1900
sshSSH is the Secure Shell remote-access and tunneling protocol. Reads the SSH banner, runs a KEX-init exchange, and (when credentials are configured) authenticates, returning the server software string, supported KEX/host-key/cipher/MAC algorithms, host keys and fingerprints, and accepted authentication methods.
Ports: 22, 2222, 22222
sstpSSTP is the Microsoft Secure Socket Tunneling Protocol, a PPP-over-HTTPS remote-access VPN used by Windows RRAS, MikroTik RouterOS, and SoftEther. Sends an SSTP_DUPLEX_POST handshake over TLS and returns the listener responsiveness, HTTP Server header, and inferred vendor (Microsoft, MikroTik, SoftEther).
Port: 443
steam — Steam Server DiscoverySteam Server Discovery is the Valve Steam Remote Play / In-Home Streaming LAN broadcast protocol. Sends a CMsgRemoteClientBroadcastDiscovery and returns the hostname, client/instance/device IDs, client version, OS type, public IP, and Steam Deck / VR / Remote Play status.
Port: 27036
stunSTUN is the Session Traversal Utilities for NAT protocol (RFC 5389) used for NAT discovery in WebRTC and VoIP. Sends a binding request and returns the SOFTWARE attribute and the observed XOR-MAPPED-ADDRESS reported by the server.
Ports: 3478, 3479, 5349, 5350
sua — SUA (SCTP)SUA (SCTP) is the SCCP User Adaptation Layer (RFC 3868) over SCTP, used to carry SS7 SCCP signaling over IP. Verifies the SCTP association and SUA payload protocol identifier and returns endpoint identification.
Ports: 2904, 14001
subversion — Apache SubversionSubversion is the Apache version-control system. This entry covers detections produced by integration data and Recog banners; runZero's active svn decoder negotiates the svnserve protocol on TCP/3690 to recover the repository UUID, root URL, and supported capabilities.
Port: 3690
sunrpc — Sun RPC PortmapperSun RPC Portmapper (also known as rpcbind) is the legacy ONC RPC service registry. This entry covers Recog-only matches against banners that did not return a structured rpcbind dump; the active rpcbind decoder enumerates registered programs and their dynamic ports.
Port: 111
svn — SubversionSubversion is the Apache Subversion svn:// version-control protocol. Reads the SVN greeting and returns the minimum and maximum supported protocol versions, supported capabilities, and offered authentication mechanisms.
Port: 3690
sybase — Sybase / SAP ASE (TDS 5.0)Sybase / SAP ASE (TDS 5.0) is the Tabular Data Stream 5.0 wire protocol used by Sybase ASE and SAP Adaptive Server Enterprise. Sends a TDS prelogin probe and returns the server version reported in the prelogin response.
Port: 5000
syslogSyslog is a standard event-logging protocol used to forward log messages between hosts and collectors. Identifies syslog listeners over UDP/TCP and decodes RFC 3164/5424 messages to report the priority, facility, severity, version, hostname, and application name.
Ports: 514, 6514
tcpmuxTCPMUX is the TCP Port Service Multiplexer (RFC 1078), a legacy diagnostic service. Queries the registered service list and returns the disclosed names.
teamviewerTeamViewer is the proprietary binary protocol used by the TeamViewer remote-access client to reach the TeamViewer cloud over TCP/5938. Sends a TeamViewer ping/hello probe and identifies the service from the response magic and command byte.
Port: 5938
telnetTelnet is a remote-terminal protocol (RFC 854) that transmits credentials in cleartext. Reads the negotiation banner and any login prompts, returning the device hostname, OS or product banner, and supported telnet options.
Ports: 23, 992, 2323
tenable-agent-id — Tenable Agent IdentifierTenable Agent Identifier is the synthetic protocol runZero uses to track the unique agent UUID reported by Tenable Nessus and Tenable.io agents observed via integrations. It is not a network protocol and has no associated wire-level scan.
tftpTFTP is the Trivial File Transfer Protocol (RFC 1350) used for boot images, firmware, and config transfer. Sends a benign read request and returns the responsiveness and any error-code metadata that discloses the server implementation.
Port: 69
thinprintThinPrint is the Cortado virtual-printing protocol used by Citrix, VMware Horizon, and Microsoft RDS deployments to redirect print jobs from session hosts to client-side printers. Detected from the TPAutoConnect listener banner on TCP/4000.
Port: 4000
timeTime is the legacy 32-bit time-of-day service (RFC 868). Reads the response to confirm the service and detect amplification-capable hosts.
Port: 37
tls — TLS / SSLTLS / SSL is the Transport Layer Security encrypted-transport substrate used by HTTPS and most modern Internet protocols. Performs a TLS handshake and returns the negotiated version and cipher suite, supported versions and extensions, and the full server-certificate chain with subject, issuer, SANs, validity, and key metadata.
Ports: 443, 5986, 6443, 8443, 9443
tristation — Triconex TriStationTriconex TriStation is the proprietary engineering protocol used to program and configure Tricon and Trident Safety Instrumented Systems controllers. Passively decodes TriStation frames and returns the controller identification observed.
Port: 1502
turnTURN is the Traversal Using Relays around NAT protocol (RFC 5766) used as a media relay for WebRTC and VoIP. Sends an Allocate request and returns the SOFTWARE attribute, mapped and relayed addresses, allocation lifetime, requested transport, and any error code.
Ports: 3478, 3479, 5349, 5350
ubnt — Ubiquiti DiscoveryUbiquiti Discovery is a device-discovery protocol used by UISP/UNMS and the Ubiquiti Discovery Tool. Sends the discovery probe and returns the device hostname, model, firmware, MAC, and IP configuration.
Port: 10001
unitronics — Unitronics PCOMUnitronics PCOM is the proprietary protocol used to communicate with Unitronics Vision and Samba/UniStream PLC+HMI controllers. Queries the controller identification and returns the model and OS version.
Port: 20256
upnp — Universal Plug and PlayUPnP is the device-control protocol layered on top of SSDP. runZero fetches the device-description XML referenced in the SSDP LOCATION header to recover the friendly name, manufacturer, model, serial number, UPnP UUID, and the list of advertised services.
uscan — Apple Image Capture (uscan)uscan is the AirScan/Mopria HTTP scanner protocol used by macOS Image Capture, iOS Notes, and Mopria-compatible clients to discover and drive network scanners. Detected via the _uscan._tcp mDNS record and the /eSCL/ScannerCapabilities XML returned by the device.
uscans — Apple Image Capture over HTTPS (uscans)uscans is the TLS-protected variant of the AirScan/Mopria scanner discovery protocol, advertised via the _uscans._tcp mDNS record. runZero fetches the HTTPS /eSCL/ScannerCapabilities document to recover the device make, model, firmware, and supported scan profiles.
vault — HashiCorp VaultVault is HashiCorp's secrets-management platform. runZero queries /v1/sys/health and /v1/sys/seal-status on the HTTP API to recover the Vault version, cluster name, cluster ID, sealed/initialized state, and replication mode.
Port: 8200
vmauthd — VMware vmauthdVMware vmauthd is the authentication daemon listening on VMware ESXi and Workstation hosts. Identifies the service from its 220 greeting banner.
Port: 902
vmware — VMware vSphere SOAPVMware vSphere SOAP is the vSphere Web Services SOAP API exposed by vCenter Server and ESXi hosts for management and automation. Issues a RetrieveServiceContent call to /sdk and returns the product name, full version and build, API type and version, OS type, and product line.
Port: 443
vnc — VNC / RFBVNC / RFB is the Virtual Network Computing remote-desktop protocol, also known as the Remote Frame Buffer protocol. Reads the protocol-version handshake and returns the RFB version, supported security types, and any disclosed vendor banner.
Ports: 5800, 5900, 5901, 5902, 5903
vsdp — Vivotek Search Discovery ProtocolVSDP is the UDP broadcast discovery protocol used by Vivotek IP cameras and video servers. runZero parses the response to recover the camera model, firmware version, MAC address, and IP configuration.
Port: 3702
vxlan — Virtual eXtensible LANVXLAN is the L2-over-UDP tunneling protocol (RFC 7348) used by data-center overlay networks. runZero observes VXLAN encapsulation on UDP/4789 and records the VXLAN Network Identifier (VNI) of the inner Ethernet frame.
Port: 4789
waveu — Wave/UE DiscoveryWaveU is the UDP discovery service used by Crestron AirMedia and selected Wave-branded conferencing endpoints to advertise their presence to companion mobile and desktop apps. runZero parses the response to recover the model and firmware revision.
wbsm — IBM Web-Based System ManagerIBM Web-Based System Manager (WSM/WebSM) is the remote-administration protocol used by the Java WSM client to manage AIX systems. Identifies the service from its banner.
Port: 9090
wdbrpc — VxWorks WDB AgentWDB RPC is the Wind River Workbench Debug Bridge agent built into many VxWorks images and exposed (often unintentionally) on UDP/17185. runZero issues a target-info query to recover the VxWorks version, BSP name, CPU type, and target name; presence of WDB indicates the host can be remotely controlled without authentication.
Port: 17185
webminWebmin is a web-based Unix administration suite that exposes a UDP discovery service on UDP/10000 alongside Usermin and Virtualmin. Sends the "webmin" query and returns the advertised Webmin server IP, port, and HTTP/HTTPS scheme used to reach the management UI.
Port: 10000
wireguardWireGuard is a modern in-kernel VPN protocol. Sends a benign handshake-initiation probe and returns the responsiveness and any rate-limited replies that confirm a WireGuard endpoint.
Port: 51820
wiznet — WIZnet DiscoveryWIZnet Discovery is a device-discovery protocol used by WIZnet serial-to-Ethernet modules and embedded TCP/IP chips. Sends the discovery probe and returns the raw advertised configuration fields.
Ports: 5000, 50001
wsd — Web Services Dynamic DiscoveryWeb Services Dynamic Discovery (WS-Discovery) is the SOAP-over-UDP multicast discovery protocol used by Windows printers, scanners, and ONVIF IP cameras. runZero issues a Probe to ff02::c / 239.255.255.250 and parses the ProbeMatch response to recover the device's endpoint reference, types, scopes, and metadata URLs.
Port: 3702
wsman — WS-ManagementWS-Management (WS-Man) is the SOAP-over-HTTP/HTTPS management protocol used by Windows Remote Management (WinRM), iDRAC, iLO, and IPMI baseboard controllers. runZero issues an Identify request to recover the product vendor, product version, and supported protocol versions.
Ports: 5985, 5986
x11 — X11 / X Window SystemX11 / X Window System is the X Window System display protocol used by Unix graphical desktops; if exposed, it allows remote display capture and input injection. Performs an X11 connection-setup probe and returns the X.Org/XFree86 vendor string, protocol-major version, and the access state of the server.
Ports: 6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6008, 6009, 6010, 6011, 6012, 6013, 6014, 6015
x2ap — X2AP (SCTP)X2AP (SCTP) is the X2 Application Protocol (3GPP TS 36.423) over SCTP used between LTE eNodeBs. Verifies the SCTP association and X2AP payload protocol identifier and returns endpoint identification.
Port: 36422
xdmcpXDMCP is the X Display Manager Control Protocol used by X Window System login managers (xdm, gdm, kdm). Sends an XDMCP query and returns the responding manager's hostname and supported authentication types.
Port: 177
xmppXMPP is the Extensible Messaging and Presence Protocol used by chat servers (Jabber, Openfire, ejabberd). Sends a stream-start request and returns the server software banner, supported XMPP version, and STARTTLS / SASL feature summary.
Ports: 5222, 5223, 5269
zabbix — Zabbix AgentZabbix Agent is the monitoring agent used by the Zabbix server to collect host metrics. Sends an agent.version request and returns the agent version, derived CPE, and whether remote commands are enabled.
Ports: 10050, 10051
zabbix-agent — Zabbix AgentZabbix Agent is the host-side collector polled by a Zabbix server over TCP/10050. runZero requests the agent.version and agent.hostname items to recover the agent build and configured hostname from unauthenticated agents.
Port: 10050
zebra — Zebra DiscoveryZebra Discovery is a network discovery protocol used by Zebra Technologies label and barcode printers. Sends the discovery probe and returns the printer hostname disclosed in the response.
Port: 6101
zookeeper — Apache ZooKeeperApache ZooKeeper is a distributed coordination service whose wire protocol exposes four-letter administrative commands. Sends a four-letter (ruok/srvr/conf) command and returns the access state, mode (leader/follower/standalone), node count, and ZooKeeper version when the command is permitted.
Ports: 2181, 2888, 3888
zyxel — Zyxel Device Web ManagementZyxel Device Web Management is the HTTP management interface exposed by Zyxel switches and routers (e.g. GS1200 series), serving a system_data.js endpoint that advertises model, firmware version, MAC, hostname, and IP configuration.
Additional protocols
iec60870-5-104
Customers running a self-hosted instance or using the standalone scanner have the ability to use custom-written fingerprints. This can be useful in adding new fingerprint coverage for very unique or custom assets and services, such as device prototypes or proprietary applications/services. Custom fingerprints can also be used to override existing, similar runZero fingerprints by using a same-or-higher certainty value.
When using the runZero standalone scanner with custom fingerprints, you'll need to use the `RUNZERO_EXTERNAL_FINGERPRINTS` value as an environment variable when launching the scanner.
Create new fingerprints
Custom fingerprints follow the structure and format of the open-source Recog fingerprint database. You can author your own fingerprint XML entries in files of similar name and format to those found in Recog. For cases where an asset or service matches both a built-in runZero fingerprint and a custom fingerprint of the same kind, preference will be given to the fingerprint with higher “certainty” value(s) (e.g. hw.certainty, os.certainty, service.certainty). In the event of a certainty “tie” (i.e. same certainty value(s)), the custom fingerprint will be given preference.
There are three main versions of the protocol.
SNMP versions 1 and 2
SNMP version 1 was designed in the 1980s as an interim protocol, intended to be replaced by ISO CMIP. It was built to be used across any network common at the time, not just TCP/IP networks, so security was left up to the host network. The protocol defined a community string for arbitrary organization of groups of assets, but didn’t specify how access should be granted.
]]>- SNMPv3 credentials
- Access secrets for cloud services like AWS and Azure
- API keys for services such as Censys and Miradore
Credentials are stored in encrypted form in the runZero database. Credentials, such as SNMP passwords, are used by runZero Explorers and are transmitted to them in encrypted form. For security reasons, the secret part of any credential cannot be viewed once entered.
]]>After you have run a full network discovery scan, you can start to better understand your coverage and begin to optimize. By the end of this guide, you will understand how to use the out of the box reports in runZero to understand your gaps in network coverage.
RFC 1918 coverage
The first report to look at is the RFC 1918 coverage report. This report shows you which internal IPv4 subnets have been scanned, which likely contain assets, and which are still unknowns.
]]>Once you have an Explorer installed, you can start using it for network discovery. While our goal is to configure scheduled scans that we set and forget, we need to go about our first scans in a more structured manner.
The goals of our first scans are to:
- Verify the Explorer is setup properly and has everything installed
- Validate Explorer connectivity to varying parts of the network
- Determine how long scans will take at varying sizes to help with future scheduling
Your first few scans
To get started, you will want to scan a few smaller ranges to make sure everything is working as expected. Start with a few /24 network blocks from each of the RFC 1918 ranges to make sure everything looks good.
]]>When creating a new scan, you have multiple parameters you can set, ranging from scheduling a date to more advanced options. To get started, login to the runZero Console, select Scan from the Data sources section of the navigation menu, and choose “Start Standard Scan”. Scans can also be launched from the Inventory views.
]]>Active scanning
The runZero Explorer and scanner perform unauthenticated active scanning of your specified networks based on the configurations you set. They leverage various network protocols to discover and fingerprint assets connected to the network.
Active scans can be configured to run once or on a schedule. Scan templates can also be used to ensure consistency across multiple scan tasks.
]]>Not a superuser or billing user? Please contact your organization’s superuser or billing user to get help with licensing and billing information. These users are tagged with a yellow star.
How do I view my license?
If you’re a superuser or billing user, go to Account > License to view your runZero licensing information.
]]>Here are the high-level steps to set up single sign-on (SSO) using Okta to authenticate and manage user access to runZero:
Requirements
Before you can set up Okta SAML:
]]>Here are the high-level steps to set up SSO using Microsoft Entra (formerly Azure AD) to authenticate and manage user access to runZero:
]]>
Only runZero administrators can automatically map users to user groups using SSO attributes and custom rules.
SSO group mapping allows you to map your SAML attributes to user groups in runZero. In runZero, user groups explicitly set the organizational role and determines the tasks users can perform within each organization. When you set up SSO group mappings, you explicitly define the SSO attribute and value you want to use for mapping. If there is a match, runZero will apply the group settings for the user. As a result, you can ensure that SSO users are mapped to their respective groups in runZero.
]]>runZero’s SSO implementation is designed to work with common SAML providers with minimal configuration, but there are a few requirements:
- Your users need to authenticate to a single domain such as
example.com, not to multiple domains or a domain with many subdomains. - The domain name needs to be configured in the SSO identity provider settings in runZero. This is true even for self-hosted runZero deployments.
- Your SAML IdP should provide something that looks like an email address in the standard NameID parameter. It doesn’t need to be a valid email address, but it should be a unique value that has the same syntax as an email address (
user@example.com). The field nameNameIDis case sensitive. - If the
NameIDdoes not look like an email address, runZero will check the fieldsemail,user.email,emailaddressandemail addressfor a suitable ID. These field names are not case sensitive. - runZero will check for the user’s full name in the fields
name,gecos,user.nameanddisplayname. If no full name field is found, runZero will proceed to check for a first name infirst_name,firstname,given_name,user.firstname,givennameorfirst name; and for a last name inlast_name,lastname,family_name,user.lastname,surname,sn, orlast name. These field names are not case sensitive.
Note that you must be a superuser to manage runZero SSO settings.
]]>You can invite external users to join your runZero instance and view the organizational data available to them. The ability to add external users is useful for consultants, value-added resellers, and managed service providers who want to be able to share data from runZero with external partners and clients.
If you are a superuser, you can invite any user who has a runZero account to join your account. When you invite the user, they will receive an invitation to join your account via email. After they accept the invitation and sign in to runZero, they will see a new menu next to their organization switcher that lists all the clients they can access. Your client name will display in the list.
]]>Instead of manually adding users one at a time, runZero administrators can add multiple users via bulk import. To bulk import users, you will need to create a CSV (comma separated values) file that contains the user information, such as their first name, last name, email, role, and organizational access.
Bulk imports will only add new users; it will not update existing users. If the file contains a user that already exists in the system, the import will not complete. You’ll need to remove all duplicate users from your CSV file and import the file again.
]]>
What happens if there are conflicting permissions?
<![CDATA[Managing access]]>
https://www.runzero.com/docs/managing-your-team/
2026-04-11T03:07:33+00:00
2026-04-11T03:07:33+00:00
runZero supports multiple concurrent users with a variety of roles. Roles can be set per-user on both a default and per-organization basis. The standard roles are administrator, user, billing, annotator, viewer, and no access. There is also a superuser role available to manage global settings.
<![CDATA[Data retention]]>
https://www.runzero.com/docs/data-retention/
2025-11-13T17:23:51+00:00
2025-11-13T17:23:51+00:00
runZero allows the data retention periods to be configured at the organization level. The organization settings page provides three ways to control how runZero manages your asset and scan data. Data expiration is processed as a nightly batch job based on the current settings for each organization in your account.
<![CDATA[Self-hosted troubleshooting]]>
https://www.runzero.com/docs/self-hosting-collection/
2024-02-22T16:30:44+00:00
2024-02-22T16:30:44+00:00
The runZero console includes a diagnostics collection script inspired by the need to troubleshoot a self-hosted environment. Collecting the necessary performance statistics, log files, system configuration, and profile debug capture was difficult for customers since there are many different commands and files involved. After checking permissions and dependencies, the diagnostic script gathers and compresses troubleshooting data into a convenient archive file that can be provided to runZero support. The script provides a consistent method for data collection whether it be from a system running your self-hosted console or an Explorer.]]>
<![CDATA[High-availability configuration]]>
https://www.runzero.com/docs/self-hosting-ha/
2026-04-11T03:07:33+00:00
2026-04-11T03:07:33+00:00
Self-hosted installations of runZero can be configured for high-availability. For this configuration, a load balancer is used to direct traffic to multiple console servers, which use a shared PostgreSQL cluster and storage backend. The following diagram illustrates an example architecture of a high-availability installation using AWS with two availability zones.
<![CDATA[Offline mode configuration]]>
https://www.runzero.com/docs/self-hosting-offline/
2026-05-10T19:03:44+00:00
2026-05-10T19:03:44+00:00
Supported operating systems
<![CDATA[Self-hosting runZero]]>
https://www.runzero.com/docs/self-hosting/
2026-05-27T17:08:11+00:00
2026-05-27T17:08:11+00:00
Platform
<![CDATA[Sites]]>
https://www.runzero.com/docs/sites/
2026-05-10T19:03:44+00:00
2026-05-10T19:03:44+00:00
By default, your account includes a single organization, which itself contains a single site, named Primary. If the only site in an organization is deleted, a replacement will be created automatically. Similarly, if the last organization is removed, a replacement will be created. You can rename organizations and sites at any time.
<![CDATA[Organizations]]>
https://www.runzero.com/docs/organizations/
2025-01-29T15:32:28+00:00
2025-01-29T15:32:28+00:00
Community Platform
<![CDATA[runZero 201 training]]>
https://www.runzero.com/docs/training-201/
2026-05-22T14:50:01+00:00
2026-05-22T14:50:01+00:00
Prerequisites
<![CDATA[runZero 101 training]]>
https://www.runzero.com/docs/training/
2025-12-04T14:33:33+00:00
2025-12-04T14:33:33+00:00
This training introduces the core components of the runZero platform. It provides the foundational concepts that help you understand how runZero gathers and structures asset data, how to explore the environment, and how to begin identifying risks and trends.
<![CDATA[Use case library]]>
https://www.runzero.com/docs/use-case-library/
2026-05-10T19:03:44+00:00
2026-05-10T19:03:44+00:00
Appendix
<![CDATA[Types of networks]]>
https://www.runzero.com/docs/sample-networks/
2024-05-10T10:54:34+00:00
2024-05-10T10:54:34+00:00
It is often helpful to use network examples as a starting point for planning your runZero implementation. This document breaks down a few standard network types and provides potential configurations for each. With that being said, every network has nuance, so it’s likely there will be some differences for your implementation.
<![CDATA[Full-scale deployment]]>
https://www.runzero.com/docs/deployment-plan/
2025-11-13T10:35:40+00:00
2025-11-13T10:35:40+00:00
As you get started with runZero, we recommend kicking off with our standard deployment plan and adding tasks as needed. The standard deployment plan is broken out into six stages which will help you plan out your requirements, execute the deployment, and optimize your environment based on runZero’s best practices.
<![CDATA[Verifying binaries]]>
https://www.runzero.com/docs/binary-verification/
2025-01-19T12:09:31+00:00
2025-01-19T12:09:31+00:00
runZero uses dynamically generated binaries for the runZero Console, CLI, and Explorer downloads. Although Windows
binaries have a valid Authenticode signature, all binaries also contain a secondary, internal signature. Dynamic
binaries make it easy to deploy Explorers that connect back to the right organization, but present a challenge for
independent integrity validation. To enable verification of the internal signature, we offer the runZero Verifier.
This verification tool can confirm whether a given binary contains a valid internal signature, in
addition to any existing Authenticode signatures.]]>
<![CDATA[Managing Explorers]]>
https://www.runzero.com/docs/managing-explorers/
2026-03-02T17:16:23+00:00
2026-03-02T17:16:23+00:00
The runZero Explorer is a lightweight scan engine that enables network and asset discovery. You should have at least one Explorer deployed. After deployment, you can manage your Explorers from the Deploy page in your runZero web console.
<![CDATA[Installing on a Raspberry Pi]]>
https://www.runzero.com/docs/installing-explorer-on-raspberry-pi/
2026-04-11T03:07:33+00:00
2026-04-11T03:07:33+00:00
The runZero Explorer enables discovery scanning. In most cases, you can deploy an Explorer on an existing system that has connectivity to the network you want to discover. However, there may be times when the traditional deployment model may not work for you. Some locations, like retail stores or customer sites, may not have staff or hardware available to install the Explorer, making remote deployment a bit tricky.
<![CDATA[Automated MSI deployments]]>
https://www.runzero.com/docs/explorer-msi/
2026-04-11T03:07:33+00:00
2026-04-11T03:07:33+00:00
runZero uses dynamically generated binaries for the runZero Explorer downloads and this doesn’t always play well
with MSI-based installation methods.
<![CDATA[Installing an Explorer]]>
https://www.runzero.com/docs/installing-an-explorer/
2026-04-11T03:07:33+00:00
2026-04-11T03:07:33+00:00
runZero requires the use of at least one Explorer within your environment to enable active and passive network discovery. The Explorer should be installed on a system with reliable connectivity to the network you want to discover. For internal networks, runZero works best when installed on a system with a wired (vs wireless) connection.
<![CDATA[Creating an account]]>
https://www.runzero.com/docs/creating-account/
2025-02-12T15:40:29+00:00
2025-02-12T15:40:29+00:00
To get started, you’ll need to sign up for a runZero account. The default account is a trial of the full runZero Platform. After the trial expires, you will have the option to convert to the free Community Edition or purchase a subscription.
<![CDATA[Getting started]]>
https://www.runzero.com/docs/getting-started/
2026-05-10T19:03:44+00:00
2026-05-10T19:03:44+00:00
To get started, you’ll need to sign up for a runZero account. The default account is a trial of the full runZero Platform. After the trial expires, you will have the option to convert to the free Community Edition or purchase a subscription.
<![CDATA[What is runZero?]]>
https://www.runzero.com/docs/what-is-runzero/
2026-05-01T22:14:59+00:00
2026-05-01T22:14:59+00:00
runZero
runZero will always grant the role with the highest permissions level. For example, let's say an account has a viewer role for all organizations, but they've been added to a user group that has a user role for all organizations. This user will now have user-level permissions for all organizations. If the user group expires, the user's role reverts back to their account-level role.
]]>Where there are multiple roles defined for a user, the access granted is based on most privilege. For example, if a user has user access by being in a group, but admin access assigned directly, they will be given admin privileges.
]]>By default, data is retained for up to 1 year in the runZero Platform. This can be increased to up to 3 years for active subscriptions. The runZero Community Edition is limited to 30 days of retention.
]]>
In this diagram, an application load balancer (ALB) is terminating TLS and pointing to a target group that consists of two runZero servers, each in separate availability zones. The runZero servers use a multi-availability-zone PostgreSQL RDS instance, also configured for the same two availability zones, and both servers point to the same set of S3 storage buckets.
]]>The runZero self-hosted console runs on the same operating systems whether you are installing online or offline. See Self-hosting runZero — Supported operating systems for the full list (Ubuntu 18.04+, RHEL 7+, CentOS 7+, Oracle Linux 7+, Debian 9+, on x86_64).
Note that for offline installs, PostgreSQL packages must be available locally. The PostgreSQL.org RPM bundles linked below cover RHEL/CentOS 8, 9, and 10. On older or other distributions, supply PostgreSQL through your own offline mirror or use --distro-packages-only to install whatever PostgreSQL version your OS provides (must be PostgreSQL 14 or newer).
Background
The self-hosted version of runZero allows you to run the entire platform on-premises or within your own cloud environment. This platform is functionally identical to the hosted service, provides a fully-offline mode, and does not send any inventory data back to runZero.
While self-hosting is less common, here are a few reasons your company might choose to:
- ISO compliance requirement
- Other compliance requirement
- Prefer data on-premise
Self-hosting must be explicitly enabled for your account. Self-hosting is available if you have a runZero Platform license, or if you are running an initial trial for a platform license. Please contact your runZero sales representative for further information.
]]>Every organization has at least one site, but may have multiple sites. A site represents a distinct network segment, usually defined by addressing or accessibility. Sites in runZero do not necessarily correspond to physical sites or locations. Instead, they are used to represent distinct networks that may have overlapping address space. This allows for multiple sites to use the same RFC1918 space, something common in retail, while still being possible to differentiate their assets within the inventory.
]]>An organization represents a distinct entity; this can be your business, a specific department within your business, or one of your customers. All actions, tasks, Explorers, scans, and other objects managed by runZero are tied to specific organizations and isolated from each other.
Your active organization can be switched by using the dropdown selector at the top right of the runZero Console. If your default role is Viewer or higher, you can select All Organizations from the dropdown to view the data for all of your organizations in the Dashboard and Inventory. The Queries page also supports the All Organizations view. Pages that are not compatible with the All Organizations view will be hidden until a single organization is selected.
]]>Prior to starting this training, we have two recommendations:
- Superuser access to a runZero account. This can be a corporate account with a paid license, or you can use a personal email to create a community account which will make you the superuser.
- Completion of the runZero 101 training is also recommended so that you understand the context behind all of the administrative actions you will learn about in this training.
Introduction to the training
This video provides a brief introduction to what you will learn in this training.
]]>Each section includes an accompanying walkthrough and links to deeper documentation. runZero 201 covers advanced workflows, automation, and deployment planning.
Platform overview
Before using inventories, findings, reporting views, or dashboards, it’s important to understand the core concepts that shape how runZero organizes and processes data. This section provides short, conceptual introductions to:
]]>- Total attack surface visibility
- Full-spectrum exposure detection
- Risk prioritization and insights
- Compliance, Reporting, and KPIs
Total attack surface visibility
Achieving complete visibility is essential for understanding and managing your organization’s attack surface. This encompasses internal and external assets, cloud amd security tooling integrations, and passive discovery methods to ensure comprehensive oversight and proactive threat mitigation.
]]>This is a basic overview of how discovery will be done using Explorers and scanners. By default, one Explorer will be deployed with the goal of running discovery on as much of the network as possible. If needed, more Explorers can be added for areas the primary Explorer cannot get to. You can also use a scanner for offline environments where there is no internet connectivity.
]]>1. Identify key success outcomes
Total attack surface visibility
- Active discovery on all internal assets
- Active discovery on all externally facing assets
- Passive discovery and enrichment in key network segments
- Integrate with all cloud providers and other relevant data sources
Additional Resources
]]>Viewing all Explorers
For each Explorer, you can see:
- The Explorer status (whether it is communicating with runZero)
- The OS it is running on
- Its name
- Any site it is associated with
- Its IP addresses
- The software version it is running
- Whether the version of npcap installed is up-to-date, if the OS is Windows (see upgrading npcap below)
- The CPU architecture of the host machine
- Any tags associated with the Explorer
- The status of its last scan
- Its capabilities, like Chrome support
Screenshot capabilities
To capture screenshots, Chrome must be installed. You can check if an Explorer has screenshot capabilities by looking for the Chrome icon in the Capabilities column.
]]>In these types of scenarios, you can install a runZero Explorer on a Raspberry Pi and send the device to the location for them to plug into their network.
]]>To work around this issue, we have provided a shim MSI package that can be used with automated installers. This package has a valid Authenticode signature and can also be verified using the runZero Verifier.
Some components of the application still reference the name "Rumble" for backwards compatibility. All new installations will use runZero for directory, file, and user names.
To use this package, deploy it with the URL parameter specified as the organization-specific download URL from the runZero Console Explorers section.
For external network discovery, nearly any cloud provider with a reliable connection should do. If the runZero Explorer is installed in a container or virtualized system, ensure that it has direct access to the network (host networking in Docker, bridged networking in VMware, etc). SaaS customers with a Platform license can use the runZero hosted Explorers at no additional cost.
]]>Activating your account
After you sign up for an account, we’ll email you a link to activate your account. If you don’t see an email from us, check your spam folder.
]]>- Sign up for a runZero account
- Read up on creating an account for help activating your account, changing your password, and adding a profile picture.
- Once your account is set up, there are a couple of paths you can take to deploy runZero.
Quickstart guide
The quickstart path is ideal for those who want to jump into using runZero and explore its core functionalities. This section covers the initial setup, running basic scans, and configuring integrations.
]]>runZero is a total attack surface and exposure management platform that combines active scanning, passive discovery, and API integrations to deliver complete visibility into managed and unmanaged assets across IT, OT, IoT, cloud, mobile, and remote environments. runZero can be used as a hosted service (SaaS) or managed on-premise. The runZero stack consists of one more Consoles, linked Explorers that run as light-weight services on network points-of-presence, and a command-line tool that can be used for offline data collection. runZero can be managed through the web interface, via API, or for self-hosted customers, on the command line.
]]>