Valve Steam remote code execution. This vulnerability works for all Source Engine games. Exploitation video:

A root privilege escalation vulnerability in the Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface allows unauthorised access to privileged content via an unspecified vector. It affects the 1000 and 2000 devices 6.0.x up to Build 446, 6.1.x up to Build 492, and 7.0.x up to Build 485. It affects the SWe Lite devices 6.1.x up to Build 111 and 7.0.x up to Build 140.

POC and analysis of Windows IPv6 Fragmentation Vulnerability (CVE-2021-24086): https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html
Another POC is here: https://github.com/0vercl0k/CVE-2021-24086

Exploit for CVE-2020-16040, a Google Chrome <= 87.0.4280.88 vulnerability: https://github.com/r4j0x00/exploits/tree/master/CVE-2020-16040

CVE-2019-8761 is an interesting macOS bug that lets attackers execute HTML within a TXT file, leak files, and do all sorts of other funky things: https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html

Zoom Unintended Screen Sharing Vulnerability POC:

This looks like a false positive, because:
* obtaining the MS AJAX framework script is not a security vulnerability - it is a publicly available script that can also be served from the standard webresource handler
* the presence of code that contains the `true` keyword (which is a reserved word in JavaScript as well) does not prove a command was executed on the server
* the Telerik WebResource handler is supposed to combine scripts based on server settings and the fact that requesting the handler returns Telerik code is not a vulnerability by itself - this is also code that is publicly available (for example, from the Telerik CDN) and it is a JavaScript code that is not generated based on

I. VULNERABILITY
-------------------------
Data Manipulation with X-Forwarded-For header at WordPress

II. CVE REFERENCE
-------------------------
CVE-2020-35539

III. VENDOR
-------------------------
https://wordpress.org

IV. TIMELINE
-------------------------
20/12/2020 Vulnerability discovered
21/12/2020 Vendor contacted
09/03/2021 CVE Assigned

V. CREDIT
-------------------------
Alphan Yavas

VI. DESCRIPTION
-------------------------
"X-Forwarded-For" is an HTTP header used to carry the client's original IP address. However, because these headers may very well be added by the client to the requests, if the systems/devices use IP addresses which decelerate at X

CVE-2021-21327, recently found in GLPI by Iterasec, allows remote PHP object instantiation. Technical writeup and exploit included for research purposes: https://iterasec.com/cve-2021-21327-unsafe-reflection-in-getitemforitemtype-in-glpi/

Shodan dork of CVE-2021-21972 VMware vCenter Server vSphere Client Remote Code Execution: https://www.shodan.io/search?query=http.title:%22ID_VC_Welcome%22