漏洞复现专栏

下面每一张卡片都是神龙 Claude Code Agent 端到端复现的 CVE：读懂 PoC，在隔离的 Docker 沙箱里重建真实脆弱系统，发起真实攻击，并用 asciinema 录下全过程。出现 "VULNERABLE:" 行就是漏洞被成功触发的硬证据。

42 个漏洞已复现，并附实测录像

CVE-2025-62521CriticalCVSS 10.0

ChurchCRM 代码注入漏洞

ChurchCRM / CRM

成功标志:VULNERABLE: Unauthenticated RCE via setup wizard DB_PASSWORD injection. Proof: RCE_CONFIRMED_by_CVE-2025-62521

解锁完整 POC 步骤

CVE-2026-28229CriticalCVSS 9.8

Argo Workflows 安全漏洞

argoproj / argo-workflows

解锁完整 POC 步骤

CVE-2024-39914CriticalCVSS 9.8

FOGProject 安全漏洞

FOGProject / fogproject

成功标志:VULNERABLE: uid=33(www-data) — OS command injection via filename param in /fog/management/export.php

解锁完整 POC 步骤

CVE-2026-7538CriticalCVSS 9.8

TOTOLINK A8000RU 命令注入漏洞

Totolink / A8000RU

解锁完整 POC 步骤

CVE-2026-42880CriticalCVSS 9.6

Argo CD 信息泄露漏洞

argoproj / argo-cd

成功标志:

VULNERABLE: Extracted Kubernetes Secret via ArgoCD ServerSideDiff mechanism (CVE-2026-42880): password=S3cretP@ssw0rd!2024 username=admin

解锁完整 POC 步骤

CVE-2025-13607CriticalCVSS 9.4

D-Link DCS-F5614-L1 安全漏洞

D-Link / DCS-F5614-L1

成功标志:

VULNERABLE: Unauthenticated credential leak via /cgi-bin/config.cgi - admin password D1nk@dmin2024! exposed without authentication

解锁完整 POC 步骤

CVE-2024-32880CriticalCVSS 9.1

pyload 安全漏洞

pyload / pyload

成功标志:

VULNERABLE: RCE confirmed via Jinja2 SSTI in /web/ endpoint - command executed as: uid=0(root) gid=0(root) groups=0(root)

解锁完整 POC 步骤

CVE-2024-42366CriticalCVSS 9.1

VRCX 安全漏洞

vrcx-team / VRCX

成功标志:

VULNERABLE: XSS via unsanitized overlay notification image field led to RCE — /tmp/vrcx-rce-pwned created via CefSharp AppApiVr elevated binding

解锁完整 POC 步骤

CVE-2025-22146CriticalCVSS 9.1

Sentry 授权问题漏洞

getsentry / sentry

解锁完整 POC 步骤

CVE-2026-7675HighCVSS 8.8

Shenzhen Libituo Technology LBT-T300-HW1 缓冲区错误漏洞

Shenzhen Libituo Technology / LBT-T300-HW1

成功标志:VULNERABLE: Buffer overflow in apply.cgi start_lan via Channel parameter - process crashed (SIGSEGV/exit 139)

解锁完整 POC 步骤

CVE-2026-7674HighCVSS 8.8

LINBLE LBT-T300-HW1 缓冲区错误漏洞

Shenzhen Libituo Technology / LBT-T300-HW1

解锁完整 POC 步骤

CVE-2026-7548HighCVSS 8.8

TOTOLINK NR1800X 注入漏洞

Totolink / NR1800X

成功标志:VULNERABLE: uid=0(root) gid=0(root) groups=0(root) — command injection confirmed in setUssd handler

解锁完整 POC 步骤

CVE-2026-7513HighCVSS 8.8

UTT HiPER 1200GW 缓冲区错误漏洞

UTT / HiPER 1200GW

成功标志:

VULNERABLE: strcpy buffer overflow in /goform/formRemoteControl - 1800 byte payload overflowed 256-byte buffer (CVE-2026-7513)

解锁完整 POC 步骤

CVE-2026-7512HighCVSS 8.8

UTT HiPER 1200GW 缓冲区错误漏洞

UTT / HiPER 1200GW

成功标志:

VULNERABLE: strcpy buffer overflow in /goform/formUser - 2000-byte Profile copied into 256-byte buffer without bounds check

解锁完整 POC 步骤

CVE-2026-41490HighCVSS 8.3

Dagster SQL注入漏洞

dagster-io / dagster

成功标志:

VULNERABLE: SQL injection via dynamic partition key - 3 rows returned instead of 1, partition keys are interpolated unsanitized into SQL WHERE clauses

解锁完整 POC 步骤

CVE-2024-32883HighCVSS 7.7

MCUboot 安全漏洞

mcu-tools / mcuboot

成功标志:VULNERABLE: BOOT_RECORD TLV (type 0x60) injected into unprotected TLV area accepted

解锁完整 POC 步骤

CVE-2024-38514HighCVSS 7.4

NextChat 安全漏洞

ChatGPTNextWeb / ChatGPT-Next-Web

解锁完整 POC 步骤

CVE-2026-7670HighCVSS 7.3

Jinher OA 注入漏洞

成功标志:VULNERABLE: SQL injection via DeptIDList in UserSel.aspx leaked admin password: SuperSecret123!

解锁完整 POC 步骤

CVE-2026-7594HighCVSS 7.3

MCP Asset Generation Server 路径遍历漏洞

Flux159 / mcp-game-asset-gen

解锁完整 POC 步骤

CVE-2026-7593HighCVSS 7.3

command-executor MCP Server 命令注入漏洞

Sunwood-ai-labs / command-executor-mcp-server

成功标志:

VULNERABLE: OS command injection confirmed - read /etc/shadow via "ls ; cat /etc/shadow" VULNERABLE: OS command injection confirmed - read /etc/shadow via "ls ; cat /etc/shadow"

解锁完整 POC 步骤

CVE-2026-7579HighCVSS 7.3

AstrBot 安全漏洞

AstrBotDevs / AstrBot

成功标志:

VULNERABLE: Hard-coded credentials accepted - username=astrbot password=77b90590a8945a7d36c963981a307dc9 JWT_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ...

解锁完整 POC 步骤

CVE-2026-7592HighCVSS 7.3

itsourcecode Courier Management System 注入漏洞

itsourcecode / Courier Management System

成功标志:VULNERABLE: SQL injection in edit_staff.php ID parameter exposed secret: s3cret_admin_p@ss

解锁完整 POC 步骤

CVE-2026-7555HighCVSS 7.3

itsourcecode Electronic Judging System 注入漏洞

itsourcecode / Electronic Judging System

成功标志:

VULNERABLE: SQL injection in login.php Username parameter - bypassed authentication, leaked DB version: 10.5.29-MariaDB-0+deb11u1

解锁完整 POC 步骤

CVE-2026-7545HighCVSS 7.3

SourceCodester Advanced School Management System 注入漏洞

SourceCodester / Advanced School Management System

成功标志:VULNERABLE: SQL injection in checkEmail endpoint exposed secret: SCHOOL_SECRET_KEY_4BF2A9D8C1E7

解锁完整 POC 步骤

CVE-2026-7506HighCVSS 7.3

SourceCodester Hotel Management System 注入漏洞

SourceCodester / Hotel Management System

成功标志:

VULNERABLE: SQL injection confirmed - extracted secret_data=FLAG{sql_injection_successful}, password=supersecretpassword123 from admin_users table via room_type parameter

解锁完整 POC 步骤

CVE-2026-7413HighCVSS 7.2

Yarbo 安全漏洞

Yarbo / Firmware

成功标志:VULNERABLE: Root SSH access with hardcoded password hy@0886!# confirmed - uid=0(root) gid=0(root) groups=0(root)

解锁完整 POC 步骤

CVE-2026-7725MediumCVSS 6.3

Prefect 注入漏洞

PrefectHQ / prefect

成功标志:

VULNERABLE: uid=0(root) gid=0(root) groups=0(root) — RCE confirmed via git --upload-pack argument injection through commit_sha [trigger] Exploitation successful!

解锁完整 POC 步骤

CVE-2026-44500MediumCVSS 5.3

zebra 安全漏洞

ZcashFoundation / zebra

解锁完整 POC 步骤

CVE-2026-41417MediumCVSS 5.3

Netty 注入漏洞

成功标志:VULNERABLE: CRLF injection via DefaultHttpRequest.setUri() confirmed - HTTP request smuggling possible

解锁完整 POC 步骤

CVE-2026-2327MediumCVSS 5.3

Markdown-It 安全漏洞

n/a / markdown-it

成功标志:

VULNERABLE: ReDoS confirmed via /\*+$/ regex in markdown-it linkify - vulnerable regex took 4948ms vs 0ms for fixed code (50000 * chars payload)

解锁完整 POC 步骤

CVE-2020-15104MediumCVSS 4.6

Envoy 访问控制错误漏洞

envoyproxy / envoy

成功标志:

VULNERABLE: Wildcard SAN *.test.local incorrectly matched nested subdomain deep.sub.test.local (CVE-2020-15104). Envoy allowed the TLS connection.

解锁完整 POC 步骤

CVE-2022-3171MediumCVSS 4.3

Google protobuf 安全漏洞

Google LLC / Protocolbuffers

解锁完整 POC 步骤

CVE-2025-11143LowCVSS 3.7

Eclipse Jetty 输入验证错误漏洞

Eclipse Foundation / Eclipse Jetty

解锁完整 POC 步骤

CVE-2026-35537LowCVSS 3.7

Roundcube Webmail 代码问题漏洞

Roundcube / Webmail

解锁完整 POC 步骤

CVE-2021-46390中危

Lexar_F35 授权问题漏洞

成功标志:VULNERABLE: Auth bypass confirmed - accessed encryption_key=AES-256-KEY-a3f8b2c1d4e5f6071829 without valid password

解锁完整 POC 步骤

RabbitMQ 日志信息泄露漏洞

rabbitmq / rabbitmq-server

成功标志:

VULNERABLE: Basic Auth username logged in HTTP access log: 127.0.0.1 - guest [31/May/2026:10:04:08 +0000] "GET /api/overview HTTP/1.1" 200 2647 "" "curl/8.5.0"

解锁完整 POC 步骤

uuid 缓冲区错误漏洞

成功标志:

VULNERABLE: v3 silently wrote 5 bytes into undersized 5-byte buffer (needs 16) without RangeError. Partial UUID data: [69, 161, 19, 172, 199]

解锁完整 POC 步骤

CVE-2026-7259中危

PHP 代码问题漏洞

PHP Group / PHP

解锁完整 POC 步骤

Cockpit 代码问题漏洞

解锁完整 POC 步骤

CVE-2026-23631中危

Redis 资源管理错误漏洞

解锁完整 POC 步骤

Pi-hole 操作系统命令注入漏洞

Pi-hole LLC / Web

解锁完整 POC 步骤

CVE-2026-42469中危

Open-Vehicle-Monitoring-System-3 安全漏洞

成功标志:VULNERABLE: CANswitch DLC=196 overflows data.u8[8] buffer (memcpy 196 bytes into 8-byte buffer)

解锁完整 POC 步骤