cbcvebase.

Yogeshojha Rengine vulnerabilities

12 known vulnerabilities affecting yogeshojha/rengine.

Total CVEs
12
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH5MEDIUM4

Vulnerabilities

Page 1 of 1
CVE-2023-50094P2HIGHCVSS 8.8PoC≤ 2.0.22024-01-01
CVE-2023-50094 [HIGH] CWE-78 CVE-2023-50094: reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/waf_detector/?url= string. The commands are executed as root via subprocess.check_output.
nvd
CVE-2024-58287P2HIGHCVSS 8.8v2.2.02025-12-11
CVE-2024-58287 [HIGH] CWE-78 CVE-2024-58287: reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine co reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands. Attackers can modify the nmap_cmd parameter with malicious base64-encoded payloads to achieve remote code execution during scan engine configuration.
nvd
CVE-2022-36566P2CRITICALCVSS 9.8v1.3.02022-08-31
CVE-2022-36566 [CRITICAL] CWE-78 CVE-2022-36566: Rengine v1.3.0 was discovered to contain a command injection vulnerability via the scan engine funct Rengine v1.3.0 was discovered to contain a command injection vulnerability via the scan engine function.
nvd
CVE-2025-24968P3HIGHCVSS 8.8≤ 2.2.02025-02-04
CVE-2025-24968 [HIGH] CWE-284 CVE-2025-24968: reNgine is an automated reconnaissance framework for web applications. An unrestricted project delet reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as `penetration_tester` or `auditor` to delete all projects in the system. This can lead to a complete system takeover by redirecting the attacker to the onboarding page, where they can add or
nvd
CVE-2022-28995P3CRITICALCVSS 9.8v1.0.22022-05-20
CVE-2022-28995 [CRITICAL] CVE-2022-28995: Rengine v1.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the yaml co Rengine v1.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the yaml configuration function.
nvd
CVE-2025-24962P3HIGHCVSS 8.8v2.2.0≤ 2.2.02025-02-03
CVE-2025-24962 [HIGH] CWE-74 CVE-2025-24962: reNgine is an automated reconnaissance framework for web applications. In affected versions a user c reNgine is an automated reconnaissance framework for web applications. In affected versions a user can inject commands via the nmap_cmd parameters. This issue has been addressed in commit `c28e5c8d` and is expected in the next versioned release. Users are advised to filter user input and monitor the project for a new release.
nvd
CVE-2025-24899P3HIGHCVSS 7.5fixed in 2.2.02025-02-03
CVE-2025-24899 [HIGH] CWE-200 CVE-2025-24899: reNgine is an automated reconnaissance framework for web applications. A vulnerability was discovere reNgine is an automated reconnaissance framework for web applications. A vulnerability was discovered in reNgine, where **an insider attacker with any role** (such as Auditor, Penetration Tester, or Sys Admin) **can extract sensitive information from other reNgine users.** After running a scan and obtaining vulnerabilities from a target, the attacker
nvd
CVE-2021-38606P3CRITICALCVSS 9.8≤ 0.52021-08-12
CVE-2021-38606 [CRITICAL] CWE-330 CVE-2021-38606: reNgine through 0.5 relies on a predictable directory name. reNgine through 0.5 relies on a predictable directory name.
nvd
CVE-2025-61319P4MEDIUMCVSS 6.1≤ 2.2.02025-10-10
CVE-2025-61319 [MEDIUM] CWE-79 CVE-2025-61319: ReNgine thru 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability in the Vulnera ReNgine thru 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability in the Vulnerabilities module. When scanning a target with an XSS payload, the unsanitized payload is rendered in the ReNgine web UI, resulting in arbitrary JavaScript execution in the victim's browser. This can be abused to steal session cookies, perform unauthoriz
nvd
CVE-2025-24966P4MEDIUMCVSS 5.4≤ 2.2.02025-02-04
CVE-2025-24966 [MEDIUM] CWE-79 CVE-2025-24966: reNgine is an automated reconnaissance framework for web applications. HTML Injection occurs when an reNgine is an automated reconnaissance framework for web applications. HTML Injection occurs when an application improperly validates or sanitizes user inputs, allowing attackers to inject arbitrary HTML code. In this scenario, the vulnerability exists in the "Add Target" functionality of the application, where the Target Organization and Target Desc
nvd
CVE-2024-43381P4MEDIUMCVSS 5.4fixed in 2.1.3≤ 2.1.22024-08-16
CVE-2024-43381 [MEDIUM] CWE-79 CVE-2024-43381: reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are susceptible to Stored Cross-Site Scripting (XSS) attacks. This vulnerability occurs when scanning a domain, and if the target domain's DNS record contains an XSS payload, it leads to the execution of malicious scripts in the reNgine's dashboard view whe
nvd
CVE-2025-24967P4MEDIUMCVSS 5.4≤ 2.2.02025-02-04
CVE-2025-24967 [MEDIUM] CWE-79 CVE-2025-24967: reNgine is an automated reconnaissance framework for web applications. A stored cross-site scripting reNgine is an automated reconnaissance framework for web applications. A stored cross-site scripting (XSS) vulnerability exists in the admin panel's user management functionality. An attacker can exploit this issue by injecting malicious payloads into the username field during user creation. This vulnerability allows unauthorized script execution whe
nvd
Yogeshojha Rengine vulnerabilities | cvebase