CraCkEr

101 exploits, active since Mar 2007
CVE-2006-7128 EXPLOITDB WORKING POC
JAF CMS 4.0 RC1 - Code Injection
PHP remote file inclusion vulnerability in forum/forum.php in JAF CMS 4.0 RC1 allows remote attackers to execute arbitrary PHP code via a URL in the website parameter.
CVE-2025-71179 EXPLOITDB MEDIUM text WORKING POC
Creativeitem Academy Lms - XSS
Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. These vulnerabilities are distinct from the patch for CVE-2023-4119, which only fixed XSS in query and sort_by parameters to the /academy/home/courses endpoint.
CVSS 6.1
CVE-2023-53882 EXPLOITDB text WORKING POC
JLex GuestBook 1.6.4 - XSS
JLex GuestBook 1.6.4 contains a reflected cross-site scripting vulnerability in the 'q' URL parameter that allows attackers to inject malicious scripts. Attackers can craft malicious links with XSS payloads to steal session tokens or execute arbitrary JavaScript in victims' browsers.
CVE-2023-53876 EXPLOITDB MEDIUM text WORKING POC
Academy LMS 6.1 - XSS
Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code.
CVSS 5.4
CVE-2009-2218 EXPLOITDB text WORKING POC
phpCollegeExchange 0.1.5c - RCE
Multiple PHP remote file inclusion vulnerabilities in phpCollegeExchange 0.1.5c, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the home parameter to (1) i_head.php, (2) i_nav.php, (3) user_new_2.php, or (4) house/myrents.php; or (5) allbooks.php, (6) home.php, or (7) mybooks.php in books/. NOTE: house/myrents.php was also separately reported as a local file inclusion issue.
CVE-2009-2182 EXPLOITDB text WORKING POC
Campsite 3.3.0 RC1 - RCE
Multiple PHP remote file inclusion vulnerabilities in Campsite 3.3.0 RC1 allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[g_campsiteDir] parameter to (1) ad_popup.php, (2) camp_html.php, (3) init_content.php, (4) logout.php, (5) menu.php, and (6) set-author.php in admin-files/; (7) conf/liveuser_configuration.php; (8) include/phorum_load.php; (9) CommandProcessor.php and (10) index.php in admin-files/article_import; and (11) add.php, (12) add_move.php, (13) autopublish.php, and (14) autopublish_del.php in admin-files/articles/.
CVE-2009-2181 EXPLOITDB text WORKING POC
Campsite 3.3.0 RC1 - XSS
Cross-site scripting (XSS) vulnerability in admin-files/templates/list_dir.php in Campsite 3.3.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the listbasedir parameter.
CVE-2008-6635 EXPLOITDB text WORKING POC
Geody Dagger - Code Injection
PHP remote file inclusion vulnerability in skins/default.php in Geody Labs Dagger - The Cutting Edge r12feb2008, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the dir_inc parameter.
CVE-2008-5203 EXPLOITDB text WORKING POC
PowerAward 1.1.0 RC1 - XSS
Cross-site scripting (XSS) vulnerability in external_vote.php in PowerAward 1.1.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the l_vote_done parameter.
CVE-2006-7127 EXPLOITDB text WORKING POC
Salims Softhouse Jaf Cms - Code Injection
Multiple PHP remote file inclusion vulnerabilities in JAF CMS 4.0 and 4.0 RC2 allow remote attackers to execute arbitrary PHP code via a URL in the main_dir parameter to (1) forum/main.php and (2) forum/headlines.php.
CVE-2008-2984 EXPLOITDB text WORKING POC
Cmreams Cms - XSS
Cross-site scripting (XSS) vulnerability in backend/umleitung.php in CMReams CMS 1.3.1.1 Beta 2 allows remote attackers to inject arbitrary web script or HTML via the lang[be_red_text] parameter.
CVE-2008-2981 EXPLOITDB text WORKING POC
Homeph Design - Code Injection
PHP remote file inclusion vulnerability in admin/templates/template_thumbnail.php in HomePH Design 2.10 RC2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the thumb_template parameter.
CVE-2008-2980 EXPLOITDB text WORKING POC
Homeph Design - XSS
Multiple cross-site scripting (XSS) vulnerabilities in HomePH Design 2.10 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) error_meldung parameter to admin/features/register/register.php, the (2) feature_language[ueberschrift] parameter to admin/features/memberlist/memberlist.php, the (3) language_array[ueberschrift] parameter to admin/features/lostpassword/lostpassword.php, the (4) language_feature[titel] parameter to admin/features/kalender/eingabe.php, and the (5) language_feature[bildmenu] parameter to admin/features/fotogalerie/eingabe.php.
CVE-2008-2978 EXPLOITDB text WORKING POC
Ourvideocms Ourvideo Cms - Path Traversal
Directory traversal vulnerability in phpi/rss.php in Ourvideo CMS 9.5, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the prefix parameter.
CVE-2008-2977 EXPLOITDB text WORKING POC
Ourvideo Cms - Code Injection
Multiple PHP remote file inclusion vulnerabilities in Ourvideo CMS 9.5 allow remote attackers to execute arbitrary PHP code via a URL in the include_connection parameter to (1) edit_top_feature.php and (2) edit_topics_feature.php in phpi/.
CVE-2008-2975 EXPLOITDB text WRITEUP
Tinx Cms - XSS
Cross-site scripting (XSS) vulnerability in admin/objects/obj_image.php in TinX/cms 1.1 allows remote attackers to inject arbitrary web script or HTML via the language parameter.
CVE-2008-2973 EXPLOITDB text WRITEUP
MM Chat - XSS
Multiple cross-site scripting (XSS) vulnerabilities in chathead.php in MM Chat 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) sitename and (2) wmessage parameters.
CVE-2008-5947 EXPLOITDB text WRITEUP
PHP - RCE
PHP remote file inclusion vulnerability in include/class_yapbbcooker.php in YapBB 1.2.Beta 2 allows remote attackers to execute arbitrary PHP code via a URL in the cfgIncludeDirectory parameter.
EIP-2026-113478 EXPLOITDB text WORKING POC
WordPress adivaha Travel Plugin 2.3 - SQL Injection
EIP-2026-113477 EXPLOITDB text WORKING POC
WordPress adivaha Travel Plugin 2.3 - Reflected XSS
EIP-2026-112943 EXPLOITDB text WORKING POC
Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)
CVE-2008-3603 EXPLOITDB text WORKING POC
Vacation Rental Script 3.0 - SQL Injection
SQL injection vulnerability in index.php in Vacation Rental Script 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a sections action.
EIP-2026-112562 EXPLOITDB text WORKING POC
taskhub 2.8.7 - SQL Injection
EIP-2026-112690 EXPLOITDB text WRITEUP
Time Slot Booking Calendar 1.8 - Stored Cross-Site Scripting (XSS)
CVE-2008-2976 EXPLOITDB text WRITEUP
Tinx Cms - Path Traversal
Multiple directory traversal vulnerabilities in TinX/cms 1.1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) language parameter to (a) include_me.php, (b) admin/ajax.php, and (c) admin/objects/catalog.ajaxhandler.php; and the (2) prefix parameter to (d) admin/inc/config.php.