Exploitdb Exploits

4,751 exploits tracked across all sources.

CVE-2019-13358 EXPLOITDB HIGH python
Opencats < 0.9.4-3 - XXE
lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.
by Jake Ruston
CVSS 7.5
EIP-2026-107094 EXPLOITDB python
Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
by syntegris information solutions GmbH
EIP-2026-106669 EXPLOITDB python
e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)
by Halit AKAYDIN
CVE-2021-47789 EXPLOITDB HIGH python
Yenkee Yms 3029 Firmware - Out-of-Bounds Write
Yenkee Hornet Gaming Mouse driver GM312Fltr.sys contains a buffer overrun vulnerability that allows attackers to crash the system by sending oversized input. Attackers can exploit the driver by sending a 2000-byte buffer through DeviceIoControl to trigger a kernel-level system crash.
by Quadron Research Lab
CVSS 7.5
CVE-2021-47788 EXPLOITDB HIGH python
Websitebaker - Unrestricted File Upload
WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server.
by Halit AKAYDIN
CVSS 8.8
CVE-2021-41644 EXPLOITDB CRITICAL python
Online Food Ordering System - Unrestricted File Upload
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters.
by Abdullah Khawaja
CVSS 9.8
CVE-2021-41643 EXPLOITDB CRITICAL python
Church Management System - Unrestricted File Upload
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field.
by Abdullah Khawaja
CVSS 9.8
CVE-2021-34646 EXPLOITDB CRITICAL python
Booster For Woocommerce < 5.4.3 - Authentication Bypass
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.
by 0xB455
CVSS 9.8
EIP-2026-109109 EXPLOITDB python
Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
by boku
EIP-2026-107810 EXPLOITDB python
ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)
by Halit AKAYDIN
EIP-2026-106946 EXPLOITDB python
Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)
by Halit AKAYDIN
EIP-2026-105120 EXPLOITDB python
AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)
by Ricardo Ruiz
EIP-2026-111593 EXPLOITDB python VERIFIED
Purchase Order Management System 1.0 - Remote File Upload
by Aryan Chehreghani
CVE-2021-38833 EXPLOITDB CRITICAL python
PHPGurukul AVMS <1.0 - SQL Injection
SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE.
by mari0x00
CVSS 9.8
CVE-2021-24040 EXPLOITDB CRITICAL python
Facebook Parlai < 1.1.0 - Insecure Deserialization
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
by Abhiram V
CVSS 9.8
EIP-2026-113687 EXPLOITDB python
Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
by spacehen
EIP-2026-114104 EXPLOITDB python
WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)
by Mohin Paramasivam
CVE-2021-47791 EXPLOITDB HIGH python
Smartftp - Resource Allocation Without Limits
SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface.
by Eric Salario
CVSS 7.5
EIP-2026-110492 EXPLOITDB python
Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload
by a-rey
EIP-2026-110491 EXPLOITDB python
Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting
by a-rey
CVE-2021-39608 EXPLOITDB HIGH python
Flatcore-cms - Unrestricted File Upload
Remote Code Execution (RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user execute arbitrary PHP code.
by Mason Soroka-Gill
CVSS 7.2
CVE-2021-47793 EXPLOITDB HIGH python VERIFIED
Telegram Desktop - Resource Allocation Without Limits
Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash.
by Aryan Chehreghani
CVSS 7.5
EIP-2026-112769 EXPLOITDB python
Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
by Tagoletta
CVE-2021-26084 EXPLOITDB CRITICAL python
Atlassian Confluence Server and Data Center - OGNL Injection
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
by Fellipe Oliveira
CVSS 9.8
CVE-2020-5811 EXPLOITDB MEDIUM python
Umbraco CMS <=8.9.1 - Path Traversal
An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package.
by BitTheByte
CVSS 6.5