Exploitdb Exploits

4,751 exploits tracked across all sources.

CVE-2021-47794 EXPLOITDB HIGH python
ZesleCP < 3.1.9 - OS Command Injection
ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host.
by numan türle
CVSS 8.8
EIP-2026-104455 EXPLOITDB python
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
by Musyoka Ian
CVE-2019-19609 EXPLOITDB HIGH python
Strapi <3.0.0-beta.17.8 - RCE
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
by David Utón
CVSS 7.2
CVE-2019-18818 EXPLOITDB CRITICAL python
Strapi CMS Unauthenticated Password Reset
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
by David Anglada
CVSS 9.8
EIP-2026-103331 EXPLOITDB python
Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)
by numan türle
EIP-2026-102932 EXPLOITDB python
MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)
by ninpwn
EIP-2026-104219 EXPLOITDB python
CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
by numan türle
EIP-2026-113877 EXPLOITDB python
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)
by Matheus Alexandre
EIP-2026-110136 EXPLOITDB python
Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)
by Justin White
CVE-2021-3441 EXPLOITDB MEDIUM python
HP Officejet 7110 Firmware - XSS
A potential security vulnerability has been identified for the HP OfficeJet 7110 Wide Format ePrinter that enables Cross-Site Scripting (XSS).
by Tyler Butler
CVSS 4.8
EIP-2026-111680 EXPLOITDB python
RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
by Moritz Gruber
EIP-2026-110198 EXPLOITDB python
Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
by Halit AKAYDIN
CVE-2023-27040 EXPLOITDB CRITICAL python
Simple Image Gallery v1.0 - RCE
Simple Image Gallery v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the username parameter.
by Tagoletta
CVSS 9.8
CVE-2006-1236 EXPLOITDB python
CrossFire 1.9.0 - RCE
Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010.
by Khaled Salem
CVE-2021-38841 EXPLOITDB HIGH python
Simple Water Refilling Station Management System 1.0 - RCE
Remote Code Execution can occur in Simple Water Refilling Station Management System 1.0 via the System Logo option on the system_info page in classes/SystemSettings.php with an update_settings action.
by Matt Sorrell
CVSS 8.8
CVE-2021-38840 EXPLOITDB CRITICAL python
Simple Water Refilling Station Management System 1.0 - SQL Injection
SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter.
by Matt Sorrell
CVSS 9.8
CVE-2021-38834 EXPLOITDB HIGH python
easy-mock <1.6.0 - Command Injection
easy-mock v1.5.0-v1.6.0 allows remote attackers to bypass the vm2 sandbox and execute arbitrary system commands through special js code.
by LionTree
CVSS 8.8
CVE-2021-4466 EXPLOITDB HIGH python
IPCop <2.1.9 - Authenticated RCE
IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise.
by Mücahit Saratar
CVE-2020-35848 EXPLOITDB CRITICAL python
Agentejo Cockpit < 0.11.2 - SQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.
by Brian Ombongi
CVSS 9.8
CVE-2021-29281 EXPLOITDB CRITICAL python
GFI Archiver < 15.2 - Unrestricted File Upload
File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.
by Amin Bohio
CVSS 9.8
EIP-2026-109583 EXPLOITDB python
Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)
by lanz
CVE-2020-7246 EXPLOITDB HIGH python VERIFIED
qdPM < 9.1 - Path Traversal
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.
by Leon Trappett
CVSS 8.8
EIP-2026-107651 EXPLOITDB python
Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)
by Merbin Russel
CVE-2021-29995 EXPLOITDB HIGH python
CloverDX <5.9.0 - CSRF
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1, CloverDX 5.8.2, and CloverDX 5.7.1.
by niebardzo
CVSS 8.8
EIP-2026-106935 EXPLOITDB python
Event Registration System with QR Code 1.0 - Authentication Bypass
by Javier Olmedo