Python Exploits

5,738 exploits tracked across all sources.

Sort: Activity Stars
CVE-2023-43131 EXPLOITDB CRITICAL python
General Device Manager 2.5.2.2 - Buffer Overflow
General Device Manager 2.5.2.2 is vulnerable to Buffer Overflow.
by Ahmet Ümit BAYRAM
CVSS 9.8
CVE-2023-39147 EXPLOITDB HIGH python VERIFIED
Uvdesk 1.1.3 - RCE
An arbitrary file upload vulnerability in Uvdesk 1.1.3 allows attackers to execute arbitrary code via uploading a crafted image file.
by Daniel Barros
CVSS 7.8
CVE-2023-53888 EXPLOITDB HIGH python
Zomplog 3.9 - RCE
Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the saveE and rename actions in the application.
by Mirabbas Ağalarov
CVSS 8.8
CVE-2023-2636 EXPLOITDB HIGH python VERIFIED
AN_GradeBook <5.0.1 - SQL Injection
The AN_GradeBook WordPress plugin through 5.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber
by Lukas Kinneberg
CVSS 8.8
EIP-2026-117828 EXPLOITDB python
RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
by Andre Nogueira
CVE-2023-53895 EXPLOITDB CRITICAL python
PimpMyLog 1.7.14 - XSS
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.
by thoughtfault
CVSS 9.8
CVE-2023-53894 EXPLOITDB CRITICAL python
phpfm 1.7.9 - Auth Bypass
phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.
by thoughtfault
CVSS 9.8
EIP-2026-108905 EXPLOITDB python
Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)
by qw3rTyTy
CVE-2023-1258 EXPLOITDB MEDIUM python
ABB Flow-x/m Firmware < 3.2.6 - Information Disclosure
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ABB Flow-X firmware on Flow-X embedded hardware (web service modules) allows Footprinting.This issue affects Flow-X: before 4.0.
by Paul Smith
CVSS 5.3
CVE-2022-28171 EXPLOITDB HIGH python
Hikvision Ds-a71024 Firmware < 2.3.8-6 - Command Injection
The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.
by Thurein Soe
CVSS 7.5
EIP-2026-111359 EXPLOITDB python
Pluck v4.7.18 - Remote Code Execution (RCE)
by Mirabbas Ağalarov
CVE-2022-24715 EXPLOITDB HIGH python
Icinga Web 2 <2.8.6-2.10 - Authenticated RCE
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
by Dante Corona
CVSS 8.5
CVE-2022-22963 EXPLOITDB CRITICAL python
Vmware Spring Cloud Function < 3.1.6 - Remote Code Execution
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
by GatoGamer1155
CVSS 9.8
CVE-2023-33592 EXPLOITDB CRITICAL python
Lost and Found Information System v1.0 - SQL Injection
Lost and Found Information System v1.0 was discovered to contain a SQL injection vulnerability via the component /php-lfis/admin/?page=system_info/contact_information.
by Amirhossein Bahramizadeh
CVSS 9.8
EIP-2026-107411 EXPLOITDB python
Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
by Omer Shaik
CVE-2023-36346 EXPLOITDB MEDIUM python
POS Codekop v2.0 - XSS
POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php.
by Amirhossein Bahramizadeh
CVSS 6.1
CVE-2023-24078 EXPLOITDB HIGH python
Real Time Logic FuguHub <8.1 - RCE
Real Time Logic FuguHub v8.1 and earlier was discovered to contain a remote code execution (RCE) vulnerability via the component /FuguHub/cmsdocs/.
by redfire359
CVSS 8.8
CVE-2023-36355 EXPLOITDB CRITICAL python
TP-Link TL-WR940N V4 - Buffer Overflow
TP-Link TL-WR940N V4 was discovered to contain a buffer overflow via the ipStart parameter at /userRpm/WanDynamicIpV6CfgRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
by Amirhossein Bahramizadeh
CVSS 9.9
CVE-2023-30198 EXPLOITDB HIGH python
Webbax Winbizpayment < 1.0.2 - Path Traversal
Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php.
by Amirhossein Bahramizadeh
CVSS 7.5
CVE-2023-23408 EXPLOITDB MEDIUM python
Microsoft Azure Hdinsight - XSS
Azure Apache Ambari Spoofing Vulnerability
by Amirhossein Bahramizadeh
CVSS 4.5
CVE-2023-53907 EXPLOITDB MEDIUM python
Bludit <3.13.1 - Authenticated File Download
Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit the plugin's download functionality by manipulating file path parameters to read sensitive system files through directory traversal.
by Antonio Cuomo
CVSS 6.5
CVE-2020-11560 EXPLOITDB HIGH python
Nchsoftware Express Invoice - Insufficiently Protected Credentials
NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file.
by Tejas Pingulkar
CVSS 7.8
CVE-2022-47076 EXPLOITDB HIGH python
Smart Office Web <20.28 - Info Disclosure
An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to view sensitive information via DisplayParallelLogData.aspx.
by Tejas Pingulkar
CVSS 7.5
CVE-2023-3320 EXPLOITDB MEDIUM python
WP Sticky Social <1.0.2 - CSRF
The WP Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation in the ~/admin/views/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
by Amirhossein Bahramizadeh
CVSS 6.1
CVE-2023-2779 EXPLOITDB MEDIUM python VERIFIED
Heator Social Share, Social Login And Social Comments < 7.13.52 - XSS
The Social Share, Social Login and Social Comments WordPress plugin before 7.13.52 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
by Amirhossein Bahramizadeh
CVSS 6.1
By Source
All 5,738 Exploitdb 50,121 Writeup 46,751 Nomisec 21,199 Metasploit 3,189 Github 2,250 Vulncheck_xdb 900 Inthewild 518 Gitlab 439 Gitee 415 Patchapalooza 312
By Language
text 31,341 ruby 5,920 python 5,738 c 3,550 perl 2,854 html 2,054 php 1,334 bash 459 java 360 javascript 260 c++ 247 shell 68 go 41 postscript 25 xml 24