Python Exploits
5,750 exploits tracked across all sources.
Simple Image Gallery v1.0 - RCE
Simple Image Gallery v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the username parameter.
by Tagoletta
CVSS 9.8
CrossFire 1.9.0 - RCE
Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010.
by Khaled Salem
Simple Water Refilling Station Management System 1.0 - RCE
Remote Code Execution can occur in Simple Water Refilling Station Management System 1.0 via the System Logo option on the system_info page in classes/SystemSettings.php with an update_settings action.
by Matt Sorrell
CVSS 8.8
Simple Water Refilling Station Management System 1.0 - SQL Injection
SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter.
by Matt Sorrell
CVSS 9.8
easy-mock <1.6.0 - Command Injection
easy-mock v1.5.0-v1.6.0 allows remote attackers to bypass the vm2 sandbox and execute arbitrary system commands through special js code.
by LionTree
CVSS 8.8
IPCop <2.1.9 - Authenticated RCE
IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise.
by Mücahit Saratar
Agentejo Cockpit < 0.11.2 - SQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.
by Brian Ombongi
CVSS 9.8
GFI Archiver < 15.2 - Unrestricted File Upload
File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.
by Amin Bohio
CVSS 9.8
Qdpm < 9.1 - Path Traversal
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.
by Leon Trappett
CVSS 8.8
Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)
by Merbin Russel
CloverDX <5.9.0 - CSRF
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1, CloverDX 5.8.2, and CloverDX 5.7.1.
by niebardzo
CVSS 8.8
Event Registration System with QR Code 1.0 - Authentication Bypass
by Javier Olmedo
PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
by S1lv3r
NoteBurner 2.35 - Buffer Overflow
NoteBurner 2.35 contains a buffer overflow vulnerability in the license code input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the 'Name' and 'Code' fields to trigger an application crash.
by stresser
CVSS 9.8
Leawo Prof. Media 11.0.0.1 - DoS
Leawo Prof. Media 11.0.0.1 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized payload in the activation keycode field. Attackers can generate a 6000-byte buffer of repeated characters to trigger an application crash when pasted into the registration interface.
by stresser
CVSS 7.5
Elastic Cloud Enterprise - Info Disclosure
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
by Joan Martinez
CVSS 7.5
Elasticsearch < 7.13.3 - Information Disclosure
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
by r0ny
CVSS 6.5
Microsoft .net Core < 15.9 - Remote Code Execution
A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
by Podalirius
CVSS 7.8
Webmin - XSS
Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature.
by Mesh3l_911
CVSS 9.6
Argussurveillance Dvr - Weak Encryption
Argus Surveillance DVR v4.0 employs weak password encryption.
by Salman Asad
CVSS 5.5
ForgeRock AM <7.0 - Code Injection
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier
by Photubias
CVSS 9.8
Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection
by Metin Yunus Kandemir
Aruba Instant <6.4.4.8-4.2.4.17 <6.5.4.18 <8.3.0.14 <8.5.0.11 - Remote Arbitrary File Modification
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
by Gr33nh4t
CVSS 6.5
Wordpress Popular Posts < 5.3.2 - Unrestricted File Upload
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.
by Simone Cristofaro
CVSS 8.8
By Source