Python Exploits
5,750 exploits tracked across all sources.
Arubanetworks Instant < 6.4.4.8-4.2.4.18 - OS Command Injection
A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
by Aleph Security
CVSS 8.1
Webmin - CSRF
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature.
by Mesh3l_911
CVSS 8.8
Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload
by Luca Bernardi
Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE
by Eleonora Guardini
Online Covid Vaccination Scheduler System - Unrestricted File Upload
Sourcecodester Online Covid Vaccination Scheduler System 1.0 is affected vulnerable to Arbitrary File Upload. The admin panel has an upload function of profile photo accessible at http://localhost/scheduler/admin/?page=user. An attacker could upload a malicious file such as shell.php with the Content-Type: image/png. Then, the attacker have to visit the uploaded profile photo to access the shell.
by faisalfs10x
CVSS 9.8
Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
by Ron Jost
Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)
by Davide \'yth1n\' Bianchin
Plainview Activity Monitor < 20180826 - OS Command Injection
The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.
by Beren Kuday GÖRÜN
CVSS 8.8
Rocket.Chat <3.14 - SQL Injection
A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.
by enox
CVSS 9.8
Pallets Werkzeug <0.15.5 - Path Traversal
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
by faisalfs10x
CVSS 7.5
WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal
by TheSmuggler
Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated)
by Talha DEMİRSOY
Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)
by SivertPL
Black Box Kvm Extender 3.4.31307 - Local File Inclusion
by Ferhat Çil
Simple Client Management System 1.0 - RCE
A Remote Code Execution (RCE) vulnerability exists in Simple Client Management System 1.0 in create.php due to the failure to validate the extension of the file being sent in a request.
by Ishan Saha
CVSS 9.8
Backup-guard Backup Guard < 1.6.0 - Unrestricted File Upload
The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
by Ron Jost
CVSS 7.2
TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)
by Mevlüt Akçam
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)
by Geiseric
Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE)
by LiquidWorm
Webnus Modern Events Calendar Lite < 5.16.5 - Unrestricted File Upload
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
by Ron Jost
CVSS 7.2
Webnus Modern Events Calendar Lite < 5.16.5 - Improper Access Control
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.
by Ron Jost
CVSS 7.5
Xcloner < 4.2.13 - Incorrect Authorization
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
by Ron Jost
CVSS 9.9
Phpabook - SQL Injection
phpABook 0.9i is vulnerable to SQL Injection due to insufficient sanitization of user-supplied data in the "auth_user" parameter in index.php script.
by Alejandro Perez
CVSS 9.8
Apache Superset 1.1.0 - Time-Based Account Enumeration
by Dolev Farhi
By Source