Python Exploits

5,770 exploits tracked across all sources.

CVE-2020-37009 EXPLOITDB HIGH python
MedDream PACS Server 6.8.3.751 - Authenticated RCE
MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. Attackers can exploit the uploadImage.php endpoint by authenticating and uploading a PHP shell to execute arbitrary system commands with elevated privileges.
by bzyo
CVSS 8.8
CVE-2020-36885 EXPLOITDB CRITICAL python
Sony IPELA Network Camera 1.82.01 - RCE
Sony IPELA Network Camera 1.82.01 contains a stack buffer overflow vulnerability in the ftpclient.cgi endpoint that allows remote attackers to execute arbitrary code. Attackers can exploit the vulnerability by sending a crafted POST request with oversized data to the FTP client functionality, potentially causing remote code execution or denial of service.
by LiquidWorm
CVSS 9.8
CVE-2020-37010 EXPLOITDB CRITICAL python
BearShare Lite 5.2.5 - Buffer Overflow
BearShare Lite 5.2.5 contains a buffer overflow vulnerability in the Advanced Search keywords input that allows attackers to execute arbitrary code. Attackers can craft a specially designed payload to overwrite the EIP register and execute shellcode by pasting malicious content into the search keywords field.
by Christian Vierschilling
CVSS 9.8
CVE-2018-6892 EXPLOITDB CRITICAL python
Cloudme Sync < 1.10.9 - Memory Corruption
An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.
by boku
CVSS 9.8
EIP-2026-113352 EXPLOITDB python
WebsiteBaker 2.12.2 - Remote Code Execution
by Enesdex
CVE-2020-15922 EXPLOITDB CRITICAL python
Midasolutions Eframework < 2.9.0 - OS Command Injection
There is an OS Command Injection in Mida eFramework 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. Authentication is required.
by elbae
CVSS 9.8
CVE-2020-25761 EXPLOITDB MEDIUM python
Projectworlds Visitor Management System - XSS
Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject JavaScript payloads into the parameters to perform various attacks, such as stealing cookies or other sensitive information.
by Rahul Ramkumar
CVSS 6.1
CVE-2018-17431 EXPLOITDB CRITICAL python
Comodo UTM Firewall < 2.7.0 - RCE
Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.
by Milad Fadavvi
CVSS 9.8
EIP-2026-104181 EXPLOITDB python
B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
by LiquidWorm
CVE-2020-15921 EXPLOITDB CRITICAL python
Midasolutions Eframework < 2.9.0 - Authentication Bypass
Mida eFramework through 2.9.0 has a back door that permits a change of the administrative password and access to restricted functionalities, such as Code Execution.
by elbae
CVSS 9.8
CVE-2019-15715 EXPLOITDB HIGH python
Mantisbt < 1.3.20 - OS Command Injection
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
by Nikolas Geiselman
CVSS 7.2
CVE-2020-11804 EXPLOITDB HIGH python
Titanhq Spamtitan - Code Injection
An issue was discovered in Titan SpamTitan 7.07. Due to improper sanitization of the parameter quid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request.
by Felipe Molina
CVSS 8.8
CVE-2020-0618 EXPLOITDB HIGH python
Microsoft Sql Server - Insecure Deserialization
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
by West Shepherd
CVSS 8.8
CVE-2020-37011 EXPLOITDB HIGH python
Gnome Fonts Viewer 3.34.0 - Memory Corruption
Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability that allows attackers to trigger an out-of-bounds write by crafting a malicious TTF font file. Attackers can generate a specially crafted TTF file with an oversized pattern to cause an infinite malloc() loop and potentially crash the gnome-font-viewer process.
by Cody Winkler
CVSS 7.5
CVE-2020-10229 EXPLOITDB HIGH python
Vtenext - CSRF
A CSRF issue in vtecrm vtenext 19 CE allows attackers to carry out unwanted actions on an administrator's behalf, such as uploading files, adding users, and deleting accounts.
by Marco Ruela
CVSS 8.8
CVE-2020-10228 EXPLOITDB HIGH python
Vtenext - Unrestricted File Upload
A file upload vulnerability in vtecrm vtenext 19 CE allows authenticated users to upload files with a .pht extension, resulting in remote code execution.
by Marco Ruela
CVSS 8.8
CVE-2020-10227 EXPLOITDB MEDIUM python
Vtenext - XSS
A cross-site scripting (XSS) vulnerability in the messages module of vtecrm vtenext 19 CE allows attackers to inject arbitrary JavaScript code via the From field of an email.
by Marco Ruela
CVSS 6.1
CVE-2019-11447 EXPLOITDB HIGH python VERIFIED
CutePHP CuteNews 2.1.2 - Code Injection
An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)
by Musyoka Ian
CVSS 8.8
EIP-2026-102049 EXPLOITDB python
Tiandy IPC and NVR 9.12.7 - Credential Disclosure
by zb3
CVE-2020-37013 EXPLOITDB HIGH python
Audio Playback Recorder 3.2.2 - Buffer Overflow
Audio Playback Recorder 3.2.2 contains a local buffer overflow vulnerability in the eject and registration parameters that allows attackers to execute arbitrary code. Attackers can craft malicious payloads and overwrite Structured Exception Handler (SEH) to execute shellcode when pasting specially crafted input into the application's input fields.
by Felipe Winsnes
CVSS 8.4
CVE-2020-14008 EXPLOITDB HIGH python
Zohocorp Manageengine Applications Manager - Unrestricted File Upload
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
by Hodorsec
CVSS 7.2
CVE-2020-11819 EXPLOITDB CRITICAL python
Rukovoditel - Path Traversal
In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.
by danyx07
CVSS 9.8
EIP-2026-116900 EXPLOITDB python
BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH_ASLR_DEP)
by emalp
EIP-2026-105985 EXPLOITDB python
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
by Luis Noriega
CVE-2020-36892 EXPLOITDB CRITICAL python
Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation
Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. Attackers can exploit the /messagebroker/amf endpoint to elevate privileges and take over user accounts by manipulating role settings without authentication.
by LiquidWorm
CVSS 9.8