Text Exploits

31,386 exploits tracked across all sources.

CVE-2020-37072 EXPLOITDB HIGH text
Victor CMS 1.0 - Stored Cross-Site Scripting via Comment Author Parameter
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers.
by Kishan Lal Choudhary
CVSS 7.2
CVE-2020-14960 EXPLOITDB HIGH text
php-fusion 9.03.50 - SQL Injection via Comments Administration Endpoint ctype Parameter
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter,
by SunCSR
CVSS 7.2
CVE-2020-13157 EXPLOITDB MEDIUM text
NukeViet 4.4 - Cross-Site Request Forgery via User Edit URI
modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.
by JEBARAJ
CVSS 6.5
CVE-2020-13156 EXPLOITDB MEDIUM text
NukeViet 4.4 - Cross-Site Request Forgery via User Add Admin Endpoint
modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.
by JEBARAJ
CVSS 6.5
CVE-2020-13155 EXPLOITDB HIGH text
NukeViet 4.4 - Cross-Site Request Forgery via clearsystem.php deltype Parameter
clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.
by JEBARAJ
CVSS 8.8
EIP-2026-113076 EXPLOITDB text
Victor CMS 1.0 - 'cat_id' SQL Injection
by Kishan Lal Choudhary
CVE-2020-12882 EXPLOITDB MEDIUM text
Submitty <= 20.04.01 - Cross-Site Scripting via SVG Upload
Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a Student against a Teaching Fellow.
by humblelad
CVSS 5.4
EIP-2026-111612 EXPLOITDB text
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting
by Kishan Lal Choudhary
CVE-2020-36998 EXPLOITDB MEDIUM text
Forma.lms The E-Learning Suite 2.3.0.2 - XSS
Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Because input is not properly sanitized, attackers can inject malicious scripts into the course code, name, and description fields and the email parameter to execute arbitrary JavaScript.
by Daniel Ortiz
CVSS 6.4
CVE-2020-13384 EXPLOITDB HIGH text
Monstra CMS 3.0.4 - Authenticated Arbitrary PHP File Upload via .php7 Extension
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.
by Kishan Lal Choudhary
CVSS 8.8
EIP-2026-113548 EXPLOITDB text
WordPress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
by Nguyen Khang
EIP-2026-110111 EXPLOITDB text
Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
by Daniel Monzón
EIP-2026-110110 EXPLOITDB text
Online Healthcare management system 1.0 - Authentication Bypass
by BKpatron
EIP-2026-110097 EXPLOITDB text
Online Examination System 1.0 - 'eid' SQL Injection
by BKpatron
EIP-2026-110067 EXPLOITDB text
online Chatting System 1.0 - 'id' SQL Injection
by BKpatron
CVE-2020-7209 EXPLOITDB CRITICAL text
HP LinuxKI < 6.0-2 - Remote Code Execution
LinuxKI v6.0-1 and earlier is vulnerable to a remote code execution which is resolved in release 6.0-2.
by Cody Winkler
CVSS 9.8
CVE-2019-3025 EXPLOITDB CRITICAL text
Oracle Food and Beverage Apps <5.7 - RCE
Vulnerability in the Oracle Hospitality RES 3700 component of Oracle Food and Beverage Applications. The supported version that is affected is 5.7. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality RES 3700. While the vulnerability is in Oracle Hospitality RES 3700, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality RES 3700. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
by Walid Faour
CVSS 9.0
CVE-2020-13118 EXPLOITDB CRITICAL text
Mikrotik Router Monitoring System <2018-10-22 - SQL Injection
An issue was discovered in Mikrotik-Router-Monitoring-System through 2018-10-22. SQL Injection exists in check_community.php via the parameter community.
by jul10l1r4
CVSS 9.8
CVE-2019-15083 EXPLOITDB MEDIUM text
ManageEngine ServiceDesk Plus < 10500 - Stored Cross-Site Scripting via Workstation Software Name
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the ManageEngine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator views this page.
by Felipe Molina
CVSS 6.1
EIP-2026-106624 EXPLOITDB text
E-Commerce System 1.0 - Unauthenticated Remote Code Execution
by SunCSR
EIP-2026-101892 EXPLOITDB text
Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution
by Seecko Das
CVE-2020-37014 EXPLOITDB MEDIUM text
Tryton < 5.4 - Stored Cross-Site Scripting via User Profile Name Input
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.
by Vulnerability-Lab
CVSS 6.4
CVE-2020-37003 EXPLOITDB MEDIUM text
Sellacious eCommerce < 4.6 - Stored Cross-Site Scripting in Manage Your Addresses Module
Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules.
by Vulnerability-Lab
CVSS 6.4
CVE-2020-37019 EXPLOITDB MEDIUM text
Orchard Core RC1 - Stored Cross-Site Scripting via Blog Post MarkdownBodyPart.Source Parameter
Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers.
by SunCSR
CVSS 6.4
CVE-2020-11530 EXPLOITDB CRITICAL text
idangero chop_slider - Blind SQL Injection via id GET Parameter
A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.
by SunCSR
CVSS 9.8