Text Exploits

31,346 exploits tracked across all sources.

CVE-2021-47738 EXPLOITDB MEDIUM text
Cszcms Csz Cms - XSS
CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message in the backend dashboard.
by Metin Yunus Kandemir
CVSS 5.4
CVE-2021-47737 EXPLOITDB MEDIUM text
Cszcms Csz Cms - XSS
CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks.
by Metin Yunus Kandemir
CVSS 5.4
CVE-2020-36906 EXPLOITDB MEDIUM text
P5 FNIP-8x16A FNIP-4xSH 1.0.20 - CSRF
P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted form.
by LiquidWorm
CVSS 4.3
CVE-2020-37060 EXPLOITDB HIGH text
Atomic Alarm Clock 6.3 - Privilege Escalation
Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named 'Program.exe' to gain persistent system-level access.
by boku
CVSS 7.8
EIP-2026-111498 EXPLOITDB text
Prestashop 1.7.6.4 - Cross-Site Request Forgery
by Sivanesh Ashok
EIP-2026-107188 EXPLOITDB text
Fork CMS 5.8.0 - Persistent Cross-Site Scripting
by Vulnerability-Lab
EIP-2026-105779 EXPLOITDB text
Centreon 19.10.5 - 'id' SQL Injection
by Basim Alabdullah
EIP-2026-112557 EXPLOITDB text
TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection
by Vulnerability-Lab
EIP-2026-102285 EXPLOITDB text
Playable 9.18 iOS - Persistent Cross-Site Scripting
by Vulnerability-Lab
CVE-2020-3161 EXPLOITDB CRITICAL text
Cisco IP Phones - RCE/DoS
A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.
by Jacob Baines
CVSS 9.8
CVE-2020-37123 EXPLOITDB CRITICAL text
Pinger 1.0 - RCE
Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters.
by Milad karimi
CVSS 9.8
EIP-2026-114424 EXPLOITDB text
Xeroneit Library Management System 3.0 - 'category' SQL Injection
by Sohel Yousef
EIP-2026-111970 EXPLOITDB text
SeedDMS 5.1.18 - Persistent Cross-Site Scripting
by Vulnerability-Lab
EIP-2026-109236 EXPLOITDB text
Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
by Vulnerability-Lab
EIP-2026-106399 EXPLOITDB text
DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
by Vulnerability Research Laboratory
EIP-2026-102298 EXPLOITDB text
SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
by Vulnerability-Lab
EIP-2026-102233 EXPLOITDB text
File Transfer iFamily 2.1 - Directory Traversal
by Vulnerability-Lab
EIP-2026-102213 EXPLOITDB text
AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
by Vulnerability-Lab
CVE-2020-37150 EXPLOITDB HIGH text
Edimax EW-7438RPn-v3 Mini 1.27 - Info Disclosure
Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication.
by Wadeek
CVSS 7.5
CVE-2020-37149 EXPLOITDB HIGH text
Edimax EW-7438RPn-v3 Mini 1.27 - CSRF
Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges.
by Wadeek
CVSS 8.1
CVE-2020-37125 EXPLOITDB CRITICAL text
Edimax EW-7438RPn-v3 Mini 1.27 - RCE
Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device.
by Wadeek
CVSS 9.8
EIP-2026-102435 EXPLOITDB text
WSO2 3.1.0 - Persistent Cross-Site Scripting
by Raki Ben Hamouda
CVE-2020-23069 EXPLOITDB MEDIUM text
webTareas 2.0 - Path Traversal
A path traversal vulnerability exists in webTareas 2.0 via the extpath parameter in general_serv.php, which could let a malicious user read arbitrary files.
by China Banking and Insurance Information Technology Management Co.
CVSS 6.5
EIP-2026-113884 EXPLOITDB text
WordPress Plugin Media Library Assistant 2.81 - Local File Inclusion
by Daniel Monzón
CVE-2019-16383 EXPLOITDB CRITICAL text
Progress MOVEit Transfer <11.1.1 - SQL Injection
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection.
by Aviv Beniash
CVSS 9.4