Text Exploits

31,386 exploits tracked across all sources.

EIP-2026-106399 EXPLOITDB text
DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
by Vulnerability Research Laboratory
EIP-2026-102298 EXPLOITDB text
SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
by Vulnerability-Lab
EIP-2026-102233 EXPLOITDB text
File Transfer iFamily 2.1 - Directory Traversal
by Vulnerability-Lab
EIP-2026-102213 EXPLOITDB text
AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
by Vulnerability-Lab
CVE-2020-37150 EXPLOITDB HIGH text
Edimax EW-7438RPn-v3 Mini 1.27 - Info Disclosure
Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication.
by Wadeek
CVSS 7.5
CVE-2020-37149 EXPLOITDB HIGH text
Edimax EW-7438RPn-v3 Mini 1.27 - CSRF
Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges.
by Wadeek
CVSS 8.1
CVE-2020-37125 EXPLOITDB CRITICAL text
Edimax EW-7438RPn-v3 Mini 1.27 - RCE
Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device.
by Wadeek
CVSS 9.8
EIP-2026-102435 EXPLOITDB text
WSO2 3.1.0 - Persistent Cross-Site Scripting
by Raki Ben Hamouda
CVE-2020-37220 EXPLOITDB HIGH text
Huawei HG630 V2 Router Authentication Bypass via Serial Number
Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can query the /api/system/deviceinfo endpoint without authentication to extract the SerialNumber field, then use the last 8 characters as the default password to log in to the router.
by Eslam Medhat
CVSS 7.5
CVE-2020-23069 EXPLOITDB MEDIUM text
webTareas 2.0 - Path Traversal via extpath Parameter in general_serv.php
A path traversal vulnerability exists in webTareas 2.0 via the extpath parameter in general_serv.php, which could let a malicious user read arbitrary files.
by China Banking and Insurance Information Technology Management Co.
CVSS 6.5
EIP-2026-113884 EXPLOITDB text
WordPress Plugin Media Library Assistant 2.81 - Local File Inclusion
by Daniel Monzón
CVE-2019-16383 EXPLOITDB CRITICAL text
Progress MOVEit Transfer <11.1.1 - SQL Injection
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection.
by Aviv Beniash
CVSS 9.4
EIP-2026-102434 EXPLOITDB text
WSO2 3.1.0 - Arbitrary File Delete
by Raki Ben Hamouda
CVE-2020-22809 EXPLOITDB HIGH text
Windscribe <v1.83 Build 20 - Privilege Escalation
In Windscribe v1.83 Build 20, 'WindscribeService' has an Unquoted Service Path that facilitates privilege escalation.
by MgThuraMoeMyint
CVSS 7.8
EIP-2026-113808 EXPLOITDB text
WordPress Plugin Helpful 2.4.11 - SQL Injection
by numan türle
EIP-2026-106475 EXPLOITDB text
Django 3.0 - Cross-Site Request Forgery Token Bypass
by Spad Security Group
CVE-2020-37152 EXPLOITDB MEDIUM text VERIFIED
PHP-Fusion 9.03.50 - Cross-Site Scripting via Panel Content POST Parameter
PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site.
by hyp3rlinx
CVSS 6.1
CVE-2020-37136 EXPLOITDB HIGH text
ZOC Terminal 7.25.5 - Denial of Service via Private Key File Input Buffer Overflow
ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. Attackers can overwrite the private key file input with a 2000-byte buffer, causing the application to become unresponsive when attempting to create SSH key files.
by chuyreds
CVSS 7.5
CVE-2020-37129 EXPLOITDB CRITICAL text
Memu Play 7.1.3 - Privilege Escalation
Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions.
by chuyreds
CVSS 9.8
CVE-2020-11456 EXPLOITDB MEDIUM text
LimeSurvey < 4.1.12+200324 - Stored Cross-Site Scripting in Survey Groups
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups).
by Matthew Aberegg
CVSS 5.4
CVE-2020-11455 EXPLOITDB CRITICAL text VERIFIED
LimeSurvey < 4.1.12+200324 - Path Traversal in LimeSurveyFileManager
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
by Matthew Aberegg
CVSS 9.8
CVE-2019-18426 EXPLOITDB HIGH text
WhatsApp Desktop < 0.3.9309 and WhatsApp for iPhone < 2.20.10 - Cross-Site Scripting via Link Preview
A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.
by Gal Weizman
CVSS 8.2
CVE-2020-11457 EXPLOITDB MEDIUM text
pfSense < 2.4.5 - Stored Cross-Site Scripting via User Full Name Parameter
pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.
by Matthew Aberegg
CVSS 5.4
CVE-2020-37137 EXPLOITDB MEDIUM text
PHP-Fusion 9.03.50 - Remote Code Execution via panels.php Panel Content Parameter
PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code.
by Unkn0wn
CVSS 6.1
CVE-2020-37219 EXPLOITDB HIGH text
Joomla com_fabrik 3.9.11 Directory Traversal via image.php
Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET requests to the onAjax_files method with path traversal sequences to enumerate files in system directories outside the intended web root.
by qw3rTyTy
CVSS 7.5