Exploitdb Exploits

31,346 exploits tracked across all sources.

EIP-2026-113965 EXPLOITDB text
Wordpress Plugin PicUploader 1.0 - Remote File Upload
by Milad karimi
EIP-2026-108907 EXPLOITDB text
Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection
by qw3rTyTy
EIP-2026-103888 EXPLOITDB text
CyberArk PSMP 10.9.1 - Policy Restriction Bypass
by LAHBAL Said
CVE-2020-37144 EXPLOITDB MEDIUM text
Exagate SYSGuard 6001 - CSRF
Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent.
by Metin Yunus Kandemir
CVSS 5.3
CVE-2020-37045 EXPLOITDB HIGH text
Veritas NetBackup 7.0 - Code Injection
Veritas NetBackup 7.0 contains an unquoted service path vulnerability in the NetBackup INET Daemon service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe to inject malicious code that would execute with elevated LocalSystem privileges.
by El Masas
CVSS 7.8
CVE-2020-10364 EXPLOITDB HIGH text
MikroTik RouterOS < 6.44.3 - Resource Allocation Without Limits
The SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections, and cause a reboot via connect and write system calls, because of uncontrolled resource management.
by FarazPajohan
CVSS 7.5
CVE-2020-20021 EXPLOITDB HIGH text
MikroTik RouterOS < 6.46.3 - Denial of Service
An issue discovered in MikroTik Router v6.46.3 and earlier allows an attacker to cause a denial of service via a misconfiguration in the SSH daemon.
by FarazPajohan
CVSS 7.5
EIP-2026-108193 EXPLOITDB text
Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload
by qw3rTyTy
EIP-2026-101891 EXPLOITDB text
Netlink GPON Router 1.0.11 - Remote Code Execution
by shellord
EIP-2026-112842 EXPLOITDB text
UADMIN Botnet 1.0 - 'link' SQL Injection
by n4pst3r
EIP-2026-109467 EXPLOITDB text
MiladWorkShop VIP System 1.0 - 'lang' SQL Injection
by AYADI Mohamed
EIP-2026-100308 EXPLOITDB text
Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)
by Miguel Mendez Z
EIP-2026-113676 EXPLOITDB text
WordPress Plugin Custom Searchable Data System - Unauthenticated Data Modification
by Nawaf Alkeraithe
CVE-2020-10230 EXPLOITDB CRITICAL text
Webpanel - SQL Injection
CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.
by Berke YILMAZ
CVSS 9.8
CVE-2020-37145 EXPLOITDB MEDIUM text
HRSALE 1.1.8 - CSRF
HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges.
by Ismail Akıcı
CVSS 4.3
EIP-2026-116818 EXPLOITDB text
ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path
by Roberto Piña
CVE-2020-9372 EXPLOITDB HIGH text
Codepeople Appointment Booking Calendar - Remote Code Execution
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
by Daniel Monzón
CVSS 7.8
EIP-2026-108455 EXPLOITDB text
Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection
by Milad karimi
EIP-2026-102432 EXPLOITDB text
WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
by RedTeam Pentesting GmbH
CVE-2020-37079 EXPLOITDB MEDIUM text
Wing FTP Server <6.2.7 - CSRF
Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization.
by Dhiraj Mishra
CVSS 4.3
CVE-2020-11548 EXPLOITDB CRITICAL text
Search Meter < 2.13.2 - Remote Code Execution
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
by Daniel Monzón
CVSS 9.8
EIP-2026-118391 EXPLOITDB text
CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit)
by Kevin Randall
EIP-2026-118390 EXPLOITDB text
CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit)
by Kevin Randall
EIP-2026-116819 EXPLOITDB text
ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path
by Roberto Piña
EIP-2026-111327 EXPLOITDB text
PlaySMS 1.4.3 - Template Injection / Remote Code Execution
by Touhid M.Shaikh