Text Exploits

31,386 exploits tracked across all sources.

CVE-2020-0796 EXPLOITDB CRITICAL text
Windows 10 1903/1909 and Windows Server 1903/1909 - Remote Code Execution via SMBv3 Compression Buffer Overflow
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
by Daniel García Gutiérrez
CVSS 10.0
EIP-2026-106752 EXPLOITDB text
ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)
by Mustafa Emre Gül
CVE-2020-37037 EXPLOITDB HIGH text
Avast SecureLine 5.5.522.0 - Code Injection
Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.
by Roberto Piña
CVSS 7.8
EIP-2026-116680 EXPLOITDB text
10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path
by Felipe Winsnes
CVE-2020-12707 EXPLOITDB MEDIUM text
LeptonCMS 4.5.0 - Stored Cross-Site Scripting via Event Handler Injection
An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements.
by SunCSR
CVSS 6.1
EIP-2026-108660 EXPLOITDB text
Joomla! Component GMapFP 3.30 - Arbitrary File Upload
by ThelastVvV
CVE-2020-15261 EXPLOITDB HIGH text
Veyon Service <4.4.2 - Privilege Escalation
On Windows, the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in setups that are already unsafe. The problem has been fixed in version 4.4.2. As a workaround, exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.
by Víctor García
CVSS 8.0
CVE-2020-10385 EXPLOITDB MEDIUM text
WPForms Contact Form < 1.5.9 - Stored Cross-Site Scripting
A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress.
by Jinson Varghese Behanan
CVSS 5.4
CVE-2020-12704 EXPLOITDB MEDIUM text
UliCMS < 2020.2 - Stored Cross-Site Scripting in PageController
UliCMS before 2020.2 has PageController stored XSS.
by SunCSR
CVSS 6.1
CVE-2020-37218 EXPLOITDB HIGH text
Joomla com_hdwplayer 4.2 SQL Injection via search.php
Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table.
by qw3rTyTy
CVSS 8.2
CVE-2020-36905 EXPLOITDB HIGH text
FIBARO System Home Center 5.021 - RCE
FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content.
by LiquidWorm
CVSS 7.5
EIP-2026-115355 EXPLOITDB text
Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)
by Cem Onat Karagun
EIP-2026-113965 EXPLOITDB text
WordPress Plugin PicUploader 1.0 - Remote File Upload
by Milad karimi
EIP-2026-103888 EXPLOITDB text
CyberArk PSMP 10.9.1 - Policy Restriction Bypass
by LAHBAL Said
CVE-2020-37144 EXPLOITDB MEDIUM text
Exagate Sysguard 6001 - Cross-Site Request Forgery via /kulyon.php Admin Account Creation
Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent.
by Metin Yunus Kandemir
CVSS 5.3
CVE-2020-37045 EXPLOITDB HIGH text
Veritas NetBackup 7.0 - Code Injection
Veritas NetBackup 7.0 contains an unquoted service path vulnerability in the NetBackup INET Daemon service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe to inject malicious code that would execute with elevated LocalSystem privileges.
by El Masas
CVSS 7.8
CVE-2020-10364 EXPLOITDB HIGH text
MikroTik RouterOS <= 6.44.3 - Denial of Service via SSH Daemon Resource Exhaustion
The SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections, and cause a reboot via connect and write system calls, because of uncontrolled resource management.
by FarazPajohan
CVSS 7.5
CVE-2020-20021 EXPLOITDB HIGH text
MikroTik RouterOS < 6.46.3 - Denial of Service via SSH Daemon Misconfiguration
An issue discovered in MikroTik Router v6.46.3 and earlier allows an attacker to cause denial of service via a misconfiguration in the SSH daemon.
by FarazPajohan
CVSS 7.5
EIP-2026-108193 EXPLOITDB text
Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload
by qw3rTyTy
EIP-2026-101891 EXPLOITDB text
Netlink GPON Router 1.0.11 - Remote Code Execution
by shellord
EIP-2026-112842 EXPLOITDB text
UADMIN Botnet 1.0 - 'link' SQL Injection
by n4pst3r
EIP-2026-109467 EXPLOITDB text
MiladWorkShop VIP System 1.0 - 'lang' SQL Injection
by AYADI Mohamed
EIP-2026-100308 EXPLOITDB text
Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)
by Miguel Mendez Z
EIP-2026-113676 EXPLOITDB text
WordPress Plugin Custom Searchable Data System - Unauthenticated Data Modification
by Nawaf Alkeraithe
CVE-2020-10230 EXPLOITDB CRITICAL text
Webpanel - SQL Injection
CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.
by Berke YILMAZ
CVSS 9.8