Text Exploits
31,386 exploits tracked across all sources.
Avaya IP Office Application Server 11.0-11.0.4.0 - Cross-Site Scripting in WebUI
A Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server could allow unauthorized code execution and potentially disclose sensitive information. All product versions 11.x are affected. Product versions prior to 11.0, including unsupported versions, were not evaluated.
by Scott Goodwin
CVSS 5.4
Easy2Pilot 7 Cross-Site Request Forgery via admin.php
Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add_user endpoint with POST requests containing username and password parameters to create new administrative accounts without explicit user consent.
by indoushka
CVSS 4.3
WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
by Ultra Security Team
WOOF Products Filter for WooCommerce 1.2.3 Persistent XSS
WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design tab textfields. Attackers can inject JavaScript code through fields like 'Text for block toggle' and 'Custom front css styles' that executes on frontend pages when saved, affecting all site visitors.
by Shahab.ra.9
CVSS 5.5
TFTP Turbo 4.6.1273 - Unquoted Service Path Privilege Escalation
TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
by boku
CVSS 7.8
DHCP Turbo 4.61298 - Unquoted Service Path Privilege Escalation
DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts.
by boku
CVSS 7.8
BOOTP Turbo 2.0.1214 - Privilege Escalation
BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted executable path to inject malicious code that will be executed when the service starts with LocalSystem permissions.
by boku
CVSS 7.8
Windows - Elevation of Privilege via MSI Package Symbolic Link Processing
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0686.
by nu11secur1ty
CVSS 7.8
HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
by Roberto Piña
WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
by Ultra Security Team
WordPress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting
by Jinson Varghese Behanan
SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
by J3rryBl4nks
Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
by J3rryBl4nks
Avaya Aura Communication Manager 5.2 - Remote Code Execution
by Sarang Tumne
SprintWork 2.3.1 - Privilege Escalation
SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete system access.
by boku
CVSS 6.2
phpMyChat Plus 1.98 - SQL Injection
phpMyChat Plus 1.98 contains a SQL injection vulnerability in the deluser.php page through the pmc_username parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to extract sensitive database information by crafting malicious payloads in the username field.
by J3rryBl4nks
CVSS 8.2
EPSON EasyMP Network Projection 2.81 - Code Injection
EPSON EasyMP Network Projection 2.81 contains an unquoted service path vulnerability in the EMP_NSWLSV service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\ to inject malicious code that would execute with LocalSystem privileges.
by Roberto Piña
CVSS 7.8
WordPress Plugin ultimate-member 2.1.3 Local File Inclusion
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code.
by Mehran Feizi
CVSS 5.5
WordPress Plugin Wordfence.7.4.5 - Local File Disclosure
by Mehran Feizi
WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
by Mehran Feizi