Exploitdb Exploits

31,341 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-58303 EXPLOITDB HIGH text
FoF Pretty Mail 1.1.2 - Code Injection
FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.
by Chokri Hammedi
CVE-2024-58302 EXPLOITDB MEDIUM text
FoF Pretty Mail 1.1.2 - Local File Inclusion
FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation.
by Chokri Hammedi
CVE-2024-24520 EXPLOITDB HIGH text
Lepton CMS <7.0.0 - RCE
An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place.
by tmrswrr
CVSS 7.8
CVE-2024-24399 EXPLOITDB HIGH text
Lepton-cms Leptoncms - Unrestricted File Upload
An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area.
by tmrswrr
CVSS 7.2
EIP-2026-117831 EXPLOITDB text
Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
by Saud Alenazi
EIP-2026-117564 EXPLOITDB text
Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G
by hyp3rlinx
EIP-2026-116820 EXPLOITDB text
ASUS Control Center Express 01.06.15 - Unquoted Service Path
by Alaa Kachouh
CVE-2022-4395 EXPLOITDB CRITICAL text
Membership For WooCommerce <2.1.7 - Unauthenticated RCE
The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.
by Milad karimi
CVSS 9.8
EIP-2026-112233 EXPLOITDB text
Smart School 6.4.1 - SQL Injection
by CraCkEr
EIP-2026-112064 EXPLOITDB text
Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal
by Ven3xy
CVE-2024-29410 EXPLOITDB text
Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
by Sandeep Vishwakarma
EIP-2026-107622 EXPLOITDB text
Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)
by Sandeep Vishwakarma
CVE-2024-24724 EXPLOITDB CRITICAL text
Gibbon <26.0.00 - SSRF/RCE
Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.
by Ali Maharramli_Fikrat Guliev_Islam Rzayev
CVSS 9.8
EIP-2026-106626 EXPLOITDB text
E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
by Sandeep Vishwakarma
EIP-2026-105535 EXPLOITDB text
Blood Bank v1.0 - Stored Cross Site Scripting (XSS)
by Ersin Erenler
CVE-2023-48974 EXPLOITDB CRITICAL text
Axigen WebMail <10.3.3.61 - XSS
Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.
by Vincent McRae_ Mesut Cetin
CVSS 9.6
CVE-2023-34927 EXPLOITDB MEDIUM text
Casbin Casdoor < 1.331.0 - CSRF
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
by Van Lam Nguyen
CVSS 6.5
CVE-2024-58301 EXPLOITDB CRITICAL text
Purei CMS 1.0 - SQL Injection
Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information.
by Number 7
CVE-2024-22638 EXPLOITDB CRITICAL text
liveSite <2019.1 - RCE
liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulenrabiity via the component /livesite/edit_designer_region.php or /livesite/add_email_campaign.php.
by tmrswrr
CVSS 9.8
EIP-2026-114367 EXPLOITDB text
Workout Journal App 1.0 - Stored XSS
by MURAT CAGRI ALIS
EIP-2026-104189 EXPLOITDB text
Broken Access Control - on NodeBB v3.6.7
by Vibhor Sharma
CVE-2024-32256 EXPLOITDB HIGH text
Phpgurukul Tourism Management System - Unrestricted File Upload
Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. When updating a current package, there are no checks for what types of files are uploaded from the image.
by SoSPiro
CVSS 8.1
CVE-2024-58304 EXPLOITDB HIGH text
SPA-CART CMS 1.9.0.3 - XSS
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers.
by Eren Sen
CVSS 7.5
CVE-2024-24506 EXPLOITDB MEDIUM text
Lime Survey CE <v.5.3.32+220817 - XSS
Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function.
by Subhankar Singh
CVSS 6.1
EIP-2026-113177 EXPLOITDB text
Wallos < 1.11.2 - File Upload RCE
by sml
By Source
All 31,341 Exploitdb 50,123 Writeup 46,586 Nomisec 21,111 Metasploit 3,189 Github 2,219 Vulncheck_xdb 900 Inthewild 518 Gitlab 438 Gitee 415 Patchapalooza 312
By Language
text 31,341 ruby 5,920 python 5,725 c 3,550 perl 2,854 html 2,054 php 1,334 bash 459 java 359 javascript 256 c++ 245 shell 67 go 41 postscript 25 xml 24