Text Exploits
31,386 exploits tracked across all sources.
Adrenalin HRMS <5.4.0 - XSS
Adrenalin HRMS version 5.4.0 contains a Reflected Cross Site Scripting (XSS) vulnerability in the ApplicationtEmployeeSearch page via 'prntDDLCntrlName' and 'prntFrmName'.
by Cy83rl0gger
CVSS 6.1
Prima Systems FlexAir <2.3.38 - RCE
Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in context of an affected site.
by LiquidWorm
CVSS 9.0
Alps HID Monitor Service 8.1.0.10 - Code Injection
Alps HID Monitor Service 8.1.0.10 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\Apoint2K\HidMonitorSvc.exe to inject malicious executables and gain system-level access.
by Héctor Gabriel Chimecatl Hernández
CVSS 7.8
GCaf 3.0 - Unquoted Service Path in gbClientService
GCafé 3.0 contains an unquoted service path vulnerability in the gbClientService that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with LocalSystem permissions.
by 4ll4u
CVSS 7.8
Adobe Acrobat and Reader DC < 15.006.30504, 15.008.20082-19.021.20047 - Untrusted Pointer Dereference
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .
by Google Security Research
CVSS 9.8
Adobe Acrobat and Reader DC < 15.006.30504, 15.008.20082-19.021.20047 - Untrusted Pointer Dereference
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .
by Google Security Research
CVSS 9.8
iPhone OS < 12.4 - Use-After-Free via Untrusted NSDictionary Deserialization
This issue was addressed with improved checks. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3. An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary.
by Google Security Research
CVSS 9.8
SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
by Carlos A Garcia R
Adaware Web Companion 4.8.2078.3950 - Code Injection
Adaware Web Companion version 4.8.2078.3950 contains an unquoted service path vulnerability in the WCAssistantService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Lavasoft\Web Companion\Application\ to inject malicious code that would execute with LocalSystem privileges during service startup.
by Mariela L Martínez Hdez
CVSS 7.8
Wacom WTabletService 6.6.7-3 - Code Injection
Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in the service path to run unauthorized code when the service restarts or the system reboots.
by Marcos Antonio León
CVSS 7.8
Smartwares HOME easy <1.0.9 - Auth Bypass
Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information.
by LiquidWorm
CVSS 9.8
QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path
by Ivan Marmolejo
Network Inventory Advisor 5.0.26.0 Unquoted Service Path Privilege Escalation
Network Inventory Advisor 5.0.26.0 installs the niaservice service with an unquoted binary path that allows local attackers to escalate privileges by placing malicious executables in intermediate directories. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with LocalSystem privileges when the service starts or restarts.
by Samuel DiazL
CVSS 7.8
SD.NET RIM < 4.7.3c - SQL Injection via POST Parameters 'idtyp' and 'idgremium'
SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. Attackers can exploit this vulnerability by crafting specially formed POST requests to the /vorlagen/ endpoint, enabling unauthorized database manipulation and potential information disclosure.
by Fabian Mosch_ Nick Theisinger
CVSS 8.2
Millhouse Project 1.414 - Stored Cross-Site Scripting via Comment Content Parameter
Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. Attackers can post comments with embedded JavaScript through the 'content' parameter in add_comment_sql.php to execute arbitrary scripts in victim browsers.
by cakes
CVSS 6.4
Globitek CMS 1.4 - SQL Injection via 'id' GET Parameter
thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information.
by cakes
CVSS 7.1
RimbaLinux AhadPOS 1.11 - SQL Injection
RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind SQL injection techniques to extract information or potentially interact with the underlying database.
by cakes
CVSS 7.1
html5_snmp 1.11 - SQL Injection via Router_ID and Router_IP Parameters
html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-based, and union-based injection techniques to potentially extract or modify database information by sending crafted payloads.
by cakes
CVSS 9.1
html5_snmp 1.11 - Stored Cross-Site Scripting via Remark Parameter
html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. Attackers can craft a POST request with a script payload in the Remark field to execute arbitrary JavaScript in victim browsers when the page is loaded.
by cakes
CVSS 6.1
BlueStacks App Player 2.4.44.62.57 - Local Privilege Escalation
BlueStacks App Player 2.4.44.62.57 contains an unquoted service path vulnerability in the BstHdLogRotatorSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe to inject malicious executables and escalate privileges.
by Diego Armando Buztamante Rico
CVSS 7.8
WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
by Google Security Research
iCloud < 7.15 - Memory Corruption via Malicious Web Content
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, watchOS 6.1, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.
by Google Security Research
CVSS 8.8
macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()
by Google Security Research
By Source