Exploitdb Exploits

31,346 exploits tracked across all sources.

CVE-2019-2215 EXPLOITDB HIGH text VERIFIED
Android Binder Use-After-Free Exploit
A use-after-free in binder.c allows an elevation of privilege from an application to the Linux kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network-facing application. Product: Android. Android ID: A-141720095
by Google Security Research
CVSS 7.8
EIP-2026-104226 EXPLOITDB text
DotNetNuke 9.3.2 - Cross-Site Scripting
by Semen Alexandrovich Lyhin
EIP-2026-103711 EXPLOITDB text VERIFIED
WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads
by Google Security Research
EIP-2026-103709 EXPLOITDB text VERIFIED
WebKit - Universal XSS Using Cached Pages
by Google Security Research
CVE-2019-25441 EXPLOITDB CRITICAL text
thesystem 1.0 - Command Injection
thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.
by Sadik Cetin
CVSS 9.8
CVE-2019-25311 EXPLOITDB MEDIUM text
thesystem 1.0 - XSS
thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. Attackers can submit crafted script payloads in operating_system, system_owner, system_username, system_password, system_description, and server_name parameters to execute arbitrary JavaScript in victim browsers.
by Anıl Baran Yelken
CVSS 6.4
CVE-2019-16645 EXPLOITDB HIGH text
Embedthis GoAhead 2.5.0 - Host Header Injection
An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.
by Ramikan
CVSS 8.6
CVE-2019-25347 EXPLOITDB HIGH text
thesystem App 1.0 - SQL Injection
thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 into the username field to gain unauthorized access to user accounts.
by Anıl Baran Yelken
CVSS 7.5
CVE-2019-25346 EXPLOITDB HIGH text
TheSystem 1.0 - SQL Injection
TheSystem 1.0 contains a SQL injection vulnerability in the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 into that parameter to retrieve unauthorized database records and potentially access sensitive system information.
by Sadik Cetin
CVSS 7.5
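The two thesystem SQL injection entries above both quote the payload ' or '1=1. The following is an added example (not code from thesystem or from the Exploit-DB entries) that shows why that payload works against a query built by string formatting, and why a parameterised query is immune. The schema, the user and server rows, and the clear-text passwords are constructed for the example; in the login case the payload is sent in both fields because AND binds tighter than OR, so a payload in the username alone would still be gated by the password clause.

```python
import sqlite3

PAYLOAD = "' or '1=1"   # the payload quoted in the thesystem entries above


def make_db():
    """Constructed in-memory data; not thesystem's real schema (clear-text passwords for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "correct horse"), ("alice", "hunter2")])
    conn.execute("CREATE TABLE servers (id INTEGER PRIMARY KEY, server_name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO servers (server_name, owner) VALUES (?, ?)",
                     [("build-01", "alice"), ("db-02", "admin")])
    return conn


def vulnerable_login(conn, username, password):
    # String formatting: a quote in the input closes the literal and the rest is parsed as SQL.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    # Bound parameters: values travel separately from the SQL text and cannot change its shape.
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_server_lookup(conn, server_name):
    # Same defect on a data lookup: the payload turns a single-row filter into "every row".
    sql = f"SELECT server_name FROM servers WHERE server_name = '{server_name}'"
    return [r[0] for r in conn.execute(sql)]


def safe_server_lookup(conn, server_name):
    return [r[0] for r in conn.execute(
        "SELECT server_name FROM servers WHERE server_name = ?", (server_name,))]


def demo():
    conn = make_db()
    return {
        "legit_vuln": vulnerable_login(conn, "alice", "hunter2"),
        "legit_safe": safe_login(conn, "alice", "hunter2"),
        # Payload in both fields gives: WHERE username = '' or '1=1' AND password = '' or '1=1'
        # which parses as (username='') OR ('1=1' AND password='') OR ('1=1'). The final term
        # is a non-empty string that SQLite/MySQL coerce to 1 (true), so every row matches and
        # fetchone() hands back the first user, which here is admin.
        "bypass_vuln": vulnerable_login(conn, PAYLOAD, PAYLOAD),
        "bypass_safe": safe_login(conn, PAYLOAD, PAYLOAD),
        "rows_vuln": vulnerable_server_lookup(conn, PAYLOAD),
        "rows_safe": safe_server_lookup(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The parameterised versions treat the payload as an opaque string that matches no username and no server name, so the login fails and the lookup returns nothing.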
CVE-2019-25312 EXPLOITDB MEDIUM text
InoERP 0.7.2 - XSS
InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session information.
by strider
CVSS 5.4
CVE-2019-25239 EXPLOITDB HIGH text
V-SOL GPON/EPON OLT Platform 2.03 - Info Disclosure
V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access.
by LiquidWorm
CVSS 7.5
CVE-2019-25238 EXPLOITDB MEDIUM text
V-SOL GPON/EPON OLT Platform 2.03 - CSRF
V-SOL GPON/EPON OLT Platform 2.03 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to create admin users, enable SSH, or modify system settings by tricking authenticated administrators into loading a specially crafted page.
by LiquidWorm
CVSS 4.3
CVE-2019-25237 EXPLOITDB CRITICAL text
V-SOL GPON/EPON OLT Platform v2.03 - Privilege Escalation
V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod' set to integer value '1' to elevate their privileges.
by LiquidWorm
CVSS 9.8
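The V-SOL privilege escalation entry above describes a handler that writes a client-supplied 'user_role_mod' field straight into the account record. The following is an added example (not V-SOL's code) of that pattern beside a handler that derives authorisation from the server-side session instead. The user store, the role codes (1 for administrator, 0 for a normal user), the field names other than 'user_role_mod', and the account names are constructed for the example.

```python
ADMIN, USER = 1, 0   # role codes assumed for the example; the entry only says '1' means administrator


def make_users():
    """Constructed user store; a real application reads this from its database."""
    return {
        "alice": {"role": USER, "email": "alice@example.com"},
        "root": {"role": ADMIN, "email": "root@example.com"},
    }


def vulnerable_user_update(users, session_user, form):
    # Every posted field is written through, so a normal user can post user_role_mod=1 for themself.
    target = form.get("username", session_user)
    if "user_role_mod" in form:
        users[target]["role"] = int(form["user_role_mod"])
    if "email" in form:
        users[target]["email"] = form["email"]
    return users[target]["role"]


SELF_EDITABLE = {"email"}   # what a non-admin may change about their own account


def safe_user_update(users, session_user, form):
    """Authorise on the server-side session, never on what the form claims.
    Returns the target's role after the update, or None if the request was refused."""
    actor_is_admin = users[session_user]["role"] == ADMIN
    target = form.get("username", session_user)
    if target not in users:
        return None
    if not actor_is_admin:
        if target != session_user:
            return None                      # editing someone else's account
        if set(form) - SELF_EDITABLE - {"username"}:
            return None                      # unexpected field, e.g. user_role_mod
    if "user_role_mod" in form:
        users[target]["role"] = int(form["user_role_mod"])
    if "email" in form:
        users[target]["email"] = form["email"]
    return users[target]["role"]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_user_update(make_users(), "alice", {"user_role_mod": "1"}))
    print("safe:", safe_user_update(make_users(), "alice", {"user_role_mod": "1"}))
```

The hardened handler uses an allowlist of fields per privilege level, so a new privileged field added later is refused by default rather than silently honoured.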
EIP-2026-114363 EXPLOITDB text
WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting
by m0ze
EIP-2026-112657 EXPLOITDB text
thesystem App 1.0 - Persistent Cross-Site Scripting
by İsmail Güngör
CVE-2018-25158 EXPLOITDB HIGH text
Chamilo LMS 1.11.8 - Authenticated RCE
Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elFinder file manager module. Attackers can upload files with image headers in the social "my files" section, rename them to a PHP extension, and execute arbitrary code by requesting the uploaded files.
by Sohel Yousef
CVSS 8.8
CVE-2019-25314 EXPLOITDB MEDIUM text
Yoast Duplicate-Post WP <3.2.3 - XSS
Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.
by Unk9vvN
CVSS 5.5
CVE-2019-16894 EXPLOITDB CRITICAL text
inoERP <4.15 - SQL Injection
download.php in inoERP 4.15 allows SQL injection through insecure deserialization.
by Semen Alexandrovich Lyhin
CVSS 9.8
EIP-2026-105855 EXPLOITDB text VERIFIED
citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection
by cakes
EIP-2026-105101 EXPLOITDB text
all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting
by Unk9vvN
CVE-2019-25315 EXPLOITDB MEDIUM text
WordPress Server Log Viewer 1.0 - XSS
WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface.
by strider
CVSS 6.4
CVE-2019-16532 EXPLOITDB MEDIUM text
YzmCMS V5.3 - Host Header Injection
An HTTP Host header injection vulnerability exists in YzmCMS V5.3. A malicious user can poison a web cache or trigger redirections.
by Debashis Pal
CVSS 6.1
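The Embedthis GoAhead and YzmCMS entries above share one root cause: absolute links (or redirects and cache keys) are built from the Host header the client sent. The following is an added example (not code from either product) of that pattern beside the usual fix: an exact-match allowlist of the hostnames the deployment answers for, and links built from configuration rather than from the request. The hostnames, the configured base URL, the /goform/login path reused from the GoAhead entry, and the header dictionaries are constructed for the example.

```python
# Hostnames this deployment legitimately answers for; constructed for the example.
ALLOWED_HOSTS = {"portal.example.com", "portal.example.com:8443"}
# Absolute links are built from this configured origin, never from the request.
CANONICAL_BASE = "https://portal.example.com"


def is_trusted_host(host_header, allowed=ALLOWED_HOSTS):
    """Exact-match allowlist check on the Host value (case-folded, nothing else normalised)."""
    if not isinstance(host_header, str) or not host_header:
        return False
    host = host_header.lower()
    # A bare host[:port] contains no path separators, whitespace or userinfo; anything
    # else is tampering, and exact matching also rejects suffix tricks like
    # portal.example.com.attacker.example.
    if any(c in host for c in "/\\ \t@"):
        return False
    return host in allowed


def vulnerable_login_link(headers):
    # The mistake in the two entries above: the link's origin is whatever the client sent,
    # so a request with "Host: attacker.example" yields a login link pointing at the attacker.
    return f"http://{headers['Host']}/goform/login"


def safe_login_link(headers):
    # Refuse to serve an unknown Host at all (a real handler answers 400), then build the
    # link from configuration so the request can no longer influence it.
    if not is_trusted_host(headers.get("Host")):
        return None
    return f"{CANONICAL_BASE}/goform/login"


def login_links():
    """Same attacker-controlled Host through both code paths (headers are constructed)."""
    attacker = {"Host": "attacker.example"}
    legit = {"Host": "portal.example.com"}
    return {
        "vuln_attacker": vulnerable_login_link(attacker),
        "safe_attacker": safe_login_link(attacker),
        "safe_legit": safe_login_link(legit),
    }


if __name__ == "__main__":
    for name, value in login_links().items():
        print(f"{name}: {value!r}")
```

Behind a reverse proxy the same rule applies to X-Forwarded-Host: accept it only from the proxy's address and check it against the same allowlist, otherwise it is just a second attacker-controlled Host header.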
EIP-2026-116312 EXPLOITDB text
SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service
by Emilio Revelo
CVE-2019-5485 EXPLOITDB CRITICAL text
Gitlabhook - OS Command Injection
NPM package gitlabhook version 0.0.17 is vulnerable to command injection: arbitrary commands can be injected through the repository name.
by Semen Alexandrovich Lyhin
CVSS 10.0
CVE-2019-1262 EXPLOITDB MEDIUM text
Microsoft SharePoint Foundation - XSS
A cross-site scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.
by Davide Cioccia
CVSS 5.4