Text Exploits

31,386 exploits tracked across all sources.

Sort: Activity Stars
CVE-2019-1345 EXPLOITDB MEDIUM text VERIFIED
Windows 10 and Windows Server 2016/2019 - Out-of-bounds Read in Kernel Memory Handling
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1334.
by Google Security Research
CVSS 5.5
CVE-2019-1346 EXPLOITDB MEDIUM text VERIFIED
Windows - Denial of Service via Memory Object Handling
A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-1343, CVE-2019-1347.
by Google Security Research
CVSS 6.5
CVE-2019-1344 EXPLOITDB MEDIUM text VERIFIED
Windows Code Integrity Module - Info Disclosure
An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory, aka 'Windows Code Integrity Module Information Disclosure Vulnerability'.
by Google Security Research
CVSS 5.5
CVE-2019-1343 EXPLOITDB MEDIUM text VERIFIED
Windows 10, 8.1, RT 8.1, Server 2012, 2016, 2019 - Denial of Service via Memory Object Handling
A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-1346, CVE-2019-1347.
by Google Security Research
CVSS 6.5
CVE-2019-13529 EXPLOITDB HIGH text
SMA Sunny WebBox Firmware < 1.6 - Cross-Site Request Forgery
An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation.
by Borja Merino
CVSS 8.8
CVE-2019-8717 EXPLOITDB HIGH text VERIFIED
macOS < 10.15 and tvOS < 13 - Out-of-bounds Write
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15, tvOS 13. An application may be able to execute arbitrary code with kernel privileges.
by Google Security Research
CVSS 7.8
CVE-2019-17382 EXPLOITDB CRITICAL text
Zabbix < 4.4 - Unauthenticated Authorization Bypass via Dashboard View Action
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
by Milad Khoshdel
CVSS 9.1
CVE-2019-8452 EXPLOITDB HIGH text
Check Point Endpoint Security < E80.96 and ZoneAlarm < 15.4.062 - Privilege Escalation via Hard Link
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file.
by Jakub Palaczynski
CVSS 7.8
CVE-2019-17225 EXPLOITDB MEDIUM text
Subrion 4.2.1 - Cross-Site Scripting via Admin Member JSON Update
Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue.
by Creatigon
CVSS 5.4
CVE-2019-4013 EXPLOITDB CRITICAL text
IBM BigFix Platform 9.5.0-9.5.10 - Authenticated Arbitrary File Upload and Remote Code Execution
IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges. IBM X-Force ID: 155887.
by Jakub Palaczynski
CVSS 9.0
CVE-2019-25438 EXPLOITDB HIGH text
LabCollector 5.423 - Unauthenticated SQL Injection via login.php or retrieve_password.php Parameters
LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the user_name parameter of retrieve_password.php to extract sensitive database information without authentication.
by Carlos Avila
CVSS 7.5
CVE-2019-2215 EXPLOITDB HIGH text VERIFIED
Android Binder Use-After-Free Exploit
A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095
by Google Security Research
CVSS 7.8
EIP-2026-104226 EXPLOITDB text
DotNetNuke 9.3.2 - Cross-Site Scripting
by Semen Alexandrovich Lyhin
EIP-2026-103711 EXPLOITDB text VERIFIED
WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads
by Google Security Research
EIP-2026-103709 EXPLOITDB text VERIFIED
WebKit - Universal XSS Using Cached Pages
by Google Security Research
CVE-2019-25441 EXPLOITDB CRITICAL text
thesystem 1.0 - Unauthenticated OS Command Injection via run_command Endpoint
thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.
by Sadik Cetin
CVSS 9.8
CVE-2019-25311 EXPLOITDB MEDIUM text
thesystem 1.0 - Stored Cross-Site Scripting via Operating System Parameter
thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. Attackers can submit crafted script payloads in operating_system, system_owner, system_username, system_password, system_description, and server_name parameters to execute arbitrary JavaScript in victim browsers.
by Anıl Baran Yelken
CVSS 6.4
CVE-2019-16645 EXPLOITDB HIGH text
Embedthis GoAhead 2.5.0 - Info Disclosure
An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.
by Ramikan
CVSS 8.6
CVE-2019-25742 EXPLOITDB MEDIUM text
WordPress Theme Zoner Real Estate 4.1.1 Persistent XSS
WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when creating properties. Attackers can inject JavaScript payloads in the property creation form that execute when administrators view the property for approval, enabling cookie theft and session hijacking.
by m0ze
CVSS 5.4
CVE-2019-25347 EXPLOITDB HIGH text
thesystem App 1.0 - SQL Injection
thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to user accounts.
by Anıl Baran Yelken
CVSS 7.5
CVE-2019-25346 EXPLOITDB HIGH text
TheSystem 1.0 - SQL Injection
TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information.
by Sadik Cetin
CVSS 7.5
CVE-2019-25312 EXPLOITDB MEDIUM text
InoERP 0.7.2 - Unauthenticated Stored Cross-Site Scripting in Comment Section
InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session information.
by strider
CVSS 5.4
CVE-2019-25239 EXPLOITDB HIGH text
V-SOL GPON/EPON OLT Platform 2.03 - Info Disclosure
V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access.
by LiquidWorm
CVSS 7.5
CVE-2019-25238 EXPLOITDB MEDIUM text
V-SOL GPON/EPON OLT Platform 2.03 - CSRF
V-SOL GPON/EPON OLT Platform 2.03 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to create admin users, enable SSH, or modify system settings by tricking authenticated administrators into loading a specially crafted page.
by LiquidWorm
CVSS 4.3
CVE-2019-25237 EXPLOITDB CRITICAL text
V-SOL GPON/EPON OLT Platform v2.03 - Privilege Escalation
V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod' set to integer value '1' to elevate their privileges.
by LiquidWorm
CVSS 9.8
By Source
All 31,386 Writeup 62,508 Exploitdb 50,076 Nomisec 22,472 Github 3,695 Metasploit 3,315 Vulncheck_xdb 930 Inthewild 514 Gitlab 479 Gitee 415 Patchapalooza 312
By Language
text 31,386 python 6,606 ruby 6,006 c 3,632 perl 2,849 html 2,076 php 1,333 bash 462 java 371 c++ 261 javascript 231 shell 135 go 73 postscript 25 typescript 25