Text Exploits

31,346 exploits tracked across all sources.

EIP-2026-114028 EXPLOITDB text
WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting
by Mr Winst0n
EIP-2026-110056 EXPLOITDB text
Online Appointment - SQL Injection
by mohammad zaheri
CVE-2019-16065 EXPLOITDB HIGH text
Enigma NMS 65.0.0 - SQL Injection
A remote SQL injection web vulnerability was discovered in the Enigma NMS 65.0.0 and prior web application that allows an attacker to execute SQL commands to expose and compromise the web server, expose database tables and values, and potentially execute system-based commands as the mysql user. This affects the search_pattern value of the manage_hosts_short.cgi script.
by xerubus
CVSS 8.8
CVE-2019-25443 EXPLOITDB HIGH text
Inventory Webapp - SQL Injection
Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to add-item.php to execute arbitrary database commands.
by mohammad zaheri
CVSS 8.2
EIP-2026-111577 EXPLOITDB text
Publisure Hybrid - Multiple Vulnerabilities
by Jean-Marie Bourbon
CVE-2019-15889 EXPLOITDB MEDIUM text
WordPress <2.9.94 - XSS
The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.
by MgThuraMoeMyint
CVSS 6.1
CVE-2019-10677 EXPLOITDB MEDIUM text
DASAN Zhone ZNID GPON 2426A EU Firmware < S3.1.285 - XSS
Multiple Cross-Site Scripting (XSS) issues in the web interface on DASAN Zhone ZNID GPON 2426A EU version S3.1.285 devices allow a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameter: /zhndnsdisplay.cmd (name), /wlsecrefresh.wl (wlWscCfgMethod, wl_wsc_reg).
by Adam Ziaja
CVSS 6.1
CVE-2019-25471 EXPLOITDB CRITICAL text VERIFIED
FileThingie 2.5.7 - Arbitrary File Upload
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.
by cakes
CVSS 9.8
CVE-2019-16120 EXPLOITDB HIGH text
WordPress Event Tickets <4.10.7.2 - Code Injection
CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post > Ticketed > Attendees" Export Attendees feature.
by MTK
CVSS 8.8
EIP-2026-117372 EXPLOITDB text
Kaseya VSA agent 9.5 - Privilege Escalation
by NF
CVE-2019-15081 EXPLOITDB MEDIUM text
OpenCart < 3.0.3.2 - XSS
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.
by Nipun Somani
CVSS 4.8
CVE-2019-14280 EXPLOITDB MEDIUM text
Craft <2.7.10-3.2.6 - Info Disclosure
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
by Mohammed Abdul Raheem
CVSS 5.3
CVE-2019-13237 EXPLOITDB MEDIUM text
Alkacon OpenCms Apollo Template < 11.0.1 - Path Traversal
In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.
by Aetsu
CVSS 4.3
CVE-2019-13236 EXPLOITDB MEDIUM text
Alkacon OpenCms < 11.0.1 - XSS
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.
by Aetsu
CVSS 6.1
CVE-2019-13235 EXPLOITDB MEDIUM text
Alkacon OpenCms Apollo Template < 11.0.1 - XSS
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.
by Aetsu
CVSS 6.1
CVE-2019-16124 EXPLOITDB CRITICAL text
YouPHPTube 7.4 - Info Disclosure
In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code.
by Damian Ebelties
CVSS 9.8
CVE-2019-1010124 EXPLOITDB MEDIUM text
WebAppick WooCommerce Product Feed <2.2.18 - XSS
WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Administrator must be logged in.
by Damian Ebelties
CVSS 5.4
CVE-2019-15814 EXPLOITDB MEDIUM text
Sentrifugo 3.2 - XSS
Multiple stored XSS vulnerabilities in Sentrifugo 3.2 could allow authenticated users to inject arbitrary web script or HTML.
by creosote
CVSS 5.4
CVE-2019-15813 EXPLOITDB HIGH text
Sentrifugo 3.2 - RCE
Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell.
by creosote
CVSS 8.8
CVE-2019-15811 EXPLOITDB MEDIUM text
DomainMOD <4.13 - XSS
In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS.
by Damian Ebelties
CVSS 6.1
CVE-2019-14339 EXPLOITDB MEDIUM text
Canon PRINT - Info Disclosure
The ContentProvider in the Canon PRINT jp.co.canon.bsd.ad.pixmaprint 2.5.5 application for Android does not properly restrict canon.ij.printer.capability.data data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for the administrator web interface and WPA2-PSK key.
by 0x48piraj
CVSS 5.5
CVE-2019-16123 EXPLOITDB HIGH text
Kartatopia PilusCart <1.4.1 - Info Disclosure
In Kartatopia PilusCart 1.4.1, the parameter filename in the file catalog.php is mishandled, leading to ../ Local File Disclosure.
by Damian Ebelties
CVSS 7.5
CVE-2019-8689 EXPLOITDB HIGH text VERIFIED
Apple iCloud < 7.13 - Out-of-Bounds Write
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to arbitrary code execution.
by Google Security Research
CVSS 8.8
CVE-2019-20447 EXPLOITDB CRITICAL text
Jobberbase - SQL Injection
Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endpoint.
by Suvadip Kar
CVSS 9.8
CVE-2019-9083 EXPLOITDB CRITICAL text
SQLiteManager - SQL Injection
SQLiteManager 1.20 and 1.24 allows SQL injection via the /sqlitemanager/main.php dbsel parameter. NOTE: This product is discontinued.
by Rafael Pedrero
CVSS 9.8