Text Exploits

31,386 exploits tracked across all sources.

EIP-2026-106062 EXPLOITDB text VERIFIED
College-Management-System 1.2 - Authentication Bypass
by cakes
CVE-2019-12922 EXPLOITDB MEDIUM text
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery in Setup Page
A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.
by Manuel García Cárdenas
CVSS 6.5
CVE-2019-16173 EXPLOITDB MEDIUM text VERIFIED
LimeSurvey < 3.17.14 - Reflected Cross-Site Scripting in Survey_Common_Action.php
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php,
by SEC Consult
CVSS 5.4
CVE-2019-16197 EXPLOITDB MEDIUM text
Dolibarr < 10.0.2 - Stored Cross-Site Scripting via User-Agent Header
In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS.
by Metin Yunus Kandemir
CVSS 6.1
CVE-2019-1244 EXPLOITDB MEDIUM text VERIFIED
Windows 10 - Information Disclosure via DirectWrite Memory Handling
An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory, aka 'DirectWrite Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1245, CVE-2019-1251.
by Google Security Research
CVSS 6.5
CVE-2019-1245 EXPLOITDB MEDIUM text VERIFIED
Windows DirectWrite - Information Disclosure via Memory Exposure
An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory, aka 'DirectWrite Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1244, CVE-2019-1251.
by Google Security Research
CVSS 6.5
CVE-2019-16119 EXPLOITDB CRITICAL text
10Web Photo Gallery <1.5.35 - SQL Injection
SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.
by MTK
CVSS 9.8
CVE-2019-16118 EXPLOITDB MEDIUM text
10web Photo Gallery < 1.5.35 - Cross-Site Scripting via Options.php
Cross-site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php.
by MTK
CVSS 6.1
CVE-2019-16117 EXPLOITDB MEDIUM text
10web Photo Gallery < 1.5.35 - Cross-Site Scripting via Galleries.php
Cross-site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php.
by MTK
CVSS 6.1
CVE-2019-25452 EXPLOITDB HIGH text
Dolibarr ERP/CRM 10.0.1 - SQL Injection
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.
by Metin Yunus Kandemir
CVSS 7.5
CVE-2019-25450 EXPLOITDB HIGH text
Dolibarr ERP/CRM 10.0.1 - SQL Injection
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.
by Metin Yunus Kandemir
CVSS 7.5
EIP-2026-114028 EXPLOITDB text
WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting
by Mr Winst0n
EIP-2026-110056 EXPLOITDB text
Online Appointment - SQL Injection
by mohammad zaheri
CVE-2019-16065 EXPLOITDB HIGH text
Enigma NMS < 65.0.0 - SQL Injection via manage_hosts_short.cgi search_pattern Parameter
A remote SQL injection web vulnerability was discovered in the Enigma NMS 65.0.0 and prior web application that allows an attacker to execute SQL commands to expose and compromise the web server, expose database tables and values, and potentially execute system-based commands as the mysql user. This affects the search_pattern value of the manage_hosts_short.cgi script.
by xerubus
CVSS 8.8
CVE-2019-25443 EXPLOITDB HIGH text
inventory-webapp - Unauthenticated SQL Injection via add-item.php Parameters
Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to add-item.php to execute arbitrary database commands.
by mohammad zaheri
CVSS 8.2
EIP-2026-111577 EXPLOITDB text
Publisure Hybrid - Multiple Vulnerabilities
by Jean-Marie Bourbon
CVE-2019-15889 EXPLOITDB MEDIUM text
WordPress Download Manager < 2.9.94 - Cross-Site Scripting via Category Shortcode Parameters
The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.
by MgThuraMoeMyint
CVSS 6.1
CVE-2019-10677 EXPLOITDB MEDIUM text
DASAN Zhone ZNID GPON 2426A EU < s3.1.285 - Cross-Site Scripting via GET Parameters
Multiple Cross-Site Scripting (XSS) issues in the web interface on DASAN Zhone ZNID GPON 2426A EU version S3.1.285 devices allow a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameter: /zhndnsdisplay.cmd (name), /wlsecrefresh.wl (wlWscCfgMethod, wl_wsc_reg).
by Adam Ziaja
CVSS 6.1
CVE-2019-25471 EXPLOITDB CRITICAL text VERIFIED
FileThingie 2.5.7 - Arbitrary File Upload
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.
by cakes
CVSS 9.8
CVE-2019-16120 EXPLOITDB HIGH text
WordPress Event Tickets <4.10.7.2 - Code Injection
CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.
by MTK
CVSS 8.8
EIP-2026-117372 EXPLOITDB text
Kaseya VSA agent 9.5 - Privilege Escalation
by NF
CVE-2019-15081 EXPLOITDB MEDIUM text
OpenCart 3.0.0.0-3.0.3.1 - Authenticated Stored Cross-Site Scripting in Source/HTML Editor
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.
by Nipun Somani
CVSS 4.8
CVE-2019-14280 EXPLOITDB MEDIUM text
Craft <2.7.10-3.2.6 - Info Disclosure
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
by Mohammed Abdul Raheem
CVSS 5.3
CVE-2019-13237 EXPLOITDB MEDIUM text
Alkacon OpenCms 10.5.4-10.5.5 - Local File Inclusion via Multiple Admin Endpoints
In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.
by Aetsu
CVSS 4.3
CVE-2019-13236 EXPLOITDB MEDIUM text
Alkacon OpenCms 10.5.4-10.5.5 - Reflected and Stored Cross-Site Scripting in Management Interface
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.
by Aetsu
CVSS 6.1