Text Exploits
31,383 exploits tracked across all sources.
Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
by Sandeep Vishwakarma
Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)
by Sandeep Vishwakarma
Gibbon < 26.0.00 - Server-Side Template Injection via Messenger Settings
Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.
by Ali Maharramli_Fikrat Guliev_Islam Rzayev
CVSS 9.8
E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
by Sandeep Vishwakarma
Axigen Mail Server < 10.5.7 - Cross-Site Scripting via serverName_input Parameter
Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.
by Vincent McRae_ Mesut Cetin
CVSS 9.6
Casdoor < 1.331.0 - Cross-Site Request Forgery via Password Reset Endpoint
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
by Van Lam Nguyen
CVSS 6.5
Purei CMS 1.0 - SQL Injection via getAllParks.php and events-ajax.php Endpoints
Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information.
by Number 7
liveSite 2019.1 - Remote Code Execution via edit_designer_region.php or add_email_campaign.php
liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulenrabiity via the component /livesite/edit_designer_region.php or /livesite/add_email_campaign.php.
by tmrswrr
CVSS 9.8
Phpgurukul Tourism Management System 2.0 - Unrestricted Upload of File with Dangerous Type via Change Image Endpoint
Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. When updating a current package, there are no checks for what types of files are uploaded from the image.
by SoSPiro
CVSS 8.1
SPA-CART CMS 1.9.0.3 - Authenticated Stored Cross-Site Scripting via Product Description Parameter
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers.
by Eren Sen
CVSS 7.5
Lime Survey CE <v.5.3.32+220817 - XSS
Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function.
by Subhankar Singh
CVSS 6.1
Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS
by Hakkı TOKLU
CSZCMS 1.3.0 - Authenticated SQL Injection via Members View Parameter
CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information.
by Abdulaziz Almetairy
CVSS 8.8
phpgurukul Teacher Subject Allocation Management System 1.0 - SQL Injection via searchdata Parameter
SQL Injection vulnerability in index.php in phpgurukul Teacher Subject Allocation Management System 1.0 allows attackers to run arbitrary SQL commands and obtain sensitive information via the 'searchdata' parameter.
by Ersin Erenler
CVSS 7.5
Employee Management System v1.0 - SQL Injection via admin_id Parameter
SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php.
by Shubham Pandey
CVSS 9.8
Code-Projects Blood Bank 1.0 - SQL Injection
SQL Injection vulnerability in delete.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via the 'bid' parameter.
by Ersin Erenler
CVSS 7.8
WEBIGniter 28.7.23 - Unauthenticated Cross-Site Scripting in User Creation Process
WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to execute malicious JavaScript code, enabling potential XSS attacks.
by Mesut Cetin
xbtitFM 4.1.18 - Authenticated Arbitrary PHP File Upload via File Hosting Feature
xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.
by h5kj23kj32io2kj
CVSS 7.2
xbtitFM 4.1.18 - Unauthenticated Path Traversal via URL Parameter Manipulation
xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like using encoded path traversal characters in HTTP requests.
by h5kj23kj32io2kj
CVSS 7.5
By Source