Text Exploits

31,386 exploits tracked across all sources.

CVE-2019-8404 EXPLOITDB MEDIUM text
Webiness Inventory 2.3 - Arbitrary File Upload via Product Image
An issue was discovered in Webiness Inventory 2.3. The ProductModel component allows Arbitrary File Upload via a crafted product image during the creation of a new product. Consequently, an attacker can steal information from the site with the help of an installed executable file, or change the contents of pages.
by Mehmet EMIROGLU
CVSS 6.5
CVE-2019-8391 EXPLOITDB MEDIUM text
qdPM 9.1 - Cross-Site Scripting via Configuration Type Parameter
qdPM 9.1 suffers from Cross-site Scripting (XSS) via the configuration?type=[XSS] parameter.
by Mehmet EMIROGLU
CVSS 6.1
CVE-2019-8390 EXPLOITDB MEDIUM text
qdPM 9.1 - Cross-Site Scripting via Search Keywords Parameter
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.
by Mehmet EMIROGLU
CVSS 6.1
EIP-2026-104160 EXPLOITDB text
Apache CouchDB 2.3.0 - Cross-Site Scripting
by Ozer Goker
CVE-2019-8394 EXPLOITDB MEDIUM text
ManageEngine ServiceDesk Plus < 10.0 - Unauthenticated Arbitrary File Upload via Login Page Customization
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
by Dao Duy Hung
CVSS 6.5
EIP-2026-102333 EXPLOITDB text VERIFIED
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions
by Google Security Research
EIP-2026-102332 EXPLOITDB text VERIFIED
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass
by Google Security Research
EIP-2026-102331 EXPLOITDB text VERIFIED
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process
by Google Security Research
EIP-2026-102330 EXPLOITDB text VERIFIED
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour
by Google Security Research
CVE-2019-25669 EXPLOITDB HIGH text
qdPM 9.1 SQL Injection via search_by_extrafields Parameter
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Attackers can send POST requests to the users endpoint with malicious search_by_extrafields[] values to trigger SQL syntax errors and extract database information.
by Mehmet EMIROGLU
CVSS 8.2
CVE-2018-14575 EXPLOITDB HIGH text
Trash Bin plugin 1.1.3 for MyBB - XSS/CSRF
Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject.
by 0xB9
CVSS 8.8
CVE-2019-6974 EXPLOITDB HIGH text VERIFIED
Linux kernel <4.20.8 - Use After Free
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.
by Google Security Research
CVSS 8.1
EIP-2026-117145 EXPLOITDB text
exacqVision ESM 5.12.2 - Privilege Escalation
by bzyo
CVE-2018-20556 EXPLOITDB HIGH text
Booking Calendar 8.4.3 - SQL Injection via booking_id Parameter
SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.
by B0UG
CVSS 8.8
CVE-2018-17996 EXPLOITDB MEDIUM text
LayerBB < 1.1.3 - Cross-Site Request Forgery via Admin and Moderator Endpoints
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/.
by 0xB9
CVSS 6.5
CVE-2018-20009 EXPLOITDB MEDIUM text VERIFIED
DomainMOD 4.09.03-4.11.01 - Stored Cross-Site Scripting via SSL Provider Name or URL Field
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Provider Name or SSL Provider URL field.
by Mohammed Abdul Raheem
CVSS 4.8
CVE-2018-20010 EXPLOITDB MEDIUM text VERIFIED
DomainMOD 4.09.03-4.11.01 - Stored Cross-Site Scripting via SSL Provider Account Username Field
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field.
by Mohammed Abdul Raheem
CVSS 4.8
CVE-2018-20011 EXPLOITDB MEDIUM text VERIFIED
DomainMOD 4.09.03-4.11.01 - Cross-Site Scripting via Category Name or Stakeholder Field
DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.
by Mohammed Abdul Raheem
CVSS 4.8
CVE-2018-19915 EXPLOITDB MEDIUM text VERIFIED
DomainMOD 4.09.03-4.11.01 - Stored Cross-Site Scripting via Web Host Name or URL Field
DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
by Mohammed Abdul Kareem
CVSS 4.8
CVE-2018-19914 EXPLOITDB MEDIUM text VERIFIED
DomainMOD 4.09.03-4.11.01 - Stored Cross-Site Scripting via Profile Name or Notes Field
DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
by Mohammed Abdul Kareem
CVSS 4.8
CVE-2019-25672 EXPLOITDB HIGH text
PilusCart 1.4.1 SQL Injection via send Parameter
PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Attackers can submit POST requests to the comment submission endpoint with RLIKE-based boolean SQL injection payloads to extract sensitive database information.
by Mehmet EMIROGLU
CVSS 8.2
CVE-2019-7541 EXPLOITDB MEDIUM text
Rukovoditel < 2.4.1 - Cross-Site Scripting via URL Without Login Module
Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.
by Mehmet EMIROGLU
CVSS 6.1
CVE-2019-25377 EXPLOITDB MEDIUM text
OPNsense 19.1 - Reflected Cross-Site Scripting via system_advanced_sysctl.php Value Parameter
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions.
by Ozer Goker
CVSS 5.4
CVE-2019-25376 EXPLOITDB MEDIUM text
OPNsense 19.1 - Unauthenticated Reflected Cross-Site Scripting via Proxy Endpoint ignoreLogACL Parameter
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers.
by Ozer Goker
CVSS 6.1
CVE-2019-25375 EXPLOITDB MEDIUM text
OPNsense 19.1 - Unauthenticated Reflected Cross-Site Scripting via Monit Interface Mailserver Parameter
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.
by Ozer Goker
CVSS 6.1