Exploitdb Exploits
31,346 exploits tracked across all sources.
Dolibarr ERP-CRM 8.0.4 - SQL Injection via rowid Parameter
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin/dict.php endpoint that allows attackers to execute arbitrary SQL queries. An attacker can inject SQL through the rowid POST parameter and use error-based techniques to extract sensitive database contents.
by Mehmet Onder
CVSS 8.2
Wireshark - 'get_t61_string' Heap Out-of-Bounds Read
by Google Security Research
MyT-PM 1.5.1 - SQL Injection via Charge[group_total] Parameter
MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting through the Charge[group_total] parameter. An attacker can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked-query payloads to extract sensitive database information or manipulate data.
by Mehmet Onder
CVSS 7.1
phpMoAdmin 1.1.5 - XSS
phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter during collection creation to execute arbitrary JavaScript in users' browsers.
by Ozer Goker
CVSS 6.1
phpMoAdmin 1.1.5 - XSS
phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. Attackers can craft URLs with JavaScript payloads in the newdb parameter of moadmin.php to execute arbitrary code in users' browsers when they visit the malicious link.
by Ozer Goker
CVSS 6.1
phpMoAdmin 1.1.5 - CSRF
phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. Attackers can trick authenticated users into submitting GET requests to moadmin.php with parameters like action, db, and collection to create, drop, or repair databases and collections without user consent.
by Ozer Goker
CVSS 8.8
Roxy Fileman 1.4.5 - Path Traversal
Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile.php, and fileslist.php.
by Pongtorn Angsuchotmetee, Vittawat Masaree
CVSS 9.1
Deltek Ajera Timesheets <= 9.10.16 - Code Injection
Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior is vulnerable to remote code execution via deserialization of untrusted input supplied by an authenticated user. The injected code runs with the identity of the IIS application pool that hosts the application.
by Anthony Cole
CVSS 8.8
KioWare Server <= 4.9.6 - Incorrect Permission Assignment
KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions: the ACL grants any user full control ("Everyone: (F)") over the directory and its sub-folders. In addition, the product installs a service called "KWSService" that runs as "LocalSystem", so any local user can escalate to "NT AUTHORITY\SYSTEM" by replacing the service's binary with a malicious one.
by Hashim Jawad
CVSS 7.8
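The check a practitioner would run for the misconfiguration this entry describes is `icacls C:\kioware_com` on the host, looking for an ACE that gives a low-privilege principal write-class rights on the directory a LocalSystem service loads its binary from. The script below, an added example that is not part of the advisory or of the vendor's software, parses icacls output text and flags such ACEs. The two output samples are constructed to match the entry's wording, not captured from a real install; the principal list and the rights considered write-capable are the example's assumptions.

```python
import re

# Principals any local user can act as; none of them should be able to write
# into a directory that holds a LocalSystem service's binary (assumption).
LOW_PRIV_PRINCIPALS = {
    "everyone", "builtin\\users", "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls "simple rights" that allow creating or replacing files.
WRITE_SIMPLE = {"F", "M", "W", "D"}
# icacls "specific rights" abbreviations that do the same.
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO", "GW", "GA"}

TOKEN_RE = re.compile(r"\(([^)]*)\)")


def parse_icacls(output, path):
    """Parse the text printed by `icacls <path>`: the first line is the path
    followed by its first ACE, further ACEs are on indented lines, then a
    'Successfully processed ...' summary. Returns (principal, [tokens]) pairs
    where tokens are the parenthesised items, e.g. ['OI', 'CI', 'F']."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not aces and line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # drop the path prefix on line 1
        if ":" not in line:
            continue
        principal, rights = line.split(":", 1)
        aces.append((principal.strip(), TOKEN_RE.findall(rights)))
    return aces


def ace_grants_write(tokens):
    """True if any rights token (simple or comma-separated specific) allows writing."""
    for tok in tokens:
        parts = set(tok.split(","))
        if parts & WRITE_SIMPLE or parts & WRITE_SPECIFIC:
            return True
    return False


def weak_aces(output, path):
    """ACEs that let a low-privilege principal write into `path`, as
    (principal, rights-string) pairs. Deny entries are skipped."""
    findings = []
    for principal, tokens in parse_icacls(output, path):
        if "DENY" in tokens:
            continue
        if principal.lower() in LOW_PRIV_PRINCIPALS and ace_grants_write(tokens):
            findings.append((principal, "".join("(%s)" % t for t in tokens)))
    return findings


# Constructed sample shaped like the output the entry describes ("Everyone: (F)"
# on the install directory); not captured from a real host.
WEAK_SAMPLE = r"""C:\kioware_com Everyone:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(F)
               BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample of the same directory after the Everyone grant is removed:
# only SYSTEM and Administrators keep write access.
FIXED_SAMPLE = r"""C:\kioware_com NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for sample in (WEAK_SAMPLE, FIXED_SAMPLE):
        found = weak_aces(sample, r"C:\kioware_com")
        for principal, rights in found:
            print("WEAK: %s has %s" % (principal, rights))
        if not found:
            print("OK: no low-privilege write access")
```

On a real host, capture `icacls <service-binary-directory>` and pass the text to `weak_aces`; a finding means any interactive user can swap the service binary, which is the escalation the entry describes.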
WordPress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation
by Noman Riffat
Roxy Fileman 1.4.5 - Unrestricted File Upload
Roxy Fileman 1.4.5 allows unrestricted file upload in upload.php.
by Pongtorn Angsuchotmetee, Vittawat Masaree
CVSS 9.8
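The two Roxy Fileman entries (directory traversal in copydir.php, copyfile.php and fileslist.php, and unrestricted upload in upload.php) are the two checks every web file manager needs: a client-supplied path must be confined to the managed directory, and an uploaded name and content must be vetted before the file lands under the web root. The Python below is an added example of both checks and is not Roxy Fileman's code (which is PHP) nor a patch for it; the base directory, the allowed and executable extension sets, and the magic-byte table are the example's own assumptions.

```python
import os
import posixpath
import re

# Upload policy (assumptions for the example).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Rejected anywhere in the name so "shell.php.jpg" and ".htaccess" fail too.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                  "htaccess", "cgi", "pl", "asp", "aspx", "jsp", "jspx", "sh"}
# Leading bytes expected for the binary types in ALLOWED_EXT.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def resolve_within(base_dir, user_path):
    """Map a client-supplied relative path (the kind copydir/copyfile/fileslist
    take) onto base_dir. Returns the canonical absolute path, or None if the
    result would lie outside base_dir. Both sides are canonicalised, so '..'
    segments and symlinks cannot cross the boundary. A leading slash is
    stripped, i.e. absolute input is treated as relative to base_dir."""
    if "\x00" in user_path:
        return None
    base = os.path.realpath(base_dir)
    rel = user_path.replace("\\", "/").lstrip("/")   # PHP side may run on Windows
    candidate = os.path.realpath(os.path.join(base, rel))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def validate_upload(filename, head):
    """Return a safe basename to store the upload under, or None to reject.
    `head` is the first bytes of the uploaded content, checked against the
    magic expected for the claimed extension."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name:
        return None
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:          # no extension, or dot-file
        return None
    ext = parts[-1]
    if ext not in ALLOWED_EXT or any(p in EXECUTABLE_EXT for p in parts[1:]):
        return None
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return None
    return SAFE_CHARS.sub("_", name)


if __name__ == "__main__":
    base = "/srv/files"   # assumed managed directory; need not exist for this demo
    for p in ("docs/report.pdf", "../../etc/passwd", "..\\..\\etc\\passwd"):
        print("%-22s -> %s" % (p, resolve_within(base, p)))
    for n, h in (("photo.jpg", b"\xff\xd8\xff\xe0"), ("shell.php.jpg", b"\xff\xd8\xff"),
                 ("img.png", b"<?php echo 1;"), ("../../evil.png", b"\x89PNG\r\n\x1a\n")):
        print("%-22s -> %s" % (n, validate_upload(n, h)))
```

The traversal check compares canonical paths rather than searching the input for "..", so encodings and mixed separators that normalise to a parent reference are caught as well; the upload check rejects executable extensions in any position of the name because some servers map multi-extension files by an inner suffix.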
OUGC Awards < 1.8.19 - XSS
The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile.
by 0xB9
CVSS 4.8
LayerBB 1.1.1 - XSS
LayerBB 1.1.1 allows XSS via the titles of conversations (PMs).
by 0xB9
CVSS 6.1
Embed Video Scripts - Persistent Cross-Site Scripting
by Deyaa Muhammad
All in One Video Downloader 1.2 - (Authenticated) SQL Injection
by Deyaa Muhammad
ChinaMobile PLC Wireless Router - XSS
ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00 have XSS via the cgi-bin/webproc?getpage=html/index.html var:subpage parameter.
by Kumar Saurav
CVSS 6.1
Microsoft Windows - Windows Error Reporting Local Privilege Escalation
by SandboxEscaper
WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection
by Kaimi
Frog CMS 0.9.5 - XSS
Frog CMS 0.9.5 has XSS via the Database name field to the /install/index.php URI.
by WangDudu
CVSS 5.4
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
by Kaimi
Craft CMS 3.0.25 - XSS
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
by Raif Berkay Dincel
CVSS 4.8
Bludit 3.0.0 - RCE
Bludit version 3.0.0 contains an Unrestricted Upload of File with Dangerous Type vulnerability in the content upload of the Pages Editor that can result in remote command execution. The attack is carried out by a malicious user uploading a crafted payload containing PHP code.
by BouSalman
CVSS 8.8
FrontAccounting 2.4.5 - SQL Injection
FrontAccounting 2.4.5 contains a time-based blind SQL injection vulnerability in the "filterType" parameter of /attachments.php that can allow an attacker to extract the entire application database.
by Sainadh Jamalpur
CVSS 7.5
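Three entries on this page (Dolibarr's rowid, MyT-PM's Charge[group_total], FrontAccounting's filterType) describe the same three injection styles: error-based, time-based blind, and stacked queries, all delivered in form parameters. The detector below is an added example, not code from any of those projects or advisories: it parses form-encoded parameter strings as a WAF or application log would preserve them and labels each value with the styles whose signatures it carries. The request records are constructed for the example (the endpoints are the ones the entries name, the payloads are generic), and the signature list is the example's own, deliberately short.

```python
import re
from urllib.parse import parse_qs

# Signatures for the three injection styles the entries name, matched against
# the URL-decoded, lower-cased parameter value. Short by design (assumption).
SIGNATURES = {
    "error-based": [
        r"\bextractvalue\s*\(", r"\bupdatexml\s*\(",
        r"\bfloor\s*\(\s*rand\s*\(", r"\bexp\s*\(\s*~",
    ],
    "time-based": [
        r"\bsleep\s*\(", r"\bbenchmark\s*\(", r"\bpg_sleep\s*\(",
        r"\bwaitfor\s+delay\b",
    ],
    "stacked": [
        r";\s*(select|insert|update|delete|drop|create|alter|exec|declare|waitfor)\b",
    ],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in SIGNATURES.items()}


def classify_value(value):
    """Injection styles whose signatures appear in one decoded parameter value."""
    text = value.lower()
    return [name for name, pats in COMPILED.items() if any(p.search(text) for p in pats)]


def scan(records):
    """records: (path, form-encoded parameter string) pairs, e.g. a POST body
    or query string as logged. Returns (path, param, styles) for every value
    that matches at least one signature; clean values produce nothing."""
    findings = []
    for path, encoded in records:
        for param, values in parse_qs(encoded, keep_blank_values=True).items():
            for value in values:
                styles = classify_value(value)
                if styles:
                    findings.append((path, param, styles))
    return findings


# Constructed request records: endpoints from the entries, generic payloads.
SAMPLE_REQUESTS = [
    ("/admin/dict.php", "rowid=1%20AND%20extractvalue(1,concat(0x7e,version()))"),
    ("/admin/dict.php", "rowid=17"),
    ("/charge/admin", "Charge%5Bgroup_total%5D=1%20AND%20SLEEP(5)"),
    ("/charge/admin", "Charge%5Bgroup_total%5D=1%3BDROP%20TABLE%20x--"),
    ("/attachments.php", "filterType=1'%20AND%20SLEEP(5)%20AND%20'1'='1"),
    ("/attachments.php", "filterType=invoice"),
]

if __name__ == "__main__":
    for path, param, styles in scan(SAMPLE_REQUESTS):
        print("%s %s: %s" % (path, param, ", ".join(styles)))
```

Because the payloads travel in POST bodies, a plain access log never shows them; the detector only works on a source that records decoded parameters, which is the practical reason to log bodies (with secrets redacted) for administrative endpoints such as these.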