Text Exploits
31,386 exploits tracked across all sources.
Matrix MLM Script 1.0 - Information Disclosure
by Ihsan Sencan
Nelson Open Source ERP 6.3.1 - SQL Injection via Query Parameter
Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter.
by Emre ÖVÜNÇ
CVSS 9.8
Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery
Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent.
by SajjadBnd
CVSS 4.3
BlogEngine.NET 3.3 - XML External Entity (XXE)
BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.
by Netsparker
CVSS 9.8
Windows 10 and Windows Server 2016/2019 - Elevation of Privilege via ALPC
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.
by Google Security Research
CVSS 7.8
ZTE MF65 and MF65M1 Firmware < 1.0.0b05 - Cross-Site Scripting
All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are affected by a cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices.
by Nathu Nandwani
CVSS 6.1
Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.
by Mehmet Onder
CVSS 8.2
Wireshark - 'get_t61_string' Heap Out-of-Bounds Read
by Google Security Research
All in One Video Downloader 1.2 SQL Injection via admin page-edit
All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames, databases, and version details.
by Deyaa Muhammad
CVSS 8.2
MyT-PM 1.5.1 SQL Injection via Charge[group_total] Parameter
MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.
by Mehmet Onder
CVSS 7.1
phpMoAdmin 1.1.5 - Unauthenticated Stored Cross-Site Scripting via Collection Parameter
phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter during collection creation to execute arbitrary JavaScript in users' browsers.
by Ozer Goker
CVSS 6.1
phpMoAdmin 1.1.5 - Unauthenticated Reflected Cross-Site Scripting via newdb Parameter
phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. Attackers can craft URLs with JavaScript payloads in the newdb parameter of moadmin.php to execute arbitrary code in users' browsers when they visit the malicious link.
by Ozer Goker
CVSS 6.1
phpMoAdmin 1.1.5 - Cross-Site Request Forgery via moadmin.php
phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. Attackers can trick authenticated users into submitting GET requests to moadmin.php with parameters like action, db, and collection to create, drop, or repair databases and collections without user consent.
by Ozer Goker
CVSS 8.8
Roxy Fileman 1.4.5 - Path Traversal via copydir.php, copyfile.php, and fileslist.php
Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile.php, and fileslist.php.
by Pongtorn Angsuchotmetee, Vittawat Masaree
CVSS 9.1
Deltek Ajera Timesheets <9.10.16 - Code Injection
Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior is vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code runs as the IIS Application Pool identity that is running the application.
by Anthony Cole
CVSS 8.8
kioware_server < 4.9.6 - Unauthenticated Privilege Escalation via Weak Directory Permissions
KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions, granting any user full control "Everyone: (F)" over the contents of the directory and its sub-folders. In addition, the program installs a service called "KWSService" which runs as "Localsystem". This allows any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a malicious one.
by Hashim Jawad
CVSS 7.8
WordPress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation
by Noman Riffat
Roxy Fileman 1.4.5 - Unrestricted File Upload via upload.php
Roxy Fileman 1.4.5 allows unrestricted file upload in upload.php.
by Pongtorn Angsuchotmetee, Vittawat Masaree
CVSS 9.8
ougc_awards < 1.8.19 - Stored Cross-Site Scripting via Award Reason
The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile.
by 0xB9
CVSS 4.8