Text Exploits
31,386 exploits tracked across all sources.
Brynamics Online Trade - Info Disclosure
Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for /dashboard/addplan, /dashboard/paywithcard/charge, /dashboard/withdrawal, or /privacy&terms, as demonstrated by reading database username, database password, database_name, and IP address fields, related to CVE-2018-12908.
by Dhamotharan
CVSS 9.8
Kirby 2.5.12 - Cross-Site Request Forgery in Delete Page Functionality
An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.
by Zaran Shaikh
CVSS 4.3
MusicCenter / Trivum Multiroom Setup Tool V8.76-9.34 - Auth Bypass
MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18, allow unauthorized remote attackers to reset the authentication via the "/xml/system/setAttribute.xml" URL, using the GET request "?id=0&attr=protectAccess&newValue=0" (a successful attack will allow attackers to login without authorization).
by vulnc0d3
CVSS 9.8
Nagios Core < 4.4.1 - Denial of Service via NULL Pointer Dereference in qh_echo
qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
by Fakhri Zulkifli
CVSS 5.5
Nagios < 4.4.1 - Denial of Service via qh_help NULL Pointer Dereference
qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
by Fakhri Zulkifli
CVSS 5.5
Nagios Core < 4.4.1 - Denial of Service via Crafted UNIX Socket Payload
qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
by Fakhri Zulkifli
CVSS 5.5
D-link DAP-1360 - Path Traversal / Cross-Site Scripting
by r3m0t3nu11
Splinterware System Scheduler Pro 5.12 Privilege Escalation
Splinterware System Scheduler Pro 5.12 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by modifying service executable files. Attackers can rename the WService.exe file in the installation directory and replace it with a malicious executable that executes with LocalSystem privileges when the service is triggered.
by bzyo
CVSS 8.4
NUUO NVRmini Firmware - Remote Command Execution via uploaddir Parameter
upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.
by Berk Dusunur
CVSS 9.8
Kirby 2.5.12 - Cross-Site Request Forgery
An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.
by Zaran Shaikh
CVSS 5.4
Microsoft Windows Speech Recognition - Buffer Overflow (PoC)
by Nassim Asrir
Synology DiskStation Manager 4.1 - Directory Traversal
by Berk Dusunur
msvod_cms v10 - SQL Injection via images/lists cid Parameter
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
by Hzllaga
CVSS 9.8
Touchpad / Trivum WebTouch Setup V9 V2.53 - Auth Bypass
Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09:10:14 (FW 303) allow unauthorized remote attackers to reset the authentication via the "/xml/system/setAttribute.xml" URL, using the GET request "?id=0&attr=protectAccess&newValue=0" (a successful attack will allow attackers to login without authorization).
by vulnc0d3
CVSS 9.8
TP-Link WR840N - Denial of Service via Random MAC Address Packets
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
by Aniket Dinda
CVSS 7.5
all_in_one_favicon < 4.6 - Persistent Cross-Site Scripting via Favicon Text Fields
Multiple persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text, or JPG-Text.
by Javier Olmedo
CVSS 4.8
New Threads plugin < 1.2 for MyBB - Cross-Site Scripting
The New Threads plugin before 1.2 for MyBB has XSS.
by 0xB9
CVSS 6.1
Google Chrome - Swiftshader Texture Allocation Integer Overflow
by Google Security Research
Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection
by AkkuS
Open-AudIT < 2.2.2 - Stored Cross-Site Scripting via Attribute Name
Cross-site scripting (XSS) vulnerability in Attributes functionality in Open-AudIT Community edition before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted attribute name of an Attribute.
by Ranjeet Jaiswal
CVSS 5.4
Microhard Systems IPn4G 1.1.0 - Authenticated RCE
Microhard Systems IPn4G 1.1.0 contains multiple authenticated remote code execution vulnerabilities in the admin interface that allow attackers to create crontab jobs and modify system startup scripts. Attackers can exploit hidden admin features to execute arbitrary commands with root privileges, including starting services, disabling firewalls, and writing files to the system.
by LiquidWorm
CVSS 8.8