Text Exploits
31,383 exploits tracked across all sources.
GYM MS - GYM Management System - Cross Site Scripting (Stored)
by yozgatalperen1
Curfew e-Pass Management System 1.0 - FromDate SQL Injection
by Puja Dey
Clinic's Patient Management System 1.0 - Unauthenticated RCE
by Oğulcan Hami Gül
TP-Link TL-WR740N - UnAuthenticated Directory Transversal
by Syed Affan Ahmed (ZEROXINN)
TP-LINK TL-WR740N - Multiple HTML Injection
by Shujaat Amin (ZEROXINN)
Electrolink FM/DAB/TV Transmitter - Pre-Auth MPFS Image Remote Code Execution
by LiquidWorm
Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure
by LiquidWorm
Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass
by LiquidWorm
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure
by LiquidWorm
Electrolink FM/DAB/TV Transmitter - Unauthenticated Remote DoS
by LiquidWorm
EmbedThis GoAhead 2.5 - Code Injection
goform/formTest in EmbedThis GoAhead 2.5 allows HTML injection via the name parameter.
by Syed Affan Ahmed (ZEROXINN)
CVSS 7.2
RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC
by LiquidWorm
WordPress Sonaar Music Plugin 4.7 Stored XSS via Comments
WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages.
by Furkan Karaarslan
CVSS 7.2
Atcom 100M IP Phones <2.7.x.x - Command Injection
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.
by Mohammed Adel
CVSS 8.8
WebIGniter 28.7.23 - Authenticated Remote Code Execution via Media File Upload
WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage any created account to upload malicious PHP scripts that enable remote code execution on the application server.
by nu11secur1ty
Coppermine Gallery 1.6.25 - Authenticated RCE
Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and execute arbitrary code by accessing the uploaded plugin script.
by Mirabbas Ağalarov
CVSS 8.8
Tinycontrol LAN Controller <1.58a - DoS
Tinycontrol LAN Controller v3 (LK3) firmware versions up to 1.58a (hardware v3.8) contain a missing authentication vulnerability in the stm.cgi endpoint. A remote, unauthenticated attacker can send crafted requests to forcibly reboot the device or restore factory settings, leading to a denial of service and configuration loss.
by LiquidWorm
Tinycontrol LAN Controller < 1.58a - Unauthenticated Authentication Bypass via /stm.cgi Endpoint
Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls and modify administrative credentials.
by LiquidWorm
CVSS 9.8
Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)
by Moein Shahabi