Text Exploits

31,386 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-109794 EXPLOITDB text
MySQL Blob Uploader 1.7 - 'download.php' SQL Injection / Cross-Site Scripting
by AkkuS
EIP-2026-109524 EXPLOITDB text
Mobile Card Selling Platform 1 - Cross-Site Request Forgery
by L0RD
EIP-2026-109375 EXPLOITDB text
Mcard Mobile Card Selling Platform 1 - SQL Injection
by L0RD
EIP-2026-107467 EXPLOITDB text
GPSTracker 1.0 - 'id' SQL Injection
by AkkuS
EIP-2026-107409 EXPLOITDB text
Gigs 2.0 - 'username' SQL Injection
by AkkuS
EIP-2026-106947 EXPLOITDB text
eWallet Online Payment Gateway 2 - Cross-Site Request Forgery
by L0RD
EIP-2026-106737 EXPLOITDB text
EasyService Billing 1.0 - SQL Injection / Cross-Site Scripting
by AkkuS
EIP-2026-106736 EXPLOITDB text
EasyService Billing 1.0 - 'p1' SQL Injection
by AkkuS
EIP-2026-103280 EXPLOITDB text
Honeywell Scada System - Information Disclosure
by t4rkd3vilz
EIP-2026-102007 EXPLOITDB text
SKT LTE Wi-Fi SDT-CW3B1 - Unauthorized Admin Credential Change
by Safak Aslan
CVE-2018-10751 EXPLOITDB MEDIUM text VERIFIED
Samsung Mobile - Memory Corruption via OMACP WbXml String Extension Processing
A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string. The Samsung ID is SVE-2018-11463.
by Google Security Research
CVSS 5.3
CVE-2018-25339 EXPLOITDB HIGH text
Zechat 1.5 SQL Injection via v parameter (time-based blind)
Zechat 1.5 contains a SQL injection vulnerability in the v parameter that allows unauthenticated attackers to extract database information using time-based blind techniques. Attackers can exploit the v parameter with sleep-based blind injection to confirm vulnerability and extract data.
by L0RD
CVSS 8.2
CVE-2018-25338 EXPLOITDB HIGH text
Zechat 1.5 SQL Injection via hashtag parameter
Zechat 1.5 contains a SQL injection vulnerability in the hashtag parameter that allows unauthenticated attackers to extract database information using union-based techniques. Attackers can exploit the hashtag parameter with union-based payloads to retrieve table and column names.
by L0RD
CVSS 8.2
CVE-2018-25334 EXPLOITDB MEDIUM text
Zechat 1.5 Cross-Site Request Forgery (CSRF) via hashtag parameter
Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but an attacker can use the hashtag parameter to inject an encoded payload and bypass the CSRF protection, allowing for unauthorized changes to user data. This can be exploited by tricking a user into submitting a crafted form or by using a script to obtain and set the CSRF token.
by L0RD
CVSS 5.4
CVE-2018-25333 EXPLOITDB HIGH text
Nordex N149/4.0-4.5 Wind Turbine Web Server SQL Injection
Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the login parameter in login.php. Attackers can submit crafted POST requests with SQL injection payloads in the login field to extract sensitive database information and bypass authentication mechanisms.
by t4rkd3vilz
CVSS 8.2
CVE-2018-8897 EXPLOITDB HIGH text VERIFIED
Intel 64 and IA-32 Architectures - Privilege Escalation
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
by Can Bölük
CVSS 7.8
EIP-2026-113361 EXPLOITDB text
WebSocket Live Chat - Cross-Site Scripting
by Alireza Norkazemi
EIP-2026-110496 EXPLOITDB text
PaulPrinting CMS Printing 1.0 - SQL Injection
by Mehmet Onder
EIP-2026-109919 EXPLOITDB text
NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
by AkkuS
EIP-2026-109918 EXPLOITDB text
NewsBee CMS 1.4 - 'download.php' SQL Injection
by AkkuS
EIP-2026-107971 EXPLOITDB text
iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery
by L0RD
EIP-2026-107067 EXPLOITDB text
Feedy RSS News Ticker 2.0 - 'cat' SQL Injection
by AkkuS
EIP-2026-106695 EXPLOITDB text
Easy File Uploader 1.7 - SQL Injection / Cross-Site Scripting
by AkkuS
EIP-2026-105304 EXPLOITDB text
Auto Car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting
by L0RD
CVE-2014-2908 EXPLOITDB text
SIMATIC S7-1200 CPU 2.x-3.x - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
by t4rkd3vilz