Text Exploits
31,364 exploits tracked across all sources.
Z-BlogPHP <1.5.1.1740 - Info Disclosure
In Z-BlogPHP 1.5.1.1740, there is Web Site physical path leakage, as demonstrated by admin_footer.php or admin_footer.php. NOTE: the software maintainer disputes that this is a vulnerability
by zzw
CVSS 5.3
Z-BlogPHP 1.5.1.1740 - XSS
In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability
by zzw
CVSS 6.1
Yzmcms - XSS
In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter.
by zzw
CVSS 6.1
WordPress Activity Log <2.4.1 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
by Stefan Broeder
CVSS 6.1
Joomsky JS Jobs < 1.2.1 - XSS
The Joom Sky JS Jobs extension before 1.2.1 for Joomla! has XSS.
by Sureshbabu Narvaneni
CVSS 5.4
Get-simple Getsimple Cms - XSS
Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter.
by Sureshbabu Narvaneni
CVSS 6.1
VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2)
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.
by LiquidWorm
CVSS 6.5
VideoFlow Digital Video Protection DVP 10 Authenticated Remote Code Execution
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools > System > Shell interface, gaining root-level access to the device.
by LiquidWorm
CVSS 4.3
VideoFlow Digital Video Protection DVP 2.10 - Path Traversal
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests.
by LiquidWorm
CVSS 6.5
VideoFlow DVP 2.10 - Authenticated RCE
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access.
by LiquidWorm
CVSS 4.3
WampServer 3.1.1 - XSS
Cross-site scripting (XSS) vulnerability in WampServer 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the virtual_del parameter.
by Vipin Chaudhary
CVSS 5.4
Alkacon OpenCMS 10.5.3 - XSS
Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image.
by Sureshbabu Narvaneni
CVSS 4.6
D-Link DIR-601 B1 2.02NA - Info Disclosure
An issue was discovered on D-Link DIR-601 B1 2.02NA devices. Being on the same local network as, but being unauthenticated to, the administrator's panel, a user can obtain the admin username and cleartext password in the response (specifically, the configuration file restore_default), which is displayed in XML.
by Kevin Randall
CVSS 8.0
Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change
Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites.
by Todor Donev
CVSS 9.8
Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change
Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.
by Todor Donev
CVSS 9.8
Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change
Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites.
by Todor Donev
CVSS 9.8
WP Security Audit Log <3.1.1 - Info Disclosure
An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information.
by Colette Chamberland
CVSS 5.3
Relevanssi < 4.0.4 - XSS
Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter.
by Stefan Broeder
CVSS 5.4
Contact Form 7 to Database Ext <2.10.32 - Code Injection
CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.
by Stefan Broeder
CVSS 9.6
AcySMS <3.5.1 - CSV Injection
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.
by Sureshbabu Narvaneni
CVSS 8.8
Acyba AcyMailing <5.9.6 - CSV Injection
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export.
by Sureshbabu Narvaneni
CVSS 8.8
Dlink Dir-850l Firmware < 2.06 - Authentication Bypass
An authentication bypass vulnerability on D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router (Hardware Version : A1, B1; Firmware Version : 1.02-2.06) devices potentially allows attackers to bypass SharePort Web Access Portal by directly visiting /category_view.php or /folder_view.php.
by Gem George
CVSS 9.8
Open-audit - CSRF
Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI.
by Nilesh Sapariya
CVSS 8.8
Tenda W316R Wireless Router 5.07.50 - Remote DNS Change
by Todor Donev
By Source