Text Exploits
Kodi < 17.6 - Stored Cross-Site Scripting via Playlist
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
by Manuel García Cárdenas
CVSS 6.1
Brave Browser < 0.13.0 - Denial of Service via Tab Closure
Brave Browser before 0.13.0 allows a tab to close itself even if the tab was not opened by a script, resulting in denial of service.
by Sahil Tikoo
CVSS 7.5
Brave Browser < 0.13.0 - Denial of Service via Long JavaScript Alert Argument
Brave Browser before 0.13.0 allows remote attackers to cause a denial of service (resource consumption) via a long alert() argument in JavaScript code, because window dialogs are mishandled.
by Sahil Tikoo
CVSS 6.5
jdownloads < 3.2.59 - Cross-Site Scripting
The jDownloads extension before 3.2.59 for Joomla! is vulnerable to cross-site scripting (XSS).
by Sureshbabu Narvaneni
CVSS 6.1
D-Link DIR-615 T1 Firmware - Stored Cross-Site Scripting via Add User Feature
D-Link DIR-615 T1 devices allow XSS via the Add User feature.
by Sayan Chatterjee
CVSS 4.8
Windows 10 and Windows Server 2016 - Device Guard Security Feature Bypass via TOCTOU Race Condition
A security feature bypass exists when Device Guard incorrectly validates an untrusted file, aka "Device Guard Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.
by Google Security Research
CVSS 3.3
Microsoft Edge - 'OpenProcess()' ACG Bypass
by Google Security Research
Western Bridge Cobub Razor 0.8.0 - SQL Injection
A SQL Injection vulnerability exists in Western Bridge Cobub Razor 0.8.0 via the channel_name or platform parameter in a /index.php?/manage/channel/addchannel request, related to /application/controllers/manage/channel.php.
by Kyhvedn
CVSS 9.8
Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 - Authenticated Direct Object Reference
Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 allows remote authenticated users to bypass intended access restrictions via direct object reference, as demonstrated by a request for Licenseinformation.jsp. This is fixed in 10.6.5.
by Frogy
CVSS 8.8
MikroTik Router Firmware 6.41.4 - Unauthenticated Denial of Service via Malformed FTP Request
A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending a crafted FTP request on port 21 that begins with many '\0' characters, preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a "router was rebooted without proper shutdown" message.
by FarazPajohan
CVSS 7.5
Convert Forms < 2.0.4 - Remote Command Execution via CSV Injection in Leads Export
The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads file.
by Sairam Jetty
CVSS 7.8
iScripts EasyCreate 3.2.1 - Stored Cross-Site Scripting via Site Title Field
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site title" field.
by ManhNho
CVSS 5.4
DVD X Player Standard 5.5.3.9 - Buffer Overflow via Crafted PLF File
DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf file, a related issue to CVE-2007-3068.
by Prasenjit Kanti Paul
CVSS 7.8
Wuzhicms 4.1.0 - Cross-Site Request Forgery
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
by taoge
CVSS 8.8
Iptanus WordPress File Upload < 4.3.4 - Cross-Site Scripting via Settings Attributes
The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.
by ManhNho
CVSS 6.1
Iptanus WordPress File Upload < 4.3.3 - Cross-Site Scripting via Shortcode Attributes
The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes.
by ManhNho
CVSS 5.4
WordPress Activity Log < 2.4.1 - Cross-Site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
by Stefan Broeder
CVSS 6.1
iScripts EasyCreate 3.2.1 - Stored Cross-Site Scripting in Site Description Field
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" field.
by ManhNho
CVSS 5.4
Dell EMC Avamar Server 7.3.1-7.5.0 & IDPA 2.0-2.1 - Unauthenticated Credential Read/Modify via Local Download Service
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to the Dell EMC Online Support website successfully. The remote unauthenticated attacker can also read and use the credentials to log in to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
by SlidingWindow
CVSS 9.8
Google Drive for WordPress 2.2 - Path Traversal RCE via gdrive-ajaxs.php
Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name parameter. Attackers can send POST requests to gdrive-ajaxs.php with the ajaxstype parameter set to del_fl_bkp and file_name containing traversal sequences such as ../../wp-config.php to access sensitive configuration files.
by Lenon Leite
CVSS 7.5
Woocommerce CSV Importer 3.3.6 - Path Traversal File Deletion
Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename parameter to delete sensitive files like wp-config.php outside the intended export directory.
by Lenon Leite
CVSS 7.5
Simple Fields 0.2-0.3.5 - Local File Inclusion via wp_abspath
The Simple Fields WordPress plugin 0.2 through 0.3.5 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parameter on PHP versions before 5.3.4. Attackers can supply malicious wp_abspath values to simple_fields.php to include files like /etc/passwd, or inject PHP code into Apache logs for remote code execution when allow_url_include is enabled.
by Graeme Robinson
CVSS 6.2
MyBB Recent threads 17.0 - Persistent Cross-Site Scripting
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.
by Perileos
CVSS 7.2
BuddyPress Xprofile Custom Fields Type 2.6.3 - Remote Code Execution
BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server.
by Lenon Leite
CVSS 8.8