Exploitdb Exploits

31,341 exploits tracked across all sources.

CVE-2023-53893 EXPLOITDB MEDIUM text
Ateme TITAN File 3.9.12.4 - SSRF
Ateme TITAN File 3.9.12.4 contains an authenticated server-side request forgery vulnerability in the job callback URL parameter that allows attackers to bypass network restrictions. Attackers can exploit the unvalidated parameter to initiate file, service, and network enumeration by forcing the application to make HTTP, DNS, or file requests to arbitrary destinations.
by LiquidWorm
CVSS 6.5
CVE-2023-38904 EXPLOITDB MEDIUM text VERIFIED
Netlify CMS <2.10.192 - XSS
A Cross Site Scripting (XSS) vulnerability in Netlify CMS v.2.10.192 allows a remote attacker to execute arbitrary code via a crafted payload to the body parameter of the new post function.
by tmrswrr
CVSS 5.4
CVE-2023-36165 EXPLOITDB text
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
by Idan Malihi
CVE-2023-36164 EXPLOITDB text
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
by Idan Malihi
CVE-2023-36166 EXPLOITDB text
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
by Idan Malihi
CVE-2023-36167 EXPLOITDB text
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
by Idan Malihi
EIP-2026-114679 EXPLOITDB text
Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)
by Sander Ferdinand
CVE-2023-36163 EXPLOITDB MEDIUM text
IP-DOT BuildaGate <v.BuildaGate5 - XSS
Cross Site Scripting vulnerability in IP-DOT BuildaGate v.BuildaGate5 allows a remote attacker to execute arbitrary code via a crafted script to the mc parameter of the URL.
by Idan Malihi
CVSS 6.1
CVE-2022-21907 EXPLOITDB CRITICAL text
HTTP Protocol Stack - RCE
HTTP Protocol Stack Remote Code Execution Vulnerability
by nu11secur1ty
CVSS 9.8
EIP-2026-107034 EXPLOITDB text VERIFIED
Faculty Evaluation System v1.0 - SQL Injection
by Andrey Stoykov
CVE-2023-33131 EXPLOITDB HIGH text
Microsoft Outlook - RCE
Microsoft Outlook Remote Code Execution Vulnerability
by nu11secur1ty
CVSS 8.8
EIP-2026-111298 EXPLOITDB text
Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
by Okan Kurtulus
CVE-2023-33145 EXPLOITDB MEDIUM text
Microsoft Edge < - Info Disclosure
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
by nu11secur1ty
CVSS 6.5
EIP-2026-105720 EXPLOITDB text
Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
by CraCkEr
EIP-2026-105435 EXPLOITDB text
Beauty Salon Management System v1.0 - SQLi
by Fatih Nacar
CVE-2023-37602 EXPLOITDB MEDIUM text
Alkacon Opencms - XSS
An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
by tmrswrr
CVSS 6.1
CVE-2023-53903 EXPLOITDB MEDIUM text VERIFIED
WebsiteBaker 2.13.3 - XSS
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53902 EXPLOITDB MEDIUM text VERIFIED
WebsiteBaker 2.13.3 - Path Traversal
WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory.
by Mirabbas Ağalarov
CVSS 6.5
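The WebsiteBaker entry above is the textbook shape of a deletion endpoint trusting a directory parameter. As an added example (not WebsiteBaker's code), here is the containment check such a handler should apply before unlinking anything. It assumes the handler receives the already URL-decoded directory and file name from the query string and has a fixed media root; the media root and the sample requests are constructed for the demonstration and no files are touched.

```python
import os

def resolve_media_target(media_root: str, dir_param: str, filename: str) -> str:
    """Map a user-supplied directory and file name onto a path inside media_root.

    Raises ValueError for anything that would resolve outside the media root.
    dir_param and filename are assumed to be the already URL-decoded query values.
    """
    for part in (dir_param, filename):
        if "\x00" in part:
            raise ValueError("NUL byte in path component")
    # The file name must be a bare name: no separators, no '.' or '..'.
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError(f"invalid file name {filename!r}")
    # An absolute directory would make os.path.join discard media_root entirely.
    if os.path.isabs(dir_param):
        raise ValueError(f"absolute directory rejected: {dir_param!r}")
    root = os.path.realpath(media_root)
    # realpath collapses '..' segments and follows symlinks, so the containment
    # test below runs against the path the OS would actually delete.
    target = os.path.realpath(os.path.join(root, dir_param, filename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes media root: {dir_param!r}/{filename!r}")
    return target

def is_safe_delete(media_root: str, dir_param: str, filename: str) -> bool:
    """True if the delete request stays inside media_root, False if it would be rejected."""
    try:
        resolve_media_target(media_root, dir_param, filename)
        return True
    except ValueError:
        return False

# Constructed requests against a hypothetical media root (nothing is deleted).
MEDIA_ROOT = "/var/www/media"
SAMPLE_REQUESTS = [
    ("images", "logo.png"),                 # legitimate
    ("", "upload.txt"),                     # top level of the media root
    ("../../../etc", "passwd"),             # classic traversal in the directory parameter
    ("images/../../config", "config.php"),  # traversal hidden behind a valid prefix
    ("images", "../logo.png"),              # traversal in the file name
    ("/etc", "passwd"),                     # absolute directory
]

if __name__ == "__main__":
    for dir_param, filename in SAMPLE_REQUESTS:
        verdict = "allow" if is_safe_delete(MEDIA_ROOT, dir_param, filename) else "reject"
        print(f"{dir_param!r:26} {filename!r:14} -> {verdict}")
```

The check is done on the resolved path rather than by stripping `../` sequences from the input: stripping can be bypassed by nesting (`....//`) or by a symlink inside the media directory, while comparing `realpath` results catches both.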
CVE-2023-53901 EXPLOITDB MEDIUM text
WBCE CMS 1.6.1 - XSS
WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53900 EXPLOITDB HIGH text
Spip 4.1.10 - XSS
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.
by nu11secur1ty
CVSS 8.8
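The WebsiteBaker SVG entry above (script tags inside an uploaded SVG) and this Spip entry (an SVG whose link points at an attacker URL) both come from treating SVG as a plain image format. As an added example, not code from either project, the check below parses an uploaded SVG and reports the constructs that make it active content: `<script>` and `<foreignObject>` elements, `on*` event-handler attributes, `javascript:` URLs, `href`/`xlink:href` values that point anywhere other than a fragment inside the file, and `url(...)` loads in styles. The size limit and the sample files are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
MAX_SVG_BYTES = 512 * 1024   # hypothetical upload limit; bounds parser work on oversized input

def _local(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list:
    """Return the reasons an uploaded SVG should be rejected (empty list means clean)."""
    if len(data) > MAX_SVG_BYTES:
        return ["file exceeds size limit"]
    try:
        # expat does not fetch external entities; for production use the defusedxml
        # parser (not stdlib) so internal entity-expansion bombs are stopped as well.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append(f"<{tag}> element")
        if tag == "style" and el.text and "url(" in el.text.lower():
            findings.append("<style> element loading external resources")
        for name, raw in el.attrib.items():
            attr = _local(name).lower()
            value = raw.strip()
            compact = "".join(value.split()).lower()   # defeat whitespace-obfuscated schemes
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif "javascript:" in compact:
                findings.append(f"javascript: URL in {attr} on <{tag}>")
            elif name in ("href", XLINK_HREF) and not value.startswith("#"):
                findings.append(f"non-fragment href on <{tag}>: {value}")
            elif attr == "style" and "url(" in compact:
                findings.append(f"style attribute loading external resources on <{tag}>")
    return findings

def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)

# Constructed samples (attacker.example is a placeholder host).
SVG_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
SVG_LINK = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="http://attacker.example/"><rect width="10" height="10"/></a></svg>')
SVG_HANDLER = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<a href="javascript:alert(1)"><text>x</text></a></svg>')
SVG_CLEAN = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<defs><circle id="c" r="5"/></defs><use xlink:href="#c"/></svg>')

if __name__ == "__main__":
    for label, data in [("script", SVG_SCRIPT), ("link", SVG_LINK),
                        ("handler", SVG_HANDLER), ("clean", SVG_CLEAN)]:
        print(f"{label:8} {svg_findings(data) or 'ok'}")
```

Rejecting is simpler and safer than sanitising: an SVG that needs scripts or external links has no business being an uploaded image. Files that pass should still be served with `Content-Type: image/svg+xml` and a restrictive `Content-Security-Policy`, or from a separate origin, because referencing them in an `<img>` tag is safe but opening them directly is not.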
CVE-2023-53899 EXPLOITDB CRITICAL text
PodcastGenerator 3.2.9 - SSRF
PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.
by Mirabbas Ağalarov
CVSS 9.8
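Both the Ateme TITAN entry (an unvalidated job callback URL) and this PodcastGenerator entry (a user-controlled endpoint reached during episode creation) are cases of the application fetching a URL the request supplied. As an added example, not code from either product, this validator applies the checks a callback parameter needs before the server connects: an allow-list of schemes, no credentials in the URL, and resolution of the host with every returned address checked against non-global ranges (loopback, RFC 1918, link-local including the 169.254.169.254 metadata address, IPv4-mapped IPv6). The DNS table and sample URLs are constructed so the block runs offline; `system_resolver` is the real lookup.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def system_resolver(host: str) -> list:
    """Resolve host to all of its addresses with the system resolver (needs network).
    getaddrinfo also accepts disguised literals such as '2130706433' (decimal 127.0.0.1)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_forbidden(ip) -> bool:
    """True unless the address is globally routable unicast.

    is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16 and fe80::/10),
    multicast, reserved, unspecified, shared address space and documentation ranges.
    """
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is loopback in disguise
    return not ip.is_global

def validate_callback_url(url: str, resolver=system_resolver):
    """Return (ok, reason, pinned_ip).

    pinned_ip is the address the caller should actually connect to (sending the
    original Host header), so a second DNS answer cannot swap in an internal host
    after validation (DNS rebinding).
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
        _ = parts.port                # raises ValueError on a malformed port
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if not host:
        return False, "missing host", None
    if has_userinfo:
        return False, "credentials in URL not allowed", None
    try:
        addrs = resolver(host)
    except (OSError, ValueError) as exc:
        return False, f"could not resolve {host!r}: {exc}", None
    if not addrs:
        return False, f"{host!r} has no addresses", None
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r} for {host!r}", None
        if is_forbidden(ip):
            return False, f"{host!r} resolves to forbidden address {addr}", None
    return True, "ok", addrs[0]

# Constructed resolver table for offline use. evil.example models attacker-controlled
# split-horizon DNS that returns one public and one internal address.
FAKE_DNS = {
    "callback.example": ["8.8.8.8"],
    "evil.example": ["1.1.1.1", "10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
}

def fake_resolver(host: str) -> list:
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    return [str(ipaddress.ip_address(host))]   # IP literal; ValueError for anything else

SAMPLE_URLS = [
    "https://callback.example/jobs/done",
    "http://evil.example/",
    "http://127.0.0.1:8080/admin",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::ffff:127.0.0.1]/",
    "file:///etc/passwd",
    "http://user:pw@callback.example/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, reason, pinned = validate_callback_url(url, fake_resolver)
        print(f"{'ALLOW' if ok else 'DENY ':5} {url:45} {reason} {pinned or ''}")
```

Two things the validator cannot do for you: the HTTP client must connect to `pinned_ip` rather than re-resolving the host, and it must not follow redirects automatically, since each `Location` target needs the same validation.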
CVE-2023-53898 EXPLOITDB MEDIUM text
Rukovoditel 3.4.1 - XSS
Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in the application copyright text to execute arbitrary JavaScript in victim browsers.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53897 EXPLOITDB MEDIUM text
Rukovoditel 3.4.1 - XSS
Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53896 EXPLOITDB HIGH text
D-Link DAP-1325 1.01 - Info Disclosure
D-Link DAP-1325 firmware version 1.01 contains a broken access control vulnerability that allows unauthenticated attackers to download the device configuration. Attackers can request the /cgi-bin/ExportSettings.sh endpoint directly to retrieve sensitive configuration information.
by ieduardogoncalves
CVSS 7.5
CVE-2022-4297 EXPLOITDB CRITICAL text
Netflixtech WP Autocomplete Search < 1.0.4 - SQL Injection
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
by matitanium
CVSS 9.8
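As an added example (not the plugin's code), the pattern behind the entry above reduced to a small search handler: the same search term run once through string concatenation and once through a bound parameter. The schema, rows and stored hash are constructed for the demonstration, and Python's sqlite3 stands in for the site database; in WordPress the bound-parameter form is `$wpdb->prepare()`.

```python
import sqlite3

DEMO_HASH = "$P$BconstructedPlaceholderHash000000"   # constructed, not a real credential

def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the site database: a searchable table plus a sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE users (user_login TEXT NOT NULL, user_pass TEXT NOT NULL);
        INSERT INTO posts (title) VALUES ('Hello world'), ('Autocomplete search tips');
    """)
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", DEMO_HASH))
    return conn

def search_vulnerable(conn, term: str) -> list:
    """The unsanitised pattern: the request parameter is spliced into the statement text."""
    sql = f"SELECT title FROM posts WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def _escape_like(term: str) -> str:
    """Escape LIKE metacharacters so the user cannot widen the match.
    This is about result scope, not injection; the bound parameter handles injection."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_safe(conn, term: str) -> list:
    """Bound parameter: the term is passed as data and is never parsed as SQL."""
    sql = "SELECT title FROM posts WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + _escape_like(term) + "%",))]

# Constructed payload: closes the LIKE literal, appends a UNION that reads the users
# table, and comments out the remainder of the original statement.
PAYLOAD = "x%' UNION SELECT user_login || ':' || user_pass FROM users -- "

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", search_vulnerable(conn, PAYLOAD))
    print("safe:      ", search_safe(conn, PAYLOAD))
```

The unauthenticated AJAX exposure is what lifts this from a medium to a critical finding: the handler is reachable by anyone, so the concatenated query above is the whole attack surface.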