Text Exploits

31,386 exploits tracked across all sources.

EIP-2026-105435 EXPLOITDB text
Beauty Salon Management System v1.0 - SQLi
by Fatih Nacar
CVE-2023-37602 EXPLOITDB MEDIUM text
Alkacon OpenCMS 15.0 - Arbitrary File Upload and Remote Code Execution via PNG File
An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code by uploading a crafted PNG file.
by tmrswrr
CVSS 6.1
CVE-2023-53903 EXPLOITDB MEDIUM text VERIFIED
WebsiteBaker 2.13.3 - Authenticated Stored Cross-Site Scripting via SVG File Upload
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53902 EXPLOITDB MEDIUM text VERIFIED
WebsiteBaker 2.13.3 - Path Traversal
WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory.
by Mirabbas Ağalarov
CVSS 6.5
CVE-2023-53901 EXPLOITDB MEDIUM text
WBCE CMS 1.6.1 - Stored Cross-Site Scripting via CSS Keylogging
WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53900 EXPLOITDB HIGH text
Spip 4.1.10 - Stored Cross-Site Scripting via Malicious SVG Upload
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.
by nu11secur1ty
CVSS 8.8
CVE-2023-53899 EXPLOITDB CRITICAL text
PodcastGenerator 3.2.9 - Server-Side Request Forgery via Episode Upload Shortdesc Parameter
PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.
by Mirabbas Ağalarov
CVSS 9.8
CVE-2023-53898 EXPLOITDB MEDIUM text
Rukovoditel 3.4.1 - Authenticated Stored Cross-Site Scripting via Application Copyright Text
Rukovoditel 3.4.1 contains stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53897 EXPLOITDB MEDIUM text
Rukovoditel 3.4.1 - Authenticated Stored Cross-Site Scripting via Project Task Comments
Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53896 EXPLOITDB HIGH text
D-Link DAP-1325 1.01 - Info Disclosure
D-Link DAP-1325 firmware version 1.01 contains a broken access control vulnerability that allows unauthenticated attackers to download device configuration settings. Attackers can retrieve sensitive configuration information by directly accessing the /cgi-bin/ExportSettings.sh export settings script.
by ieduardogoncalves
CVSS 7.5
CVE-2022-4297 EXPLOITDB CRITICAL text
WP AutoComplete Search < 1.0.4 - Unauthenticated SQL Injection via AJAX Parameter
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
by matitanium
CVSS 9.8
EIP-2026-112943 EXPLOITDB text
Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)
by CraCkEr
EIP-2026-112690 EXPLOITDB text
Time Slot Booking Calendar 1.8 - Stored Cross-Site Scripting (XSS)
by CraCkEr
EIP-2026-111500 EXPLOITDB text
Prestashop 8.0.4 - Cross-Site Scripting (XSS)
by Mirabbas Ağalarov
CVE-2023-36348 EXPLOITDB HIGH text
POS Codekop v2.0 - Authenticated RCE
POS Codekop v2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the filename parameter.
by yuyudhn
CVSS 8.8
EIP-2026-107543 EXPLOITDB text
GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)
by CraCkEr
CVE-2023-28285 EXPLOITDB HIGH text
Microsoft 365 Apps - Remote Code Execution via Use-After-Free
Microsoft Office Remote Code Execution Vulnerability
by nu11secur1ty
CVSS 7.8
CVE-2023-33137 EXPLOITDB HIGH text
Microsoft Office - Remote Code Execution via Double Free
Microsoft Excel Remote Code Execution Vulnerability
by nu11secur1ty
CVSS 7.8
CVE-2023-53904 EXPLOITDB MEDIUM text
Xenforo 2.2.13 - Authenticated Stored Cross-Site Scripting via Smilie Category Title Parameter
Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create a smilie category with a malicious script that will execute when the admin panel is loaded, potentially enabling further client-side attacks.
by Furkan Karaarslan
CVSS 4.6
CVE-2023-34834 EXPLOITDB MEDIUM text
MCL-Net <4.3.5.8788 - Info Disclosure
A directory browsing vulnerability in the MCL-Net version 4.3.5.8788 webserver, running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.
by Victor A. Morales
CVSS 5.3
EIP-2026-103985 EXPLOITDB text
Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
by nu11secur1ty
CVE-2023-37164 EXPLOITDB MEDIUM text VERIFIED
diafan.cms v6.0 - Reflected Cross-Site Scripting via cat_id Parameter
Diafan CMS v6.0 was discovered to contain a reflected cross-site scripting vulnerability via the cat_id parameter at /shop/?module=shop&action=search.
by tmrswrr
CVSS 6.1
EIP-2026-112642 EXPLOITDB text
The Shop v2.5 - SQL Injection
by Ahmet Ümit BAYRAM
CVE-2023-33580 EXPLOITDB MEDIUM text VERIFIED
Phpgurukul Student Study Center Management System V1.0 - XSS
Phpgurukul Student Study Center Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in the "Admin Name" field on the Admin Profile page.
by VIVEK CHOUDHARY
CVSS 4.8
EIP-2026-108116 EXPLOITDB text
Jobpilot v2.61 - SQL Injection
by Ahmet Ümit BAYRAM