Text Exploits
31,386 exploits tracked across all sources.
Broadcom Symantec SiteMinder WebAgent - Cross-Site Scripting
A user can supply malicious HTML and JavaScript code that is stored by the WebAgent and executed in the browser of any client that renders it.
by Harshit Joshi
CVSS 5.4
Anevia Flamingo XL 3.2.9 - OS Command Injection via Traceroute Command
Anevia Flamingo XL 3.2.9 exposes a restricted login shell whose traceroute command passes its argument to the system shell without sanitization. A remote attacker who reaches that restricted environment can inject shell commands through the traceroute argument, escape the sandbox and obtain a full root shell on the device.
by LiquidWorm
CVSS 10.0
Textpattern CMS 4.8.8 - Authenticated Stored Cross-Site Scripting in Article Excerpt Field
Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other users.
by tmrswrr
CVSS 5.4
projectSend r1605 - Authenticated Stored Cross-Site Scripting via Custom Assets Page
projectSend r1605 contains a stored cross-site scripting vulnerability in the custom assets configuration page that allows an authenticated administrator to inject JavaScript. The payload is persisted with the configuration and executes in the browser of every user who later loads the affected page.
by Mirabbas Ağalarov
CVSS 4.8
ProjectSend r1605 - Authenticated CSV Injection via User Profile Name Field
ProjectSend r1605 contains a CSV injection vulnerability: the user profile name field accepts spreadsheet formulas such as =calc|a!z| from any authenticated user. When an administrator exports the action log as a CSV file and opens it in a spreadsheet application, the formula stored in the name cell is evaluated there, which can lead to code execution on the administrator's workstation.
by Mirabbas Ağalarov
CVSS 8.0
Xoops CMS 2.5.10 - Stored Cross-Site Scripting via Image Manager Category Name Field
Xoops CMS 2.5.10 contains a stored cross-site scripting vulnerability in the category name field of the image manager. A remote attacker can store script there that executes in the browser of users who view the affected page.
by tmrswrr
CVSS 9.0
Online Thesis Archiving System v1.0 - Multiple SQL Injection
by nu11secur1ty
Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
by LiquidWorm
Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
by LiquidWorm
Online Examination System Project 1.0 - CSRF
Online Examination System Project 1.0 is vulnerable to cross-site request forgery (CSRF). The request that deletes a user account carries the target's email address as a URL parameter and is not bound to an anti-CSRF token, so an attacker can craft a link that deletes an account of their choosing when an authenticated admin clicks it. The result is loss of data without the admin's consent.
by Ramil Mustafayev
CVSS 6.5
PHPGurukul Teachers Record Management System 1.0 - Unrestricted Upload
PHPGurukul Teachers Record Management System 1.0 does not restrict the type of file accepted through the newpic argument of /changeimage.php (Profile Picture Handler), allowing a remote attacker to upload arbitrary files. The vulnerability is rated critical, the exploit has been publicly disclosed, and the issue is tracked as VDB-231176.
by AFFAN AHMED
CVSS 6.3
SourceCodester Sales Tracker Management System 1.0 - XSS
SourceCodester Sales Tracker Management System 1.0 does not sanitize the firstname, middlename, lastname and username arguments submitted to /classes/Users.php?f=save, leading to cross-site scripting. The attack can be launched remotely, the exploit has been publicly disclosed, and the issue (rated problematic) is tracked as VDB-231164.
by AFFAN AHMED
CVSS 2.4
USB Flash Drives Control 4.1.0.0 - Code Injection
USB Flash Drives Control 4.1.0.0 registers its service binary with the unquoted path 'C:\Program Files\USB Flash Drives Control\usbcs.exe'. Because Windows resolves an unquoted path containing spaces by trying each space-delimited prefix in turn (C:\Program.exe, then C:\Program Files\USB.exe, and so on) before the full path, a local attacker who can write an executable to one of those locations gets it run with the service's privileges when the service starts. Exploitation therefore depends on a writable directory along the path; with default ACLs on C:\ and C:\Program Files this requires an additional misconfiguration.
by Jeffrey Bencteux
CVSS 6.2
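The search order described above, worked through for the affected path. This is an added example, not code from the advisory or from the product: it parses a constructed `sc qc` listing (the assumed service name `usbcs` and every field other than the unquoted BINARY_PATH_NAME are assumptions), reproduces the prefix resolution Windows applies to unquoted image paths, reports which candidate locations an attacker could plant a binary in given a set of writable directories, and shows the quoted path that fixes the issue.

```python
import re

# Assumed service name; the page names only the binary, not the service.
SERVICE_NAME = "usbcs"

# Constructed `sc qc` output for that assumed service. The only page-supported
# fact in it is the unquoted BINARY_PATH_NAME.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usbcs
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\USB Flash Drives Control\usbcs.exe
        SERVICE_START_NAME : LocalSystem
"""


def parse_binary_path(sc_qc_output: str) -> str:
    """Pull BINARY_PATH_NAME out of `sc qc <service>` output."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_output)
    if not m:
        raise ValueError("no BINARY_PATH_NAME line found")
    return m.group(1).strip()


def search_order(image_path: str) -> list:
    """Executables Windows tries, in order, when starting a service image.

    A quoted path names exactly one executable. An unquoted path is parsed the
    way CreateProcess parses a command line with no application name: every
    space may end the program name, so each prefix is tried with ".exe"
    appended before the full string is tried last.
    """
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in image path")
        return [image_path[1:end]]
    words = image_path.split(" ")
    prefixes = [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]
    return prefixes + [image_path]


def is_vulnerable(image_path: str) -> bool:
    """True when the path is unquoted and contains at least one space."""
    return not image_path.startswith('"') and " " in image_path


def hijack_points(image_path: str, writable_dirs) -> list:
    """Candidates from search_order() whose parent directory is in writable_dirs
    (compared case-insensitively, as NTFS names are). The real binary at the
    end of the list is not a hijack point and is skipped."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    hits = []
    for candidate in search_order(image_path)[:-1]:
        parent = candidate.rsplit("\\", 1)[0]
        if parent.lower() in writable:
            hits.append(candidate)
    return hits


def quoted(image_path: str) -> str:
    """The fixed ImagePath: the executable wrapped in double quotes."""
    return image_path if image_path.startswith('"') else '"' + image_path + '"'


if __name__ == "__main__":
    path = parse_binary_path(SC_QC_OUTPUT)
    print("vulnerable:", is_vulnerable(path))
    for p in search_order(path):
        print("  tries:", p)
    # Assumed misconfigured ACL: an attacker who can write into C:\Program Files.
    print("plant at:", hijack_points(path, {r"C:\Program Files"}))
    print("fix:", quoted(path))
```

On a real host the writable-directory set comes from `icacls` on each parent directory rather than from a hard-coded set, and the fix is applied with `sc config <service> binPath= "\"C:\Program Files\USB Flash Drives Control\usbcs.exe\""` (service name assumed, as above).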
CMS Tree Page View <= 1.6.7 - Unauthenticated Reflected Cross-Site Scripting
Unauthenticated reflected cross-site scripting (XSS) vulnerability in the CMS Tree Page View WordPress plugin by Jon Christopher, versions <= 1.6.7.
by LEE SE HYOUNG
CVSS 7.1
MotoCMS 3.4.3 - SQL Injection via Search Keyword Parameter
The keyword parameter of the MotoCMS 3.4.3 search function is used in a SQL query without proper sanitization, allowing a remote attacker to execute arbitrary SQL against the backend database and, through it, gain privileges.
by tmrswrr
CVSS 9.8
Total CMS 1.7.4 - Unauthenticated Arbitrary File Upload via Edit Page Function
Total CMS 1.7.4 does not validate files uploaded through the edit page function, allowing a remote attacker to upload a crafted PHP file and execute arbitrary code on the server.
by tmrswrr
CVSS 8.8
Barebones CMS 2.0.2 - Authenticated Stored Cross-Site Scripting
Barebones CMS 2.0.2 is vulnerable to stored cross-site scripting (XSS): an authenticated user can store a script payload through certain admin panel features, and it executes when the affected page is rendered.
by tmrswrr
CVSS 5.4
Sourcecodester Enrollment System Project V1.0 - SQL Injection
Sourcecodester Enrollment System Project V1.0 is vulnerable to SQL injection. The login process does not validate the user-supplied username and password fields before using them in a SQL query, so an attacker can inject SQL that alters the query the application executes.
by VIVEK CHOUDHARY
CVSS 9.8
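The login flaw described above, reproduced and fixed against an in-memory SQLite table. This is an added example and not code from the project: the users table, its plaintext password column and the two accounts are constructed for illustration, and the string-concatenated query is an assumed reconstruction of the pattern the advisory describes, not the application's actual code.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's users table (constructed data).
    A plaintext password column mirrors the simple PHP projects this class of
    advisory covers; it is not a recommendation."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "s3cret"))
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("student", "pa55word"))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """The pattern the advisory describes: user input concatenated into the
    query text. Returns the matched user's id, or None."""
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(con: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the driver sends values separately from the SQL
    text, so quotes and comment markers in the input cannot change the query."""
    row = con.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic authentication-bypass payloads for the username/password fields.
# "-- " comments out the password check; "' OR '1'='1" makes the WHERE clause
# true for every row, so the first account (usually admin) is returned.
PAYLOADS = [
    ("admin'-- ", "anything"),
    ("' OR '1'='1", "' OR '1'='1"),
    ("' OR 1=1 LIMIT 1-- ", "x"),
]


def run_payloads(con: sqlite3.Connection) -> dict:
    """Map each payload to (vulnerable result, fixed result)."""
    return {u: (login_vulnerable(con, u, p), login_fixed(con, u, p)) for u, p in PAYLOADS}


if __name__ == "__main__":
    db = build_db()
    for user, (vuln, fixed) in run_payloads(db).items():
        print("%-22r vulnerable -> %r   fixed -> %r" % (user, vuln, fixed))
```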
STARFACE < 7.3.0.10 - Authentication Bypass via Password Hash
RedTeam Pentesting discovered that the STARFACE web interface and its REST API accept the SHA512 hash of a user's password in place of the cleartext password. Storing password hashes rather than cleartext passwords is meant to protect users if the database is compromised; that protection is void when the stored hash itself is accepted as a credential, because a leaked database then yields directly usable logins without any cracking.
by RedTeam Pentesting GmbH
CVSS 8.1
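The reasoning in the advisory, shown as a login check that accepts a hash as a credential next to one that does not. This is an added example and not STARFACE's code: the user store, the account and the exact way the vulnerable check recognises a hash (a 128-character hex string) are assumptions used to illustrate the pass-the-hash condition, and the salted PBKDF2 store at the end goes beyond the advisory to show what storing hashes is supposed to look like.

```python
import hashlib
import hmac
import os

# Constructed user store: SHA512 hex digests of passwords, the storage scheme
# the advisory describes. The account and password are made up.
USERS = {"alice": hashlib.sha512(b"correct horse battery").hexdigest()}


def login_vulnerable(username: str, credential: str) -> bool:
    """Accepts the cleartext password *or* its SHA512 hex digest.

    Mirrors the flaw; that STARFACE detects a hash by its length is an
    assumption for illustration. Anyone holding a copy of USERS can log in
    without knowing a single password."""
    stored = USERS.get(username)
    if stored is None:
        return False
    if hmac.compare_digest(hashlib.sha512(credential.encode()).hexdigest(), stored):
        return True
    # The fatal convenience: a 128-hex-char credential is treated as already hashed.
    return len(credential) == 128 and hmac.compare_digest(credential.lower(), stored)


def login_fixed(username: str, credential: str) -> bool:
    """Only the cleartext password hashes to the stored value; a leaked digest
    is useless on its own. A dummy digest is compared for unknown users so
    timing does not reveal whether the account exists."""
    stored = USERS.get(username, hashlib.sha512(b"").hexdigest())
    ok = hmac.compare_digest(hashlib.sha512(credential.encode()).hexdigest(), stored)
    return ok and username in USERS


# What hash storage should look like: per-user salt and a slow KDF, so a
# leaked table is neither reusable as a credential nor cheap to crack.
SALTED = {}
ITERATIONS = 200_000


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    SALTED[username] = (salt, dk)


def verify(username: str, password: str) -> bool:
    entry = SALTED.get(username)
    if entry is None:
        return False
    salt, dk = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    leaked = USERS["alice"]  # what an attacker gets from a database dump
    print("vulnerable, password:", login_vulnerable("alice", "correct horse battery"))
    print("vulnerable, leaked hash:", login_vulnerable("alice", leaked))
    print("fixed, leaked hash:", login_fixed("alice", leaked))
    register("bob", "hunter2")
    print("salted store, leaked dk as password:", verify("bob", SALTED["bob"][1].hex()))
```

The check to run against any application that stores hashes: take a digest from the database and submit it as the password; if it works, the hash is the password.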
Rukovoditel 3.3.1 - Authenticated CSV Injection via Firstname Field
Rukovoditel 3.3.1 contains a CSV injection vulnerability: the firstname field accepts spreadsheet formulas such as =calc|a!z| from any authenticated user. When an admin exports customer data as a CSV file and opens it in a spreadsheet application, the stored formula is evaluated there, which can lead to code execution on the admin's workstation.
by Mirabbas Ağalarov
CVSS 8.8
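The export-side fix for the two CSV injection entries above (ProjectSend r1605 and Rukovoditel 3.3.1), plus a scanner for checking an export before opening it. This is an added example and not code from either project: the rows, field names and the =calc|a!z| and @SUM payloads are constructed, and the neutralization rule follows the OWASP CSV injection guidance (prefix cells starting with =, +, -, @, tab or carriage return with a single quote, and quote every field) rather than anything the advisories specify.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Plain numbers keep their sign; "-12.50" must not become "'-12.50".
PLAIN_NUMBER = re.compile(r"[-+]?\d+(\.\d+)?")


def neutralize(cell) -> str:
    """Return the cell text with a leading apostrophe if a spreadsheet would
    otherwise evaluate it. The apostrophe forces text interpretation."""
    s = str(cell)
    if s == "" or PLAIN_NUMBER.fullmatch(s):
        return s
    if s[0] in FORMULA_TRIGGERS:
        return "'" + s
    return s


def export_csv(rows, fieldnames, safe=True) -> str:
    """Write rows as CSV. safe=False reproduces the vulnerable behaviour
    (user data written verbatim); safe=True neutralizes formula cells.
    QUOTE_ALL keeps separators inside a value from spilling into new cells."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writeheader()
    for r in rows:
        w.writerow({k: (neutralize(v) if safe else v) for k, v in r.items()})
    return buf.getvalue()


def find_formula_cells(csv_text: str) -> list:
    """(row, column, value) for every cell a spreadsheet would evaluate.
    Row 0 is the header. Useful for vetting a suspicious export before opening it."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS and not PLAIN_NUMBER.fullmatch(cell):
                hits.append((r, c, cell))
    return hits


# Constructed export data: one record carries the payload from the advisories,
# one a second formula form, one a legitimate negative amount and an apostrophe.
FIELDS = ["firstname", "lastname", "balance"]
ROWS = [
    {"firstname": "=calc|a!z|", "lastname": "Smith", "balance": "-12.50"},
    {"firstname": "Ada", "lastname": "@SUM(1+1)", "balance": "100"},
    {"firstname": "Bob", "lastname": "O'Brien", "balance": "+5"},
]


if __name__ == "__main__":
    unsafe = export_csv(ROWS, FIELDS, safe=False)
    print("unsafe export flags:", find_formula_cells(unsafe))
    safe = export_csv(ROWS, FIELDS, safe=True)
    print("safe export flags:", find_formula_cells(safe))
    print(safe)
```

The apostrophe is visible in the exported data, which is the accepted trade-off; the alternative of rejecting such input at save time is stricter but breaks legitimate names. Spreadsheet applications also warn before running DDE, so the server-side prefix is defence in depth, not a substitute for that prompt.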
MotoCMS 3.4.3 - Server-Side Template Injection via Keyword Parameter
MotoCMS 3.4.3 contains a server-side template injection (SSTI) vulnerability in the Store Category Template, reachable through the keyword parameter.
by tmrswrr
CVSS 9.8
bumsys < 1.0.3-beta - Unrestricted Upload of File with Dangerous Type
Unrestricted upload of a file with a dangerous type (CWE-434) in the GitHub repository unilogies/bumsys, versions prior to v1.0.3-beta.
by AFFAN AHMED
CVSS 8.8