Exploitdb Exploits
31,341 exploits tracked across all sources.
Oretnom23 Service Provider Management System - SQL Injection
Sourcecodester Service Provider Management System v1.0 is vulnerable to SQL injection via the id parameter in /php-spms/?page=services/view&id=2.
by ASHIK KUNJUMON
CVSS 9.8
Helakuru - Uncontrolled Search Path
An issue in Helakuru Desktop Application v1.1 allows a local attacker to execute arbitrary code because the application loads wow64log.dll without properly validating it.
by Ahsan Azad
CVSS 7.8
Hubstaff 1.6.14 - DLL Search Order Hijacking
Hubstaff 1.6.14 contains a DLL search order hijacking vulnerability: the application looks for wow64log.dll, which is not present in system32 by default, so an attacker who can write to that directory can drop a malicious library under that name. A custom DLL generated with Metasploit and placed in system32 yields a reverse shell when the application starts (note that writing to system32 normally requires administrative rights, so this is a persistence or lateral-movement primitive rather than an unprivileged escalation).
by Ahsan Azad
CVSS 7.8
Cameleon CMS 2.7.4 - XSS
Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.
by Yasin Gergin
CVSS 4.8
WBiz Desk 1.2 - SQL Injection
WBiz Desk 1.2 contains a SQL injection vulnerability that allows non-admin users to manipulate database queries through the 'tk' parameter in ticket.php. Attackers can inject crafted SQL statements using UNION-based techniques to extract sensitive database information by sending malformed requests to the ticket endpoint.
by h4ck3r
CVSS 5.4
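The UNION-based extraction described for WBiz Desk (and the id-parameter injections elsewhere on this page) comes down to one pattern: a request parameter is concatenated into a query string. The snippet below is an added illustration, not code from WBiz Desk or from the published exploit; the table names, column layout and hash values are constructed sample data, and the `tk` handling is an assumed stand-in for ticket.php. It shows the vulnerable lookup leaking another table through UNION, and the same lookup with type validation plus a bound parameter, which rejects the payload outright.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for a helpdesk database (assumption, not WBiz Desk's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, body TEXT);
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO tickets VALUES (1, 'Printer jam', 'Floor 2 printer is jammed');
        INSERT INTO tickets VALUES (2, 'VPN down',    'Cannot reach the VPN gateway');
        -- sample hash values, constructed for this example
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'alice', 'e99a18c4428cb38d5f260853678922e3');
        """
    )
    conn.commit()
    return conn


def fetch_ticket_vulnerable(conn: sqlite3.Connection, tk: str) -> list:
    """Vulnerable lookup: the tk parameter is pasted straight into the SQL text."""
    query = "SELECT subject, body FROM tickets WHERE id = " + tk
    return conn.execute(query).fetchall()


def fetch_ticket_safe(conn: sqlite3.Connection, tk: str) -> list:
    """Hardened lookup: enforce the expected type, then bind the value as a parameter."""
    try:
        ticket_id = int(tk)
    except ValueError:
        return []  # anything that is not an integer is rejected before reaching SQL
    return conn.execute(
        "SELECT subject, body FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchall()


# UNION-based payload: the selected column count (2) must match the original query,
# and id = 0 matches no ticket so only the attacker's rows come back.
PAYLOAD = "0 UNION SELECT username, password_hash FROM users"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", fetch_ticket_vulnerable(db, PAYLOAD))
    print("safe:      ", fetch_ticket_safe(db, PAYLOAD))
```

The column-count constraint is why real UNION attacks start by probing with `ORDER BY n` or `UNION SELECT NULL,NULL,...`; the hardened version never gets that far because the parameter is rejected before query construction.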
TinyWebGallery v2.5 - RCE
TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.
by Mirabbas Ağalarov
CVSS 9.8
SitemagicCMS 4.4.3 - RCE
SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar file with system command execution payload to compromise the web application and execute arbitrary system commands.
by Mirabbas Ağalarov
CVSS 9.8
PodcastGenerator 3.2.9 - XSS
PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the podcast title field accessible through the podcast details interface (podcast_details.php). Malicious JavaScript payloads injected into the podcast title execute when users visit the application's home page.
by Mirabbas Ağalarov
CVSS 5.4
PodcastGenerator 3.2.9 - XSS
PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the Freebox content field accessible through the theme customization interface (theme_freebox.php). Malicious JavaScript payloads injected into the Freebox content execute when users visit the application's home page.
by Mirabbas Ağalarov
CVSS 5.4
PodcastGenerator 3.2.9 - XSS
PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface (episodes_upload.php). Malicious JavaScript payloads injected into episode titles execute when administrators view the episodes list page (episodes_list.php).
by Mirabbas Ağalarov
CVSS 6.1
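The stored XSS entries for Cameleon CMS and PodcastGenerator above share one root cause: a user-supplied title is written into HTML without output encoding, so it executes wherever that title is later rendered (the home page, the episodes list, a post heading). The Python snippet below is an added illustration, not code from either project or from the published exploits; the SVG mouseover payload and the `<h2>` wrapper are assumed stand-ins for the real templates.

```python
import html

# Constructed payload of the kind described above: an SVG element whose event
# handler fires when a user hovers the rendered title (assumed, not the exploit's payload).
PAYLOAD = '<svg onmouseover="alert(document.cookie)">Quarterly update</svg>'

WRAPPER_OPEN = '<h2 class="post-title">'
WRAPPER_CLOSE = "</h2>"


def render_title_vulnerable(title: str) -> str:
    """Interpolates the stored title as-is: markup in the title becomes markup in the page."""
    return f"{WRAPPER_OPEN}{title}{WRAPPER_CLOSE}"


def render_title_safe(title: str) -> str:
    """Encodes the title for an HTML text context; quote=True also covers attribute contexts."""
    return f"{WRAPPER_OPEN}{html.escape(title, quote=True)}{WRAPPER_CLOSE}"


def title_text_has_tags(rendered: str) -> bool:
    """Checks whether anything between the known wrapper tags still contains raw angle brackets."""
    inner = rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    print(render_title_vulnerable(PAYLOAD))
    print(render_title_safe(PAYLOAD))
```

The check in `title_text_has_tags` is only there to make the difference visible; the fix is encoding at every output point, which is why a title stored once can be a finding on several pages of the same application.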
Affiliate Me <5.0.1 - SQL Injection
Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the 'id' parameter with crafted union-based queries to extract sensitive user information including usernames and password hashes.
by h4ck3r
CVSS 6.5
e107 <2.3.2 - XSS
A cross-site scripting vulnerability in e107 v2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project.
by Hubert Wojciechowski
CVSS 5.4
Dbbroadcast Sft Dab 600/c Firmware < 1.9.3 - Missing Authentication
Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control flaw in the user management API that allows unauthenticated requests to retrieve structured user data, including account names and connection metadata such as client IP and timeout values.
by LiquidWorm
CVSS 5.3
MicroWorld eScan Management Console <14.0.1400.2281 - SQL Injection
SQL injection in the View User Profile function of MicroWorld eScan Management Console 14.0.1400.2281 allows a remote attacker to dump the entire database and obtain a Windows XP command shell, executing code on the database server, via GetUserCurrentPwd?UsrId=1.
by Sahil Ojha
CVSS 7.2
Microworld Technologies eScan <14.0.1400.2281 - XSS
Cross-site scripting (XSS) in the edit user form of the Microworld Technologies eScan management console 14.0.1400.2281 allows a remote attacker to inject arbitrary code via the from parameter.
by Sahil Ojha
CVSS 9.0
MobileTrans <4.0.11 - Privilege Escalation
Insecure permissions in MobileTrans v4.0.11 allow attackers to escalate privileges to local administrator by replacing the executable file.
by Thurein Soe
CVSS 7.8
WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
by Wadeek
Webkul Qloapps - XSS
A cross-site scripting vulnerability in Webkul QloApps v1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
by Astik Rawat
CVSS 6.1
Stackposts Social Marketing Tool v1.0 - SQL Injection
by Ahmet Ümit BAYRAM
Civicrm - XSS
A stored cross-site scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary code via the first/second name fields.
by Andrea Intilangelo
CVSS 5.4