Exploitdb Exploits

31,341 exploits tracked across all sources.

Sort: Activity Stars
CVE-2025-49730 EXPLOITDB HIGH text
Microsoft Windows 10 1507 < 10.0.10240.21073 - Heap Buffer Overflow
Time-of-check time-of-use (toctou) race condition in Microsoft Windows QoS scheduler allows an authorized attacker to elevate privileges locally.
by nu11secur1ty
CVSS 7.8
CVE-2025-50286 EXPLOITDB HIGH text
Grav CMS <1.7.48 - RCE
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.
by /bin/neko
CVSS 8.1
CVE-2025-41228 EXPLOITDB MEDIUM text
VMware ESXi - XSS
VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.
by Imraan Khan (Lich-Sec)
CVSS 4.3
CVE-2025-49741 EXPLOITDB HIGH text
Microsoft Edge Chromium < 135.0.3179.98 - Information Disclosure
No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
by nu11secur1ty
CVSS 7.4
CVE-2025-49683 EXPLOITDB HIGH text
Microsoft Windows 10 1507 < 10.0.10240.21073 - Integer Overflow
Integer overflow or wraparound in Virtual Hard Disk (VHDX) allows an unauthorized attacker to execute code locally.
by nu11secur1ty
CVSS 7.8
CVE-2025-50481 EXPLOITDB MEDIUM text
Mezzanine CMS 6.1.0 - XSS
A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog post.
by Kevin Dicks
CVSS 4.8
CVE-2025-48932 EXPLOITDB text VERIFIED
Invision Community 4.7.20 - (calendar/view.php) SQL Injection
by Egidio Romano
CVE-2024-0737 EXPLOITDB MEDIUM text
Xlightftpd Xlight FTP Server 1.1 - DoS
A vulnerability classified as problematic was found in Xlightftpd Xlight FTP Server 1.1. This vulnerability affects unknown code of the component Login. The manipulation of the argument user leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-251560.
by Fernando Mengali
CVSS 5.3
CVE-2015-6176 EXPLOITDB text
Microsoft Edge - XSS
Microsoft Edge mishandles HTML attributes in HTTP responses, which allows remote attackers to bypass a cross-site scripting (XSS) protection mechanism via unspecified vectors, aka "Microsoft Edge XSS Filter Bypass Vulnerability."
by nu11secur1ty
CVE-2025-51401 EXPLOITDB MEDIUM text
Live Helper Chat <4.60 - XSS
A stored cross-site scripting (XSS) vulnerability in the chat transfer function of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the operator name parameter.
by Manojkumar J
CVSS 5.4
CVE-2025-51396 EXPLOITDB MEDIUM text
Live Helper Chat <4.60 - XSS
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Telegram Bot Username parameter.
by Manojkumar J
CVSS 5.4
CVE-2025-51400 EXPLOITDB MEDIUM text
Live Helper Chat <4.60 - XSS
A stored cross-site scripting (XSS) vulnerability in the Personal Canned Messages of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.
by Manojkumar J
CVSS 5.4
CVE-2025-51397 EXPLOITDB MEDIUM text
Live Helper Chat <4.60 - XSS
A stored cross-site scripting (XSS) vulnerability in the Facebook Chat module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Surname parameter under the Recipient' Lists.
by Manojkumar J
CVSS 5.4
CVE-2025-51398 EXPLOITDB MEDIUM text
Live Helper Chat <4.60 - XSS
A stored cross-site scripting (XSS) vulnerability in the Facebook registration page of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
by Manojkumar J
CVSS 5.4
CVE-2025-51403 EXPLOITDB MEDIUM text
Live Helper Chat <4.60 - XSS
A stored cross-site scripting (XSS) vulnerability in the department assignment editing module of of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Alias Nick parameter.
by Manojkumar J
CVSS 6.5
CVE-2025-49484 EXPLOITDB HIGH text
JS Jobs <1.4.1 - SQL Injection
A SQL injection vulnerability in the JS Jobs plugin versions 1.0.0-1.4.1 for Joomla allows low-privilege users to execute arbitrary SQL commands via the 'cvid' parameter in the employee application feature.
by Adam Wallwork
CVE-2025-49744 EXPLOITDB HIGH text
Microsoft Windows 10 1507 < 10.0.10240.21073 - Race Condition
Heap-based buffer overflow in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
by nu11secur1ty
CVSS 7.0
CVE-2025-49677 EXPLOITDB HIGH text
Microsoft Windows 11 22h2 < 10.0.22621.5624 - Use After Free
Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
by nu11secur1ty
CVSS 7.0
CVE-2024-11605 EXPLOITDB MEDIUM text
wp-publications <1.2 - XSS
The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
by Zeynalxan Quliyev
CVSS 4.8
CVE-2025-44177 EXPLOITDB HIGH text
WSS Protop - Path Traversal
A directory traversal vulnerability was discovered in White Star Software Protop version 4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. An unauthenticated attacker can remotely read arbitrary files on the underlying OS using encoded traversal sequences.
by Imraan Khan (Lich-Sec)
CVSS 8.2
CVE-2024-58258 EXPLOITDB HIGH text
SugarCRM <13.0.4, <14.0.1 - SSRF
SugarCRM before 13.0.4 and 14.x before 14.0.1 allows SSRF in the API module because a limited type of code injection can occur.
by Egidio Romano
CVSS 7.2
CVE-2025-52367 EXPLOITDB MEDIUM text
Pivotx - XSS
Cross Site Scripting vulnerability in PivotX CMS v.3.0.0 RC 3 allows a remote attacker to execute arbitrary code via the subtitle field.
by HayToN
CVSS 5.4
CVE-2025-6563 EXPLOITDB MEDIUM text
MikroTik RouterOS <7.19.2 - XSS
A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the `javascript` protocol in the `dst` parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also be converted to a GET request, allowing an attacker to send a specifically crafted URL that automatically logs in the victim (into the attacker's account) and triggers the payload.
by Prak Sokchea
CVE-2025-52089 EXPLOITDB HIGH text
Totolink N300rb Firmware - Missing Authentication
A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute arbitrary OS commands with root privileges.
by Skander BELABED - Magellan Sécurité
CVSS 8.8
CVE-2025-47171 EXPLOITDB MEDIUM text
Microsoft Office - Improper Input Validation
Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.
by nu11secur1ty
CVSS 6.7
By Source
All 31,341 Exploitdb 50,123 Writeup 46,583 Nomisec 21,106 Metasploit 3,189 Github 2,211 Vulncheck_xdb 900 Inthewild 518 Gitlab 438 Gitee 415 Patchapalooza 312
By Language
text 31,341 ruby 5,920 python 5,723 c 3,550 perl 2,854 html 2,053 php 1,332 bash 459 java 359 javascript 256 c++ 245 shell 67 go 41 postscript 25 xml 24