Text Exploits
31,343 exploits tracked across all sources.
Osprey Pump Controller 1.0.1 - Predictable Session Token / Session Hijack
by LiquidWorm
Osprey Pump Controller 1.0.1 - Cross-Site Request Forgery
by LiquidWorm
Osprey Pump Controller 1.0.1 - Administrator Backdoor Access
by LiquidWorm
Osprey Pump Controller 1.0.1 - (userName) Blind Command Injection
by LiquidWorm
Osprey Pump Controller 1.0.1 - (pseudonym) Semi-blind Command Injection
by LiquidWorm
Osprey Pump Controller 1.0.1 - (eventFileSelected) Command Injection
by LiquidWorm
ABUS TVIP - RCE
ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.
CVSS 7.2
Mitel Micollab Audio, Web & Video Conferencing - Path Traversal
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
by Kahvi-0
CVSS 5.3
ProjectSend r1605 - RCE
ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server.
by Mirabbas Ağalarov
CVSS 9.8
SOUND4 LinkAndShare Transmitter 1.1.2 - Memory Corruption
SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application.
by LiquidWorm
CVSS 9.8
Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)
by Muhammad Navaid Zafar Ansari
I-Tech Trainsmart r1044 - SQL Injection
A SQL injection vulnerability in I-Tech Trainsmart r1044 exists via a evaluation/assign-evaluation?id= URI.
by Adrian Bondocea
CVSS 7.5
Ckeditor < 36.0.0 - XSS
CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).
by Manish Pathak
CVSS 6.1
Calendar Event Multi View WP <1.4.07 - XSS
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.
by Mostafa Farzaneh
CVSS 4.3
Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
by Matteo Conti
bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)
by nu11secur1ty
ImageMagick 7.1.0-49 - DoS
ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.
by nu11secur1ty
CVSS 6.5
Skyhigh SWG <11.2.6-10.2.17-12.0.1 - XSS
A cross-site scripting vulnerability in Skyhigh SWG in main releases 11.x prior to 11.2.6, 10.x prior to 10.2.17, and controlled release 12.x prior to 12.0.1 allows a remote attacker to craft SWG-specific internal requests with URL paths to any third-party website, causing arbitrary content to be injected into the response when accessed through SWG.
by RedTeam Pentesting GmbH
CVSS 6.1
Farsight Provide Server - XSS
Cross Site Scripting (XSS) vulnerability in Provide server 14.4 allows attackers to execute arbitrary code through the server-log via username field from the login form.
by Andreas Finstad
CVSS 6.1
Btcpayserver Btcpay Server < 1.7.5 - Injection
Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.
by Manojkumar J
CVSS 5.3
ImageMagick 7.1.0-49 - Info Disclosure
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).
by Cristian Giustini
CVSS 6.5
Frappe ERPNext <12.29.0 - XSS
Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users.
by Patrick Dean Ramos / Nathu Nandwani / Junnair Manla
CVSS 6.1
D-Link DIR-846 - RCE
D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.
by Françoa Taffarel
CVSS 8.8
By Source