Text Exploits
31,394 exploits tracked across all sources.
ISC DHCP 3.0.x-4.2.x - Remote Code Execution via DHCP Hostname Shell Metacharacters
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.
by Pierre Kim
WordPress Plugin Download Manager Free 2.7.94 & Pro 4 - (Authenticated) Persistent Cross-Site Scripting
by Filippos Mastrogiannis
8 TOTOLINK Router Models - Backdoor Access / Remote Code Execution
by Pierre Kim
4 TOTOLINK Router Models - Cross-Site Request Forgery / Cross-Site Scripting
by Pierre Kim
Kaseya Virtual System Administrator 7.x < 7.0.0.29, 8.x < 8.0.0.18, 9.0 < 9.0.0.14, 9.1 < 9.1.0.4 - Open Redirect
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
by Pedro Ribeiro
Joomla! Component com_docman - Multiple Vulnerabilities
by Hugo Santiago
pimcore < build 3473 - Authenticated Path Traversal and Arbitrary File Write via Admin Asset Compatibility Endpoint
Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility.
by Portcullis
sysPass < 1.0.9 - Authenticated SQL Injection via Search Parameter
SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier allows remote authenticated users to execute arbitrary SQL commands via the search parameter to ajax/ajax_search.php.
by SySS GmbH
SquirrelMail <= 1.4.4 - Remote Code Execution via Extract Function
options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting XSS) attacks, and write arbitrary files.
by GulfTech Security
Free Reprintables ArticleFR 3.0.6 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to dashboard/settings/categories/, (2) title or (3) rel parameter to dashboard/settings/links/, or (4) url parameter to dashboard/tools/pingservers/.
by LiquidWorm
soplanning < 1.32 - Path Traversal via URL Path Parameter
Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter.
by Huy-Ngoc DAU
CVSS 5.3
soplanning < 1.32 - Exposure of Sensitive Information via ICAL Calendar Link
Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash.
by Huy-Ngoc DAU
CVSS 7.5
soplanning < 1.33 - Cross-Site Scripting via nb_mois, mb_ligness, and export.php Debug Parameter
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) before 1.33 via the document.cookie in nb_mois and mb_ligness and the debug GET parameter to export.php, which allows malicious users to execute arbitrary code.
by Huy-Ngoc DAU
CVSS 5.4
SOPPlanning <1.33 - SQL Injection
Multiple SQL vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple Online Planning (SOPPlanning)before 1.33.
by Huy-Ngoc DAU
CVSS 9.8
zenphoto < 1.4.9 - Cross-Site Request Forgery in admin.php
Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption).
by Tim Coen
CVSS 6.5
Swim Team plugin <1.44.10777 - Path Traversal
Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.
by Larry W. Cashdollar
CVSS 5.3
WordPress Plugin CP Contact Form with Paypal 1.1.5 - Multiple Vulnerabilities
by Nitin Venkatesh
soplanning < 1.32 - Authenticated Remote Code Execution via Crafted Database Name
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and smarty/templates_c is not writable to execute arbitrary php code via a crafted database name.
by Huy-Ngoc DAU
CVSS 5.3
Free Reprintables ArticleFR 3.0.6 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/create/.
by LiquidWorm
Arab Portal 3 - SQL Injection via showemail Parameter
SQL injection vulnerability in Arab Portal 3 allows remote attackers to execute arbitrary SQL commands via the showemail parameter in a signup action to members.php.
by ali ahmady
WordPress Plugin CP Multi View Event Calendar 1.1.7 - SQL Injection
by i0akiN SEC-LABORATORY
By Source