Exploitdb Exploits

31,341 exploits tracked across all sources.

Sort: Activity Stars
CVE-2019-13068 EXPLOITDB MEDIUM text VERIFIED
Grafana < 6.2.5 - XSS
public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).
by SimranJeet Singh
CVSS 5.4
EIP-2026-114615 EXPLOITDB text
Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)
by mister0xf
EIP-2026-114384 EXPLOITDB text
WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities
by Rafael Pedrero
EIP-2026-113376 EXPLOITDB text
WebTareas 2.4 - Reflected XSS (Unauthorised)
by Hubert Wojciechowski
EIP-2026-107125 EXPLOITDB text
FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)
by Sinem Şahin
EIP-2026-105874 EXPLOITDB text
Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)
by Sinem Şahin
EIP-2026-105707 EXPLOITDB text
Canteen-Management v1.0 - XSS-Reflected
by nu11secur1ty
EIP-2026-105706 EXPLOITDB text
Canteen-Management v1.0 - SQL Injection
by nu11secur1ty
EIP-2026-105004 EXPLOITDB text
Aero CMS v0.0.1 - SQL Injection (no auth)
by Hubert Wojciechowski
EIP-2026-105003 EXPLOITDB text
Aero CMS v0.0.1 - PHP Code Injection (auth)
by Hubert Wojciechowski
EIP-2026-102477 EXPLOITDB text
Desktop Central 9.1.0 - Multiple Vulnerabilities
by Rafael Pedrero
CVE-2023-31903 EXPLOITDB CRITICAL text
GuppY CMS 6.00.10 - RCE
GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file.
by Chokri Hammedi
CVSS 9.8
CVE-2018-5701 EXPLOITDB CRITICAL text
Iolo System Shield - Memory Corruption
In Iolo System Shield AntiVirus and AntiSpyware 5.0.0.136, the amp.sys driver file contains an Arbitrary Write vulnerability due to not validating input values from IOCtl 0x00226003.
by Brandon Marshall
CVSS 9.8
CVE-2022-37109 EXPLOITDB CRITICAL text
Camp < 2022-07-21 - Insufficiently Protected Credentials
patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when password.txt is accessed can be bypassed. Furthermore, it is not necessary to crack the password hash to authenticate with the application because the password hash is also used as the cookie secret, so an attacker can generate his own authentication cookie.
by Elias Hohl
CVSS 9.8
CVE-2022-34668 EXPLOITDB CRITICAL text
Nvidia Nvflare < 2.1.4 - Insecure Deserialization
NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.
by Elias Hohl
CVSS 9.8
EIP-2026-114535 EXPLOITDB text
Yoga Class Registration System v1.0 - Multiple SQLi
by Abdulhakim Öner
CVE-2022-3141 EXPLOITDB HIGH text VERIFIED
Cozmoslabs Translatepress < 2.3.3 - SQL Injection
The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.
by Elias Hohl
CVSS 8.8
CVE-2022-26982 EXPLOITDB HIGH text VERIFIED
SimpleMachinesForum <2.1.1 - Authenticated RCE
SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the ability to modify themes, and can thus choose any PHP code that they wish to have executed on the server.
by Sarang Tumne
CVSS 7.2
EIP-2026-111072 EXPLOITDB text
PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS
by Prasheek Kamble
EIP-2026-110086 EXPLOITDB text
Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
by yousef alraddadi
CVE-2022-3142 EXPLOITDB HIGH text VERIFIED
Basixonline Nex-forms < 7.9.7 - SQL Injection
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.
by Elias Hohl
CVSS 8.8
CVE-2022-26149 EXPLOITDB HIGH text VERIFIED
MODX Revolution <2.8.3-pl - Authenticated RCE
MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.
by Sarang Tumne
CVSS 7.2
EIP-2026-109076 EXPLOITDB text
Lavalite v9.0.0 - XSRF-TOKEN cookie File path traversal
by nu11secur1ty
CVE-2022-26986 EXPLOITDB HIGH text
ImpressCMS <1.4.3 - SQL Injection
SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.
by Sarang Tumne
CVSS 7.2
EIP-2026-107678 EXPLOITDB text
Human Resources Management System v1.0 - Multiple SQLi
by Abdulhakim Öner
By Source
All 31,341 Exploitdb 50,121 Writeup 46,637 Nomisec 21,130 Metasploit 3,189 Github 2,236 Vulncheck_xdb 900 Inthewild 518 Gitlab 438 Gitee 415 Patchapalooza 312
By Language
text 31,341 ruby 5,920 python 5,730 c 3,550 perl 2,854 html 2,054 php 1,334 bash 459 java 359 javascript 260 c++ 246 shell 68 go 41 postscript 25 xml 24