Text Exploits

31,341 exploits tracked across all sources.

EIP-2026-114179 EXPLOITDB text
WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi
by nu11secur1ty
EIP-2026-117384 EXPLOITDB text
Kite 1.2021.610.0 - Unquoted Service Path
by Ghaleb Al-otaibi
EIP-2026-117073 EXPLOITDB text
Dr. Fone 4.0.8 - 'net_updater32.exe' Unquoted Service Path
by Esant1490
CVE-2022-33098 EXPLOITDB MEDIUM text
Magnolia CMS <6.2.19 - XSS
Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
by Giulio Garzia Ozozuz
CVSS 6.1
CVE-2022-50908 EXPLOITDB HIGH text
Mailhog 1.0.1 - XSS
Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation.
by Vulnz
CVSS 7.2
EIP-2026-114185 EXPLOITDB text
WordPress Plugin Weblizar 8.9 - Backdoor
by Sobhan Mahmoodi
CVE-2021-37589 EXPLOITDB HIGH text
Virtuasoftware Cobranca < 12r - SQL Injection
Virtua Cobranca before 12R allows SQL Injection on the login page.
by Luca Regne
CVSS 7.5
CVE-2022-31885 EXPLOITDB CRITICAL text
Marvalglobal Marval Msm - OS Command Injection
Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts.
by Momen Eldawakhly
CVSS 9.8
CVE-2022-31886 EXPLOITDB MEDIUM text
Marvalglobal Marval Msm - CSRF
Marval MSM v14.19.0.12476 is vulnerable to Cross Site Request Forgery (CSRF). An attacker can disable the 2FA by sending the user a malicious form.
by Momen Eldawakhly
CVSS 6.5
EIP-2026-117836 EXPLOITDB text
Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
by Eduardo Braun Prado
EIP-2026-117835 EXPLOITDB text
Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
by Eduardo Braun Prado
EIP-2026-117281 EXPLOITDB text
HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
by Ali Alipour
EIP-2026-110024 EXPLOITDB text
Old Age Home Management System 1.0 - SQLi Authentication Bypass
by twseptian
CVE-2022-31325 EXPLOITDB HIGH text
ChurchCRM 4.4.5 - SQL Injection
There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
by nu11secur1ty
CVSS 7.2
CVE-2022-29296 EXPLOITDB MEDIUM text
Avantune Genialcloud ProJ <10 - XSS
A reflected cross-site scripting (XSS) vulnerability in the login portal of Avantune Genialcloud ProJ - 10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
by Andrea Intilangelo
CVSS 6.1
CVE-2022-29299 EXPLOITDB text
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-20660. Reason: This candidate is a reservation duplicate of CVE-2021-20660. Notes: All CVE users should reference CVE-2021-20660 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
by Ahmed Alroky
CVE-2022-29301 EXPLOITDB text
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-20660. Reason: This candidate is a reservation duplicate of CVE-2021-20660. Notes: All CVE users should reference CVE-2021-20660 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
by Ahmed Alroky
EIP-2026-113908 EXPLOITDB text
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)
by Sanjay Singh
CVE-2022-1631 EXPLOITDB HIGH text
Microweber < 1.2.15 - Incorrect Authorization
Users Account Pre-Takeover or Users Account Takeover in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since there is no email confirmation, an attacker can easily create an account in the application using the Victim’s Email. This allows an attacker to gain pre-authentication to the victim’s account. Further, due to the lack of proper validation of email coming from Social Login and failing to check if an account already exists, the victim will not identify if an account is already existing. Hence, the attacker’s persistence will remain. An attacker would be able to see all the activities performed by the victim user, impacting the confidentiality, and attempt to modify/corrupt the data, impacting the integrity and availability factor. This attack becomes more interesting when an attacker can register an account from an employee’s email address. Assuming the organization uses G-Suite, it is much more impactful to hijack into an employee’s account.
by Manojkumar J
CVSS 8.8
CVE-2022-30525 EXPLOITDB CRITICAL text
Zyxel Firewall SUID Binary Privilege Escalation
An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
by Valentin Lobstein
CVSS 9.8
CVE-2022-29298 EXPLOITDB HIGH text
SolarView Compact <6.00 - Path Traversal
SolarView Compact ver.6.00 allows attackers to access sensitive files via directory traversal.
by Ahmed Alroky
CVSS 7.5
CVE-2022-31856 EXPLOITDB CRITICAL text
Newsletter Module - SQL Injection
Newsletter Module v3.x was discovered to contain a SQL injection vulnerability via the zemez_newsletter_email parameter at /index.php.
by Saud Alenazi
CVSS 9.8
CVE-2022-28132 EXPLOITDB HIGH text
T-Soft E-Commerce 4 - SQL Injection
The T-Soft E-Commerce 4 web application is susceptible to SQL injection (SQLi) attacks when authenticated as an admin or privileged user. This vulnerability allows attackers to access and manipulate the database through crafted requests. By exploiting this flaw, attackers can bypass authentication mechanisms, view sensitive information stored in the database, and potentially exfiltrate data.
by Alperen Ergel
CVSS 7.2
CVE-2022-0967 EXPLOITDB MEDIUM text
Showdoc < 2.10.4 - XSS
Stored XSS via File Upload in GitHub repository star7th/showdoc prior to 2.10.4.
by Akshay Ravi
CVSS 5.4
EIP-2026-104460 EXPLOITDB text
T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)
by Alperen Ergel