Text Exploits

31,386 exploits tracked across all sources.

CVE-2022-50892 EXPLOITDB HIGH text
VIAVIWEB Wallpaper Admin 1.0 - SQL Injection
VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting the 'admin' or 1=1-- - payload to gain unauthorized access to the administrative interface.
by Edd13Mora
CVSS 8.2
CVE-2022-38841 EXPLOITDB HIGH text
Linksys AX3200 1.1.00 - Command Injection
Linksys AX3200 1.1.00 is vulnerable to OS command injection by authenticated users via shell metacharacters to the diagnostics traceroute page.
by Ahmed Alroky
CVSS 8.8
EIP-2026-101085 EXPLOITDB text
SoX 14.4.2 - Denial Of Service
by LiquidWorm
CVE-2022-37197 EXPLOITDB HIGH text
IOBit IOTransfer V4 - Unquoted Service Path
IOBit IOTransfer V4 is vulnerable to Unquoted Service Path.
by BLAY ABU SAFIAN
CVSS 7.8
CVE-2022-31188 EXPLOITDB HIGH text
CVAT < 2.0.0 - Server-Side Request Forgery
CVAT is an open-source interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a server-side request forgery (SSRF) vulnerability. Validation has been added to URLs used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.
by Emir Polat
CVSS 8.6
CVE-2022-23854 EXPLOITDB HIGH text
AVEVA InTouch Access Anywhere <2020 R2 - Path Traversal
AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.
by Jens Regel
CVSS 7.5
CVE-2022-2441 EXPLOITDB HIGH text
ImageMagick Engine < 1.7.5 - Unauthenticated Remote Code Execution via cli_path Parameter
The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including, 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and/or modify files hosted on the server, which can easily grant attackers backdoor access to the affected server.
by ABDO10
CVSS 8.8
CVE-2022-2840 EXPLOITDB CRITICAL text VERIFIED
Zephyr Project Manager <3.2.5 - SQL Injection
The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections.
by Rizacan Tufan
CVSS 9.8
CVE-2022-50945 EXPLOITDB MEDIUM text
WordPress 3dady Real-Time Web Stats 1.0 Stored XSS
WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
by UnD3sc0n0c1d0
CVSS 6.4
CVE-2022-50896 EXPLOITDB MEDIUM text
Testa 3.5.1 - Reflected Cross-Site Scripting via Login Redirect Parameter
Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in the victim's browser context.
by Ashkan Moghaddas
CVSS 6.1
CVE-2022-50895 EXPLOITDB CRITICAL text
Aero CMS 0.0.1 - SQL Injection
Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system.
by nu11secur1ty
CVSS 9.8
CVE-2022-2941 EXPLOITDB MEDIUM text VERIFIED
WP-UserOnline <= 2.88.0 - Authenticated Stored Cross-Site Scripting in Naming Conventions
The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the "Naming Conventions" section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
by UnD3sc0n0c1d0
CVSS 5.5
CVE-2022-34140 EXPLOITDB MEDIUM text
Feehi CMS 2.1.1 - Stored Cross-Site Scripting via Username Field
A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
by yuyudhn
CVSS 5.4
CVE-2022-36633 EXPLOITDB HIGH text
Teleport < 10.1.2 and < 8.3.17 - Unauthenticated Remote Code Execution via SSH Agent Installation Link
Teleport 9.3.6 is vulnerable to command injection leading to remote code execution. An attacker can craft a malicious SSH agent installation link by URL-encoding a bash escape with a carriage return line feed. This URL-encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is a fully unauthenticated attack utilizing the trusted Teleport server to deliver the payload.
by Brandon Roach
CVSS 8.8
CVE-2023-31904 EXPLOITDB HIGH text
savysoda Wifi HD Wireless Disk Drive 11 - Local File Inclusion
savysoda Wifi HD Wireless Disk Drive 11 is vulnerable to Local File Inclusion.
by Chokri Hammedi
CVSS 7.5
CVE-2022-2651 EXPLOITDB CRITICAL text VERIFIED
bookwyrm-social/bookwyrm <0.4.5 - Auth Bypass
Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5.
by Akshay Ravi
CVSS 9.8
EIP-2026-101577 EXPLOITDB text
Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass
by Jordan Glover
CVE-2022-50947 EXPLOITDB MEDIUM text
WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS
WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking.
by Luqman Hakim Zahari
CVSS 6.4
CVE-2022-50946 EXPLOITDB MEDIUM text
WordPress Plugin Netroics Blog Posts Grid 1.0 Stored XSS
WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject script payloads through the testimonial title field that execute in the browsers of other users viewing the draft post, enabling cookie theft and session hijacking.
by Luqman Hakim Zahari
CVSS 6.4
CVE-2022-1040 EXPLOITDB CRITICAL text
Sophos Firewall < 18.5.3 - Unauthenticated Remote Code Execution
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
by Aryan Chehreghani
CVSS 9.8
CVE-2022-34140 EXPLOITDB MEDIUM text
Feehi CMS 2.1.1 - Stored Cross-Site Scripting via Username Field
A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
by Shivam Singh
CVSS 5.4
CVE-2021-42750 EXPLOITDB MEDIUM text
ThingsBoard 3.3.1 - Authenticated Stored Cross-Site Scripting in Rule Engine Node Title
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the title of a rule node.
by Steffen Langenfeld
CVSS 4.8
CVE-2021-42751 EXPLOITDB MEDIUM text
ThingsBoard 3.3.1 - Authenticated Stored Cross-Site Scripting in Rule Engine Description
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule node.
by Steffen Langenfeld
CVSS 4.8
CVE-2020-20277 EXPLOITDB CRITICAL text
uftpd 2.7-2.10 - Unauthenticated Directory Traversal via FTP Command Chroot Bypass
There are multiple unauthenticated directory traversal vulnerabilities in different FTP commands in uftpd FTP server versions 2.7 to 2.10 due to improper implementation of a chroot jail in common.c's compose_abspath function that can be abused to read or write to arbitrary files on the filesystem, leak process memory, or potentially lead to remote code execution.
by Aaron Esau
CVSS 9.8
CVE-2022-36642 EXPLOITDB CRITICAL text
Omnia MPX Node Firmware < 1.5.0 - Unauthenticated Local File Disclosure via /appConfig/userDB.json
A local file disclosure vulnerability in /appConfig/userDB.json of Telos Alliance Omnia MPX Node through 1.0.0-1.4.9 allows attackers to access users' credentials, enabling them to gain initial access to the control panel with high privilege, because sensitive information is stored in cleartext and can be exposed by exploiting the LFD vulnerability.
by Momen Eldawakhly
CVSS 9.8