Exploitdb Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
CVE-2013-10049 EXPLOITDB CRITICAL text
Raidsonic IB-NAS5220 and IB-NAS4220 - Unauthenticated OS Command Injection via timeHandler.cgi timeZone Parameter
An OS command injection vulnerability exists in multiple Raidsonic NAS devices—specifically tested on IB-NAS5220 and IB-NAS4220—via the unauthenticated timeHandler.cgi endpoint exposed through the web interface. The CGI script fails to properly sanitize user-supplied input in the timeZone parameter of a POST request, allowing remote attackers to inject arbitrary shell commands.
by m-1-k-3
EIP-2026-119435 EXPLOITDB text
SonicWALL Scrutinizer 9.5.2 - SQL Injection
by Vulnerability-Lab
EIP-2026-119434 EXPLOITDB text
SonicWALL OEM Scrutinizer 9.5.2 - Multiple Vulnerabilities
by Vulnerability-Lab
CVE-2013-0291 EXPLOITDB HIGH text VERIFIED
NextGEN Gallery Plugin for WordPress 1.9.10-1.9.11 - Path Disclosure
NextGEN Gallery Plugin for WordPress 1.9.10 and 1.9.11 has a Path Disclosure Vulnerability
by Henrique Montenegro
CVSS 7.5
EIP-2026-112889 EXPLOITDB text VERIFIED
Ultra Light Forum - Persistent Cross-Site Scripting
by cr4wl3r
EIP-2026-102079 EXPLOITDB text
Transferable Remote 1.1 iPad iPhone - Multiple Vulnerabilities
by Vulnerability-Lab
EIP-2026-101905 EXPLOITDB text
OpenPLI 3.0 Beta (OpenPLi-beta-dm7000-20130127-272) - Multiple Vulnerabilities
by m-1-k-3
EIP-2026-112343 EXPLOITDB text VERIFIED
Sonar - Multiple Cross-Site Scripting Vulnerabilities
by DevilTeam
EIP-2026-110356 EXPLOITDB text VERIFIED
osCommerce - Cross-Site Request Forgery
by Jakub Galczyk
EIP-2026-105509 EXPLOITDB text VERIFIED
BlackNova Traders - 'news.php' SQL Injection
by ITTIHACK
CVE-2013-10062 EXPLOITDB MEDIUM text VERIFIED
Linksys router <1.0.00-1.0.05 - Path Traversal
A directory traversal vulnerability exists in Linksys router's web interface (tested on the E1500 model firmware versions 1.0.00, 1.0.04, and 1.0.05), specifically in the /apply.cgi endpoint. Authenticated attackers can exploit the next_page POST parameter to access arbitrary files outside the intended web root by injecting traversal sequences. This allows exposure of sensitive system files and configuration data.
by m-1-k-3
CVE-2013-10059 EXPLOITDB HIGH text
D-Link DIR-615H1 <8.04 - Command Injection
An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.
by m-1-k-3
CVSS 7.2
CVE-2013-10058 EXPLOITDB HIGH text
Linksys router <v2.0.03 - Command Injection
An authenticated OS command injection vulnerability exists in various Linksys router models (tested on WRT160Nv2) running firmware version v2.0.03 via the apply.cgi endpoint. The web interface fails to properly sanitize user-supplied input passed to the ping_size parameter during diagnostic operations. An attacker with valid credentials can inject arbitrary shell commands, enabling remote code execution.
by m-1-k-3
CVE-2013-0008 EXPLOITDB text
Windows Vista/7/8, Server 2008/2012, RT - Privilege Escalation via Win32k Window Broadcast
win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."
by 0vercl0k
EIP-2026-107954 EXPLOITDB text
IRIS Citations Management Tool - (Authenticated) Remote Command Execution
by aeon
EIP-2026-107946 EXPLOITDB text VERIFIED
IP.Gallery 4.2.x/5.0.x - Persistent Cross-Site Scripting
by Mohamed Ramadan
EIP-2026-103483 EXPLOITDB text
Google Chrome - Silent HTTP Authentication
by T355
EIP-2026-102053 EXPLOITDB text
TP-Link - Admin Panel Multiple Cross-Site Request Forgery Vulnerabilities
by CYBSEC Labs
CVE-2013-2678 EXPLOITDB HIGH text
Cisco Linksys E4200 1.0.05 - Code Injection
Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted URL request to the apply.cgi script using the submit_type parameter.
by m-1-k-3
CVSS 8.1
EIP-2026-101836 EXPLOITDB text
Linksys WAG200G - Multiple Vulnerabilities
by m-1-k-3
CVE-2013-2678 EXPLOITDB HIGH text VERIFIED
Cisco Linksys E4200 1.0.05 - Code Injection
Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted URL request to the apply.cgi script using the submit_type parameter.
by m-1-k-3
CVSS 8.1
EIP-2026-101515 EXPLOITDB text
Air Disk Wireless 1.9 iPad iPhone - Multiple Vulnerabilities
by Vulnerability-Lab
EIP-2026-106697 EXPLOITDB text VERIFIED
Easy Live Shop System - SQL Injection
by Ramdan Yantu
EIP-2026-114345 EXPLOITDB text VERIFIED
WordPress Theme Pinboard - 'tab' Cross-Site Scripting
by Henrique Montenegro
EIP-2026-101482 EXPLOITDB text VERIFIED
TP-Link TL-WR2543ND Router - Admin Panel Multiple Cross-Site Request Forgery Vulnerabilities
by Juan Manuel Garcia