Text Exploits

31,433 exploits tracked across all sources.

EIP-2026-113907 EXPLOITDB text
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
by Mohsen Dehghani
EIP-2026-111948 EXPLOITDB text
Scriptcase 9.7 - Remote Code Execution (RCE)
by luckyt0mat0
CVE-2021-42136 EXPLOITDB CRITICAL text
REDCap < 11.4.0 - Stored Cross-Site Scripting in Missing Data Codes
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
by Kendrick Lam
CVSS 9.0
CVE-2022-24181 EXPLOITDB MEDIUM text
PKP Open Journals System >=2.4.8 - XSS
Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header.
by Hemant Kashyap
CVSS 6.1
EIP-2026-107305 EXPLOITDB text
Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)
by Ali J
CVE-2021-4039 EXPLOITDB CRITICAL text
Zyxel NWA-1100-NH - Command Injection
A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
by Ahmed Alroky
CVSS 9.8
EIP-2026-101490 EXPLOITDB text
Verizon 4G LTE Network Extender - Weak Credentials Algorithm
by LiquidWorm
EIP-2026-101250 EXPLOITDB text
Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
by LiquidWorm
CVE-2022-29320 EXPLOITDB HIGH text
MiniTool Partition Wizard v12.0 - Privilege Escalation
MiniTool Partition Wizard v12.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
by Saud Alenazi
CVSS 7.8
CVE-2022-29014 EXPLOITDB HIGH text
Razer Sila Gaming Router <2.0.441_api-2.0.418 - Info Disclosure
A local file inclusion vulnerability in Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to read arbitrary files.
by Kevin Randall
CVSS 7.5
CVE-2022-29013 EXPLOITDB CRITICAL text
Razer Sila Gaming Router <v2.0.441_api-2.0.418 - Command Injection
A command injection in the command parameter of Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to execute arbitrary commands via a crafted POST request.
by Kevin Randall
CVSS 9.8
CVE-2021-46417 EXPLOITDB HIGH text
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Path Traversal
Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.
by Momen Eldawakhly
CVSS 7.5
CVE-2021-46419 EXPLOITDB CRITICAL text
Telesquare TLR-2855KS6 - Info Disclosure
An unauthorized file deletion vulnerability in Telesquare TLR-2855KS6 via DELETE method can allow deletion of system files and scripts.
by Momen Eldawakhly
CVSS 9.1
CVE-2021-46418 EXPLOITDB HIGH text
Telesquare TLR-2855KS6 - Info Disclosure
An unauthorized file creation vulnerability in Telesquare TLR-2855KS6 via PUT method can allow creation of CGI scripts.
by Momen Eldawakhly
CVSS 7.5
CVE-2021-46416 EXPLOITDB HIGH text
SUNNY TRIPOWER 5.0 - Info Disclosure
Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.
by Momen Eldawakhly
CVSS 8.1
CVE-2022-23909 EXPLOITDB HIGH text
Sherpa Connector Service <2020.2.20328.2050 - Privilege Escalation
There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might allow a local user to escalate privileges by creating a "C:\Program Files\Sherpa Software\Sherpa.exe" file.
by Manthan Chhabra
CVSS 7.8
CVE-2022-26180 EXPLOITDB HIGH text
qdPM 9.2 - Cross-Site Request Forgery via My Account Update Endpoint
qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI.
by Chetanya Sharma
CVSS 8.8
CVE-2022-1163 EXPLOITDB MEDIUM text
minewebcms < 1.15.2 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository mineweb/minewebcms prior to next.
by Chetanya Sharma
CVSS 4.8
EIP-2026-109021 EXPLOITDB text
KLiK Social Media Website 1.0 - 'Multiple' SQLi
by corpse
EIP-2026-107729 EXPLOITDB text
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion
by Devansh Bordia
CVE-2021-43009 EXPLOITDB MEDIUM text
OpServices OpMon <= 9.11 - Cross-Site Scripting via Search Parameter
A Cross Site Scripting (XSS) vulnerability exists in OpServices OpMon through 9.11 via the search parameter in the request URL.
by Marlon Petry
CVSS 6.1
CVE-2022-50953 EXPLOITDB MEDIUM text
WordPress Plugin admin-word-count-column 2.2 Local File Read
WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path parameter. Attackers can send GET requests to download-csv.php with a crafted path parameter containing directory traversal sequences and null bytes to bypass file restrictions and read sensitive files like system configuration.
by Hassan Khan Yusufzai
CVSS 6.2
CVE-2022-50957 EXPLOITDB MEDIUM text
Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS
Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.
by Milad karimi
CVSS 6.1
CVE-2022-50955 EXPLOITDB MEDIUM text
WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery
WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page with curtain parameters to toggle maintenance mode without valid nonce validation.
by Hassan Khan Yusufzai
CVSS 4.3
CVE-2022-50954 EXPLOITDB MEDIUM text
WordPress Plugin cab-fare-calculator 1.0.3 Local File Inclusion
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include arbitrary files outside the intended controllers directory.
by Hassan Khan Yusufzai
CVSS 6.2