Text Exploits
31,341 exploits tracked across all sources.
Code-projects Online Exam Mastering System - XSS
code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) in feedback.php via the "q" parameter allowing remote attackers to execute arbitrary code.
by Pruthu Raut
CVSS 6.1
Langflow AI - Unauthenticated Remote Code Execution
Langflow versions prior to 1.3.0 are susceptible to code injection in
the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary
code.
by VeryLazyTech
CVSS 9.8
AnyDesk 7.0.15,9.0.1 - Code Injection
AnyDesk 7.0.15 and 9.0.1 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted service path configuration to inject malicious executables that will be run with high-level system permissions.
by Parastou Razi
ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) - Authenticated Path Traversal
by LiquidWorm
ABB Aspect-ent-2 Firmware < 3.08.03 - Code Injection
Unauthorized Access vulnerabilities allow Remote Code Execution.
Affected products:
ABB ASPECT - Enterprise v3.08.02;
NEXUS Series v3.08.02;
MATRIX Series v3.08.02
by LiquidWorm
CVSS 10.0
compop.ca ONLINE MALL <3.5.3 - RCE
An issue in compop.ca ONLINE MALL v.3.5.3 allows a remote attacker to execute arbitrary code via the rid, tid, et, and ts parameters.
by dmlino
CVSS 9.8
Phpgurukul Blood Bank & Donor Managem... - Missing Authorization
A vulnerability has been found in PHPGurukul Blood Bank & Donor Management System 2.4 and classified as problematic. This vulnerability affects unknown code of the file /logout.php. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
by Kwangyun Keum
CVSS 4.3
TP-Link VN020 F3v(T) TT_V6.2.1021 - DoS
A vulnerability was found in TP-Link VN020 F3v(T) TT_V6.2.1021. It has been rated as critical. This issue affects some unknown processing of the file /control/WANIPConnection of the component Incomplete SOAP Request Handler. The manipulation leads to denial of service. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used.
by Mohamed Maatallah
CVSS 6.5
Kodcloud Kodexplorer - Open Redirect
KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter. Attackers can craft malicious URLs in the link parameter to redirect users to arbitrary external websites after authentication.
by Rahad Chowdhury
CVSS 6.1
Software AG webMethods <10.15.0 - Info Disclosure
The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI.
by Rasime Ekici
CVSS 7.5
Hugging Face Transformers MobileViTV2 - Deserialization
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.
by The Kernel Panic
CVSS 8.8
Smart Manager WP <8.28.0 - SQL Injection
The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
by Ivan Spiridonov
CVSS 7.2
phpMyFAQ <3.2.10 - XSS
phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue.
by Geo
CVSS 4.9
Phpmyfaq < 3.1.9 - XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.9.
by CodeSecLab
CVSS 6.1
ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) - Remote Code Execution
by LiquidWorm
ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS
by LiquidWorm
ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) - File Write DoS
by LiquidWorm
Vanquish Woocommerce Customers Manager < 29.7 - SQL Injection
The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.
by Ivan Spiridonov
CVSS 8.1
Sismics Teedy - XSS
Teedy 1.11 is vulnerable to Cross Site Scripting (XSS) via the management console.
by Ayato Shitomi @ Fore-Z co.ltd
CVSS 8.4
Proconf < 6.1 - IDOR
In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter).
by ub3rsick
CVSS 6.5
Garage Management System v1.0 - XSS
A stored cross-site scripting (XSS) vulnerability in Garage Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the categoriesName parameter in createCategories.php.
by ub3rsick
CVSS 5.4
Ethercreative Logs < 3.0.4 - Path Traversal
The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.
by ub3rsick
CVSS 4.9
CommScope Ruckus IoT Controller <1.7.1.0 - Privilege Escalation
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account.
by ub3rsick
CVSS 9.8
ASUS ASMB8 iKVM <1.14.51 - RCE
ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.
by ub3rsick
CVSS 9.8
By Source