Text Exploits

31,341 exploits tracked across all sources.

EIP-2026-113558 EXPLOITDB text
WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)
by Mohamed Magdy Abumusilm
CVE-2021-44655 EXPLOITDB CRITICAL text
Online Pre-owned/used Car Showroom Management System - SQL Injection
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form, allowing an attacker to gain admin access to the application.
by Mohamed habib Smidi
CVSS 9.8
CVE-2021-44653 EXPLOITDB CRITICAL text
Oretnom23 Online Magazine Management System - SQL Injection
Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form, allowing an attacker to gain access as admin to the application.
by Mohamed habib Smidi
CVSS 9.8
CVE-2021-47761 EXPLOITDB HIGH text
MilleGPG5 5.7.2 - Privilege Escalation
MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts.
by Alessandro Salzano
CVSS 7.8
CVE-2021-40577 EXPLOITDB MEDIUM text
Sourcecodester Online Enrollment Management System - XSS
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 in the Add-Users page via the Name parameter.
by Tushar Jadhav
CVSS 5.4
CVE-2021-47721 EXPLOITDB HIGH text
Orangescrum - IDOR
Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.
by Hubert Wojciechowski
CVSS 8.8
CVE-2021-47720 EXPLOITDB HIGH text
Orangescrum - SQL Injection
Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.
by Hubert Wojciechowski
CVSS 7.1
CVE-2021-47716 EXPLOITDB MEDIUM text
Orangescrum - XSS
Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victims' browsers by submitting crafted payloads through application endpoints.
by Hubert Wojciechowski
CVSS 5.4
EIP-2026-110273 EXPLOITDB text
opencart 3.0.3.8 - Session Injection
by Hubert Wojciechowski
EIP-2026-104182 EXPLOITDB text
Bagisto 1.3.3 - Client-Side Template Injection
by Mohamed Abdellatif Jaber
CVE-2021-47762 EXPLOITDB HIGH text
HTTPDebuggerPro 9.11 - Code Injection
HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system.
by Aryan Chehreghani
CVSS 7.8
CVE-2022-35156 EXPLOITDB CRITICAL text VERIFIED
Phpgurukul Bus Pass Management System - SQL Injection
Bus Pass Management System 1.0 was discovered to contain a SQL Injection vulnerability via the searchdata parameter at /buspassms/download-pass.php.
by Abhijeet Singh
CVSS 9.8
CVE-2021-43650 EXPLOITDB CRITICAL text
WebRun 3.6.0.42 - SQL Injection
WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.
by Vinicius Alves
CVSS 9.8
EIP-2026-104252 EXPLOITDB text
FLEX 1085 Web 1.6.0 - HTML Injection
by Mr Empy
CVE-2021-47763 EXPLOITDB HIGH text
Aimeos-laravel - SQL Injection
Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint.
by Ilker Burak ADIYAMAN
CVSS 8.2
CVE-2021-22205 EXPLOITDB CRITICAL text
Gitlab < 13.8.8 - Code Injection
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
by Jacob Baines
CVSS 10.0
EIP-2026-111641 EXPLOITDB text
Quick.CMS 6.7 - Cross Site Request Forgery (CSRF) to Cross Site Scripting (XSS) (Authenticated)
by Rahad Chowdhury
CVE-2021-35323 EXPLOITDB MEDIUM text
Bludit <3-13-1 - XSS
Cross Site Scripting (XSS) vulnerability exists in bludit 3-13-1 via the username in admin/login.
by Vasu
CVSS 6.1
EIP-2026-104203 EXPLOITDB text
CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
by Hosein Vita
CVE-2021-24664 EXPLOITDB MEDIUM text
Igexsolutions Wpschoolpress < 2.1.17 - XSS
The School Management System – WPSchoolPress WordPress plugin before 2.1.17 sanitises some fields using sanitize_text_field() but does not escape them before outputting them in attributes, resulting in Stored Cross-Site Scripting issues.
by Davide Taraschi
CVSS 4.8
EIP-2026-113650 EXPLOITDB text
WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
by Mohammed Aadhil Ashfaq
CVE-2021-43140 EXPLOITDB CRITICAL text
Sourcecodester 1.0 - SQL Injection
A SQL Injection vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the login.
by Daniel Haro
CVSS 9.8
CVE-2021-43617 EXPLOITDB CRITICAL text
Laravel Framework <8.70.2 - Code Injection
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
by Hosein Vita
CVSS 9.8
EIP-2026-107302 EXPLOITDB text
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
by Rahad Chowdhury
CVE-2021-43329 EXPLOITDB CRITICAL text
Mumara Classic <2.93 - SQL Injection
A SQL injection vulnerability in license_update.php in Mumara Classic through 2.93 allows a remote unauthenticated attacker to execute arbitrary SQL commands via the license parameter.
by Shain Lakin
CVSS 9.8