Text Exploits

31,386 exploits tracked across all sources.

EIP-2026-107220 EXPLOITDB text
Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
by fuzzyap1
CVE-2021-47759 EXPLOITDB MEDIUM text
MTPutty 1.0.1.21 - Sensitive Information Disclosure via PowerShell Process Listing
MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials.
by Sedat Ozdemir
CVSS 6.2
EIP-2026-112605 EXPLOITDB text
TestLink 1.19 - Arbitrary File Download (Unauthenticated)
by Gonzalo Villegas
CVE-2020-23935 EXPLOITDB CRITICAL text
Kabir Alhasan Student Management System 1.0 - Auth Bypass
Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".
by Enes Özeser
CVSS 9.8
EIP-2026-106867 EXPLOITDB text
Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass
by able403
EIP-2026-106866 EXPLOITDB text
Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)
by able403
EIP-2026-117265 EXPLOITDB text
HCL Lotus Notes V12 - Unquoted Service Path
by Mert Daş
CVE-2021-44673 EXPLOITDB HIGH text
Croogo 3.0.2 - Remote Code Execution via Admin File Manager Attachments Upload
A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2 via admin/file-manager/attachments, which lets a malicious user upload a web shell script.
by Deha Berkin Bir
CVSS 8.8
EIP-2026-101166 EXPLOITDB text
Auerswald COMpact 8.0B - Privilege Escalation
by RedTeam Pentesting GmbH
CVE-2021-40859 EXPLOITDB CRITICAL text
Auerswald COMpact 5500R <8.0B - RCE
Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices that give attackers with access to the web-based management application full administrative access to the device.
by RedTeam Pentesting GmbH
CVSS 9.8
EIP-2026-101165 EXPLOITDB text
Auerswald COMpact 8.0B - Arbitrary File Disclosure
by RedTeam Pentesting GmbH
EIP-2026-101164 EXPLOITDB text
Auerswald COMfortel 2.8F - Authentication Bypass
by RedTeam Pentesting GmbH
CVE-2021-47922 EXPLOITDB MEDIUM text
WordPress Plugin Slider by Soliloquy 2.6.2 Stored XSS
Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of users viewing the slider on both administrative and frontend pages.
by Abdurrahman Erkan
CVSS 6.4
CVE-2021-39316 EXPLOITDB HIGH text
Zoomsounds <= 6.45 - Unauthenticated Arbitrary File Read via dzsap_download Action
The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter.
by Uriel Yochpaz
CVSS 7.5
EIP-2026-113558 EXPLOITDB text
WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)
by Mohamed Magdy Abumusilm
CVE-2021-44655 EXPLOITDB CRITICAL text
Online Pre-owned/Used Car Showroom Management System 1.0 - SQL Injection Authentication Bypass via Login Form
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form, allowing an attacker to get admin access to the application.
by Mohamed habib Smidi
CVSS 9.8
CVE-2021-44653 EXPLOITDB CRITICAL text
Online Magazine Management System 1.0 - SQL Injection Authentication Bypass via Login Form
Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form, allowing an attacker to gain access as admin to the application.
by Mohamed habib Smidi
CVSS 9.8
CVE-2021-47761 EXPLOITDB HIGH text
MilleGPG5 5.7.2 - Privilege Escalation
MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts.
by Alessandro Salzano
CVSS 7.8
CVE-2021-40577 EXPLOITDB MEDIUM text
Sourcecodester Online Enrollment Management System - XSS
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 in the Add-Users page via the Name parameter.
by Tushar Jadhav
CVSS 5.4
CVE-2021-47923 EXPLOITDB CRITICAL text
OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie
OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.
by Hubert Wojciechowski
CVSS 9.8
CVE-2021-47721 EXPLOITDB HIGH text
Orangescrum 1.8.0 - Session Cookie Account Takeover
Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.
by Hubert Wojciechowski
CVSS 8.8
CVE-2021-47720 EXPLOITDB HIGH text
Orangescrum 1.8.0 - Authenticated SQL Injection via Multiple Parameters
Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.
by Hubert Wojciechowski
CVSS 7.1
CVE-2021-47716 EXPLOITDB MEDIUM text
Orangescrum 1.8.0 - Authenticated Cross-Site Scripting via Input Parameters
Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victims' browsers by submitting crafted payloads through application endpoints.
by Hubert Wojciechowski
CVSS 5.4
EIP-2026-104182 EXPLOITDB text
Bagisto 1.3.3 - Client-Side Template Injection
by Mohamed Abdellatif Jaber
CVE-2021-47762 EXPLOITDB HIGH text
HTTPDebuggerPro 9.11 - Code Injection
HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system.
by Aryan Chehreghani
CVSS 7.8