Text Exploits

31,386 exploits tracked across all sources.

CVE-2022-35156 EXPLOITDB CRITICAL text VERIFIED
Bus Pass Management System 1.0 - SQL Injection via Searchdata Parameter
Bus Pass Management System 1.0 was discovered to contain a SQL Injection vulnerability via the searchdata parameter at /buspassms/download-pass.php.
by Abhijeet Singh
CVSS 9.8
CVE-2021-43650 EXPLOITDB CRITICAL text
WebRun 3.6.0.42 - SQL Injection via P_0 Parameter
WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.
by Vinicius Alves
CVSS 9.8
EIP-2026-104252 EXPLOITDB text
FLEX 1085 Web 1.6.0 - HTML Injection
by Mr Empy
CVE-2021-47763 EXPLOITDB HIGH text
Aimeos 2021.10 LTS - SQL Injection via JSON API Sort Parameter
Aimeos 2021.10 LTS contains a SQL injection vulnerability in the JSON API 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint.
by Ilker Burak ADIYAMAN
CVSS 8.2
CVE-2021-47981 EXPLOITDB MEDIUM text
Quick.CMS 6.7 Cross-Site Scripting via CSRF to Sliders Form
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute arbitrary JavaScript in victim browsers when the form is submitted.
by Rahad Chowdhury
CVSS 5.4
CVE-2021-22205 EXPLOITDB CRITICAL text
GitLab 11.9.0-13.8.7 - Unauthenticated Remote Code Execution via ExifTool Image Parsing
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
by Jacob Baines
CVSS 10.0
CVE-2021-35323 EXPLOITDB MEDIUM text
Bludit 3.13.1 - Cross-Site Scripting via Admin Login Username
A Cross-Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the username in admin/login.
by Vasu
CVSS 6.1
CVE-2021-47925 EXPLOITDB MEDIUM text
CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting
CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments.
by Hosein Vita
CVSS 6.4
CVE-2021-47980 EXPLOITDB HIGH text
Fuel CMS 1.4.13 Blind SQL Injection via col Parameter
Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.
by Rahad Chowdhury
CVSS 7.1
CVE-2021-47926 EXPLOITDB MEDIUM text
WordPress Contact Form to Email 1.3.24 Stored XSS
Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft.
by Mohammed Aadhil Ashfaq
CVSS 6.4
CVE-2021-24664 EXPLOITDB MEDIUM text
WPSchoolPress < 2.1.17 - Stored Cross-Site Scripting via Insufficient Output Escaping
The School Management System – WPSchoolPress WordPress plugin before 2.1.17 sanitises some fields using sanitize_text_field() but does not escape them before outputting them in attributes, resulting in Stored Cross-Site Scripting issues.
by Davide Taraschi
CVSS 4.8
CVE-2021-43140 EXPLOITDB CRITICAL text
Simple Subscription Website 1.0 - SQL Injection via Login
A SQL Injection vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the login.
by Daniel Haro
CVSS 9.8
CVE-2021-43617 EXPLOITDB CRITICAL text
Laravel Framework <8.70.2 - Code Injection
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
by Hosein Vita
CVSS 9.8
CVE-2021-47927 EXPLOITDB MEDIUM text
WordPress Plugin WP Symposium Pro 2021.10 Stored XSS via wps_admin_forum_add_name
WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with JavaScript payloads in the wps_admin_forum_add_name parameter, which are stored and executed when the forum is accessed.
by Murat DEMİRCİ
CVSS 6.4
CVE-2021-47910 EXPLOITDB MEDIUM text
WordPress Plugin AccessPress Social Icons 1.8.2 Stored XSS
AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execute when the plugin page is viewed, affecting all users who access the plugin interface.
by Murat DEMİRCİ
CVSS 6.4
CVE-2021-43329 EXPLOITDB CRITICAL text
Mumara Classic <2.93 - SQL Injection
A SQL injection vulnerability in license_update.php in Mumara Classic through 2.93 allows a remote unauthenticated attacker to execute arbitrary SQL commands via the license parameter.
by Shain Lakin
CVSS 9.8
EIP-2026-118116 EXPLOITDB text
Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
by Marcio Mendes
CVE-2023-43959 EXPLOITDB HIGH text
YeaLinkSIP-T19P-E2 <v.53.84.0.15 - RCE
An issue in YeaLinkSIP-T19P-E2 v.53.84.0.15 allows a remote privileged attacker to execute arbitrary code via a crafted request to the ping function of the diagnostic component.
by tahaafarooq
CVSS 8.8
EIP-2026-106855 EXPLOITDB text
Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
by Ragavender A G
EIP-2026-106854 EXPLOITDB text
Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
by İlhami Selamet
CVE-2021-47979 EXPLOITDB HIGH text
WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Deletion
WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.
by Murat DEMİRCİ
CVSS 8.8
CVE-2021-47766 EXPLOITDB HIGH text
Kmaleon 1.1.0.205 - Authenticated SQL Injection via tipocomb Parameter
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.
by Amel BOUZIANE-LEBLOND
CVSS 7.1
EIP-2026-112075 EXPLOITDB text
Simple Client Management System 1.0 - SQLi (Authentication Bypass)
by Sentinal920
EIP-2026-112072 EXPLOITDB text
Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
by Sentinal920
EIP-2026-109553 EXPLOITDB text
Money Transfer Management System 1.0 - Authentication Bypass
by Aryan Chehreghani