Exploitdb Exploits
31,341 exploits tracked across all sources.
Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
by blockomat2100
Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
by Sam Ferguson
Eclipse Jetty - Information Disclosure
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
by Mayank Deshmukh
CVSS 5.3
Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read
by z4nd3r
Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
by Ghuliev
Macro Expert 4.7 - Privilege Escalation
Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup.
by Mert Daş
CVSS 7.8
Dolibarr ERP-CRM 14.0.2 - XSS
Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.
by Oscar Gil Gutierrez
CVSS 5.4
Sonicwall Sma 200 Firmware < 9.0.0.10-28sv - Improper Access Control
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
by Jacob Baines
CVSS 9.1
Enfold WordPress <4.8.4 - XSS
The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.
by David Álvarez Robles
CVSS 6.1
Myfactory Fms < 7.1-912 - XSS
myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
by RedTeam Pentesting GmbH
CVSS 6.1
Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)
by John Jefferson Li
Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)
by Aniket Deshmane
Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)
by Aniket Deshmane
Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)
by Aniket Deshmane
Plastic SCM <10.0.16.5622 - Info Disclosure
Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface.
by Basavaraj Banakar
CVSS 7.5
Mitsubishi Electric Europe B.V. SmartRTU - Info Disclosure
Mitsubishi Electric Europe B.V. SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
by Hamit CİBO
CVSS 7.5
Mitsubishielectric Smartrtu Firmware - XSS
Mitsubishi Electric Europe B.V. SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
by Hamit CİBO
CVSS 6.1
Hkurl I-panel Administration System - XSS
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console and it is possible to insert a vulnerable malicious button.
by Forster Chiu
CVSS 6.1
TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
by Mert Daş
Simple Payroll System With Dynamic Tax Bracket - SQL Injection
The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
by Yash Mahajan
CVSS 9.8
Cypress Solutions CTM-200 2.7.1 - Command Injection
Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the 'fw_url' parameter in the ctm-config-upgrade.sh script to inject and execute arbitrary commands with root privileges.
by LiquidWorm
CVSS 8.8
Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
by Hüseyin Serkan Balkanli
Simple Issue Tracker System 1.0 - SQLi Authentication Bypass
by Bekir Bugra TURKOGLU
Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass
by Blackhan
By Source