Text Exploits
31,386 exploits tracked across all sources.
GeoVision GeoWebServer 5.3.3 - Path Traversal and Remote Code Execution via WebStrings.srf Endpoint
GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access system files and execute malicious scripts.
by Ken Pyle
CVSS 6.2
SonicWall NetExtender <10.2.300 - Privilege Escalation
The SonicWall NetExtender Windows client is vulnerable to an unquoted service path vulnerability, which allows a local attacker to gain elevated privileges in the host operating system. This vulnerability impacts SonicWall NetExtender Windows client version 10.2.300 and earlier.
by shinnai
CVSS 5.3
Simple Water Refilling Station Management System 1.0 - SQL Injection
SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter.
by Matt Sorrell
CVSS 9.8
COMMAX Smart Home System - Info Disclosure
COMMAX Smart Home System is a smart IoT home solution that allows an unauthenticated attacker to disclose RTSP credentials in plain-text by exploiting the /overview.asp endpoint. Attackers can access sensitive information, including login credentials and DVR settings, by submitting a GET request to this endpoint.
by LiquidWorm
COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Unauthenticated Denial of Service via setconf Endpoint
COMMAX Smart Home System allows an unauthenticated attacker to change configuration and cause denial-of-service through the setconf endpoint. Attackers can trigger a denial-of-service scenario by sending a malformed request to the setconf endpoint.
by LiquidWorm
COMMAX Smart Home System CDP-1020n - SQL Injection
COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'. Attackers can exploit this by sending a POST request with malicious 'id' values to manipulate database queries and gain unauthorized access.
by LiquidWorm
COMMAX CVD-Axx DVR 5.1.4 - Info Disclosure
COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclose the RTSP stream. Attackers can exploit this by sending a POST request with the 'passkey' parameter set to '1234', allowing them to access the web control panel.
by LiquidWorm
COMMAX Biometric Access Control System 1.0.0 - Auth Bypass
COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting cookie poisoning. Attackers can forge cookies to bypass authentication and disclose sensitive information.
by LiquidWorm
CentOS Web Panel 0.9.8.1081 - Stored Cross-Site Scripting (XSS)
by Dinesh Mohanty
NetGear D1500 V1.0.0.21_1.0.1PE - 'Wireless Repeater' Stored Cross-Site Scripting (XSS)
by Securityium
Care2x Hospital Information Management 2.7 Alpha - XSS
Stored cross-site scripting (XSS) vulnerability in Care2x Hospital Information Management 2.7 Alpha. The vulnerability was found in POST requests to the /modules/registration_admission/patient_register.php page via the "name_middle", "addr_str", "station", "name_maiden", "name_2", and "name_3" parameters.
by securityforeveryone.com
CVSS 5.4
Simple Image Gallery System 1.0 - 'id' SQL Injection
by Azumah Foresight Xorlali
Police Crime Record Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
by Ömer Hasan Durmuş
Police Crime Record Management System 1.0 - 'casedetails' SQL Injection
by Ömer Hasan Durmuş
4images 1.8 - 'limitnumber' SQL Injection (Authenticated)
by Andrey Stoykov
COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection
by Ashish Upsham
Altova MobileTogether Server < 7.3 SP1 - XML External Entity Injection via Workflow Management Endpoint
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.
by RedTeam Pentesting GmbH
CVSS 9.1
WordPress Picture Gallery 1.4.2 Stored XSS via Edit Content URL
WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access Control settings. Attackers can enter JavaScript payloads in the plugin options that are stored in the database and executed when the functionality is triggered, enabling session hijacking or credential theft.
by Aryan Chehreghani
CVSS 6.4
CIR 2000 / Gestionale Amica Prodigy v1.7 - Privilege Escalation
A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy's executable "RemoteBackup.Service.exe" has incorrect permissions, allowing a local unprivileged user to replace it with a malicious file that will be executed with "LocalSystem" privileges.
by Andrea Intilangelo
CVSS 7.8
Simple Library Management System 1.0 - 'rollno' SQL Injection
by Halit AKAYDIN
Xiaomi Stock Browser 10.2.4.g - Unauthenticated Information Disclosure via Content Provider Injection
Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query content://com.android.browser.searchhistory/searchhistory request.
by Vishwaraj Bhattrai
CVSS 5.3
CMSuno 1.7 - Authenticated Stored Cross-Site Scripting via Theme Filename Parameter
CMSuno 1.7 is vulnerable to authenticated stored cross-site scripting via the theme filename parameter (tgo) when updating the theme.
by splint3rsec
CVSS 5.4
WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)
by Aryan Chehreghani