Text Exploits

31,386 exploits tracked across all sources.

CVE-2021-47968 EXPLOITDB MEDIUM text
Podcast Generator 3.1 Persistent Cross-Site Scripting via long_description
Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description parameter. Attackers can inject script tags through episode creation or editing requests to execute arbitrary JavaScript when other users view the episode details.
by Ayşenur KARAASLAN
CVSS 6.4
CVE-2021-33371 EXPLOITDB MEDIUM text
Student Management System v1.0 - XSS
A stored cross-site scripting (XSS) vulnerability in /nav_bar_action.php of Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat box.
by mohsen khashei
CVSS 5.4
EIP-2026-106419 EXPLOITDB text
Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)
by Mesut Cetin
EIP-2026-106417 EXPLOITDB text
Dental Clinic Appointment Reservation System 1.0 - 'date' UNION based SQL Injection (Authenticated)
by Mesut Cetin
CVE-2021-31721 EXPLOITDB MEDIUM text
Chevereto < 3.17.1 - Cross-Site Scripting via Image Title Upload
Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via an image title at the image upload stage.
by Akıner Kısa
CVSS 6.1
EIP-2026-117716 EXPLOITDB text
Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path
by 1F98D
CVE-2020-37250 EXPLOITDB HIGH text
TFTP Broadband 4.3.0.1465 Unquoted Service Path Privilege Escalation
TFTP Broadband 4.3.0.1465 contains an unquoted service path vulnerability in the tftpt.exe service binary that allows local attackers to execute arbitrary code with system privileges. Attackers can place a malicious executable in the Program Files directory path that will be executed during service startup or system reboot with LocalSystem privileges.
by Erick Galindo
CVSS 7.8
CVE-2021-47967 EXPLOITDB MEDIUM text
PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers.
by Tyler Butler
CVSS 6.1
CVE-2021-47829 EXPLOITDB HIGH text
DHCP Broadband 4.1.0.1503 - Code Injection
DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerability in its service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files\DHCP Broadband 4\dhcpt.exe' to inject malicious code that will execute during service startup with LocalSystem permissions.
by Erick Galindo
CVSS 7.8
CVE-2021-47828 EXPLOITDB HIGH text
BOOTP Turbo <2.0.0.1253 - Code Injection
BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot.
by Erick Galindo
CVSS 7.8
EIP-2026-107673 EXPLOITDB text
Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)
by Reza Afsahi
CVE-2021-47966 EXPLOITDB HIGH text
PHP Timeclock 1.04 SQL Injection via login.php
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allow unauthenticated attackers to extract database contents. Attackers can submit crafted POST requests with SQL payloads using SLEEP functions or RLIKE conditional statements to dump sensitive database information including employee names and credentials.
by Tyler Butler
CVSS 8.2
CVE-2021-47833 EXPLOITDB HIGH text
WifiHotSpot 1.0.0.0 - Code Injection
WifiHotSpot 1.0.0.0 contains an unquoted service path vulnerability in its WifiHotSpotService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.
by Erick Galindo
CVSS 7.8
CVE-2021-47739 EXPLOITDB HIGH text
Epic Games Easy Anti-Cheat 4.0 - Code Injection
Epic Games Easy Anti-Cheat 4.0 contains an unquoted service path vulnerability that allows local non-privileged users to execute arbitrary code with elevated system privileges. Attackers can exploit the service configuration by inserting malicious code in the system root path that would execute with LocalSystem privileges during application startup.
by LiquidWorm
CVSS 8.4
EIP-2026-117890 EXPLOITDB text
Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path
by Erick Galindo
EIP-2026-117133 EXPLOITDB text
Epic Games Rocket League 1.95 - Stack Buffer Overrun
by LiquidWorm
EIP-2026-113148 EXPLOITDB text
Voting System 1.0 - Remote Code Execution (Unauthenticated)
by secure77
EIP-2026-113146 EXPLOITDB text
Voting System 1.0 - Authentication Bypass (SQLI)
by secure77
CVE-2021-47965 EXPLOITDB CRITICAL text
WordPress Plugin WP Super Edit 2.5.4 Unrestricted File Upload
WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. Attackers can upload arbitrary files through the filemanager upload endpoint to achieve remote code execution and complete system compromise.
by h4shur
CVSS 9.8
CVE-2021-47964 EXPLOITDB HIGH text
Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanager
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the packageinfo.inc file and trigger execution by accessing the About tab of the installed extension.
by Eren Saraç
CVSS 8.8
CVE-2021-47834 EXPLOITDB MEDIUM text
Schlix CMS 2.2.6-6 - Authenticated Stored Cross-Site Scripting in Category Title
Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users.
by Emircan Baş
CVSS 6.4
CVE-2021-47962 EXPLOITDB MEDIUM text
Savsoft Quiz 5.0 Persistent Cross-Site Scripting via User Settings
Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edit_user endpoint, which execute in the browsers of users viewing the affected profile after submission.
by strider
CVSS 6.4
EIP-2026-114701 EXPLOITDB text
GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration
by 4D0niiS
EIP-2026-113149 EXPLOITDB text
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)
by Syed Sheeraz Ali
CVE-2019-3810 EXPLOITDB MEDIUM text
Moodle 3.1.0-3.1.15 3.6.0-3.6.1 - Cross-Site Scripting in User Profile Image Hover Text
A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.
by Fariskhi Vidyan
CVSS 6.1