Exploitdb Exploits

31,357 exploits tracked across all sources.

EIP-2026-107784 EXPLOITDB text VERIFIED
ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition / Information Disclosure
by YEnH4ckEr
CVE-2009-3598 EXPLOITDB text VERIFIED
ecardmax.com FormXP 2007 - Cross-Site Scripting via survey_result.php sid Parameter
Cross-site scripting (XSS) vulnerability in survey_result.php in eCardMAX FormXP 2007 allows remote attackers to inject arbitrary web script or HTML via the sid parameter.
by Moudi
CVE-2009-2557 EXPLOITDB text VERIFIED
Admin News Tools 2.5 - Path Traversal
Directory traversal vulnerability in system/download.php in Admin News Tools 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the fichier parameter.
by Securitylab.ir
CVE-2009-2558 EXPLOITDB text VERIFIED
Admin News Tools 2.5 - Unauthenticated News Message Posting via Direct Request
system/message.php in Admin News Tools 2.5 does not properly restrict access, which allows remote attackers to post news messages via a direct request.
by Securitylab.ir
CVE-2009-2535 EXPLOITDB text VERIFIED
Mozilla Firefox <2.0.0.19 & 3.x <3.0.5 - DoS
Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and Thunderbird allow remote attackers to cause a denial of service (memory consumption and application crash) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692.
by Thierry Zoller
CVE-2009-3823 EXPLOITDB text VERIFIED
Mobilelib GOLD 3.0 - Path Traversal via GLOBALS[page] Parameter
Directory traversal vulnerability in myhtml.php in Mobilelib GOLD 3.0, when magic_quotes_gpc is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the GLOBALS[page] parameter.
by Qabandi
EIP-2026-106749 EXPLOITDB text VERIFIED
eCardMAX - Multiple Cross-Site Scripting Vulnerabilities
by Moudi
EIP-2026-103239 EXPLOITDB text VERIFIED
Virtualmin < 3.703 - Multiple Local/Remote Vulnerabilities
by Filip Palian
CVE-2009-2925 EXPLOITDB text VERIFIED
DJCalendar - Path Traversal via TEMPLATE Parameter
Directory traversal vulnerability in DJcalendar.cgi in DJCalendar allows remote attackers to read arbitrary files via a .. (dot dot) in the TEMPLATE parameter.
by cibbao
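The three path traversal entries above (Admin News Tools fichier, Mobilelib GOLD GLOBALS[page], DJCalendar TEMPLATE) share one root cause: a request parameter is joined onto a base directory and opened with no check that the result stays inside it. The following is an added example, not code from any of those products or from the advisories. It shows the unsafe join beside a hardened resolver and a detection-side rule that survives URL encoding. BASE_DIR and the sample parameter values are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory for this example (the real applications' layout is
# not on the page); only files strictly below it may be served.
BASE_DIR = "/var/www/app/files"


def vulnerable_resolve(fichier: str) -> str:
    """The unsafe pattern behind all three advisories: the user-supplied value is
    joined onto the base directory with no check, so '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(BASE_DIR, fichier))


def safe_resolve(fichier: str):
    """Hardened form. Returns the path to open, or None if the request is refused.

    Normalise lexically, then require the result to sit *under* BASE_DIR. The
    check uses BASE_DIR + "/" so a sibling such as /var/www/app/files2 does not
    slip past a bare startswith(BASE_DIR). In a real handler, run the same check
    on os.path.realpath() of the candidate so a symlink cannot re-escape."""
    if "\x00" in fichier or posixpath.isabs(fichier):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, fichier))
    if not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


def looks_like_traversal(raw_value: str, max_decode: int = 3) -> bool:
    """Detection-side rule for logs or a WAF: percent-decode repeatedly (catching
    double-encoded %252e%252e%252f), fold backslashes, then flag a '..' segment
    or an absolute path in the parameter value."""
    value = raw_value
    for _ in range(max_decode):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    segments = value.replace("\\", "/").split("/")
    return ".." in segments or value.startswith("/")


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for fichier in ["news/2009.txt", "../../../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"]:
        print(f"{fichier!r:28} unsafe={vulnerable_resolve(fichier)!r} "
              f"safe={safe_resolve(fichier)!r} flagged={looks_like_traversal(fichier)}")
```

The still-encoded third sample passes safe_resolve, because the web server normally decodes it before the application sees it; the detection rule flags it anyway, which is why decoding in the rule matters more than in the resolver.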
CVE-2009-4750 EXPLOITDB text VERIFIED
Top Paidmailer - Remote Code Execution via home.php page Parameter
PHP remote file inclusion vulnerability in home.php in Top Paidmailer allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
by Moudi
EIP-2026-110051 EXPLOITDB text VERIFIED
onepound shop 1.x - 'products.php' SQL Injection
by Affix
CVE-2009-2593 EXPLOITDB text VERIFIED
Censura 1.16.04 - SQL Injection via itemid Parameter
SQL injection vulnerability in censura.php in Censura 1.16.04 allows remote attackers to execute arbitrary SQL commands via the itemid parameter in a details action.
by Vrs-hCk
EIP-2026-110640 EXPLOITDB text VERIFIED
PHP AdminPanel Free 1.0.5 - Remote File Disclosure
by Khashayar Fereidani
CVE-2009-2594 EXPLOITDB text VERIFIED
Censura 1.16.04 - Cross-Site Scripting via itemid Parameter
Cross-site scripting (XSS) vulnerability in censura.php in Censura 1.16.04 allows remote attackers to inject arbitrary web script or HTML via the itemid parameter in a details action.
by Vrs-hCk
CVE-2009-3752 EXPLOITDB text VERIFIED
Opial 1.0 - SQL Injection via genres_parent Parameter
SQL injection vulnerability in home.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the genres_parent parameter.
by LMaster
CVE-2009-3751 EXPLOITDB text VERIFIED
Opial 1.0 - Cross-Site Scripting via genres_parent Parameter
Cross-site scripting (XSS) vulnerability in home.php in Opial 1.0 allows remote attackers to inject arbitrary web script or HTML via the genres_parent parameter.
by LMaster
CVE-2009-3753 EXPLOITDB text VERIFIED
Opial 1.0 - Unauthenticated Arbitrary File Upload and Remote Code Execution via User Image
Unrestricted file upload vulnerability in Opial 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension as a User Image, then accessing it via a request to the file in userimages, related to register.php.
by LMaster
EIP-2026-108301 EXPLOITDB text VERIFIED
Joomla! Component com_category - 'catid' SQL Injection
by Prince_Pwn3r
CVE-2009-3712 EXPLOITDB text VERIFIED
Ebay Clone 2009 - SQL Injection via user_id or item_id Parameter
Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote attackers to execute arbitrary SQL commands via the (1) user_id parameter to feedback.php; and the item_id parameter to (2) view_full_size.php, (3) classifide_ad.php, and (4) crosspromoteitems.php.
by MizoZ
EIP-2026-106332 EXPLOITDB text VERIFIED
d.net CMS - Arbitrary Reinstall/Blind SQL Injection
by darkjoker
CVE-2009-2336 EXPLOITDB text VERIFIED
WordPress and WordPress MU < 2.8.1 - Username Enumeration via Forgotten Mail Interface
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
by Core Security
CVE-2009-2335 EXPLOITDB text VERIFIED
WordPress and WordPress MU < 2.8.1 - Username Enumeration via Failed Login Behavior
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
by Core Security
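Both WordPress entries describe the same class of oracle: a response that depends on whether the account exists. The following is an added example, not WordPress code or Core Security's advisory material. It models the leaky login and forgotten-mail handlers beside uniform-response versions, and a tester-side check that tells the two apart. The credential store, salt, iteration count and the messages are constructed for the example.

```python
import hashlib
import hmac

# Constructed credential store for this example; not WordPress code or data.
_ITERATIONS = 20_000
_SALT = b"constructed-example-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"admin": _hash("correct horse battery staple")}
# A dummy digest so a request for an unknown user still performs one full hash.
_DUMMY_DIGEST = _hash("dummy-password-never-accepted")


def login_leaky(username: str, password: str) -> tuple:
    """The failed-login oracle: the failure text differs by cause."""
    if username not in USERS:
        return (False, "Invalid username")
    if not hmac.compare_digest(_hash(password), USERS[username]):
        return (False, "Incorrect password")
    return (True, "Welcome")


def login_uniform(username: str, password: str) -> tuple:
    """Hardened: one failure message, and the same hashing work whether or not
    the username exists, so neither text nor timing separates the two cases."""
    digest = USERS.get(username, _DUMMY_DIGEST)
    matches = hmac.compare_digest(_hash(password), digest)  # always computed
    if not (matches and username in USERS):
        return (False, "Invalid username or password")
    return (True, "Welcome")


def reset_leaky(username: str) -> str:
    """The forgotten-mail oracle."""
    if username not in USERS:
        return "There is no user registered with that name."
    return "Check your e-mail for the confirmation link."


def reset_uniform(username: str) -> str:
    """Hardened: the same acknowledgement for every name; any e-mail goes out
    of band, so the page itself reveals nothing about the account."""
    _ = USERS.get(username)  # lookup still happens; the response ignores it
    return "If an account with that name exists, a reset link has been e-mailed."


def is_enumeration_oracle(responder, known_user: str, probe_user: str, *extra) -> bool:
    """Tester-side check: a responder is an oracle when a known-valid name and a
    made-up name yield different responses for the same (wrong) input."""
    return responder(known_user, *extra) != responder(probe_user, *extra)


if __name__ == "__main__":
    for name, fn, args in [("login_leaky", login_leaky, ("wrong",)),
                           ("login_uniform", login_uniform, ("wrong",)),
                           ("reset_leaky", reset_leaky, ()),
                           ("reset_uniform", reset_uniform, ())]:
        print(f"{name:14} oracle={is_enumeration_oracle(fn, 'admin', 'nosuchuser', *args)}")
```

The check compares whole responses, so it also catches a differing status code or redirect; in practice you would additionally compare response timing, which is why the uniform login hashes even for unknown users.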
CVE-2009-3759 EXPLOITDB HIGH text VERIFIED
Citrix XenCenterWeb - Cross-Site Request Forgery via Password Change or VM Stop
Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to config/changepw.php or (2) stop a virtual machine via the stop_vmname parameter to hardstopvm.php. NOTE: some of these details are obtained from third party information.
by Secure Network
CVSS 8.8
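The XenCenterWeb CSRF entry describes a state-changing request (changepw.php, hardstopvm.php) guarded only by the administrator's session cookie. The following is an added example, not Citrix code or the Secure Network advisory. It shows that pattern beside a handler that adds an origin check and a per-session synchronizer token compared in constant time. SITE_ORIGIN, the session and form dictionaries, and the status codes are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the admin site for this example; not from the advisory.
SITE_ORIGIN = "https://admin.example"


def issue_csrf_token(session: dict) -> str:
    """Generate a per-session token; the page embeds it in every state-changing form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def changepw_vulnerable(session: dict, form: dict) -> int:
    """The pattern behind the advisory: the logged-in session is the only check,
    so a cross-site form post submitted by the admin's browser changes the password."""
    if "user" not in session:
        return 401
    session["password"] = form["password"]
    return 200


def _same_origin(headers: dict) -> bool:
    """Compare scheme://host of Origin (Referer as fallback) with SITE_ORIGIN.
    A plain startswith() would accept https://admin.example.attacker.test."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def changepw_protected(session: dict, form: dict, headers: dict) -> int:
    """Hardened: session auth, origin check, and a synchronizer token compared in
    constant time. Any missing piece is a 403 and the password is untouched."""
    if "user" not in session:
        return 401
    if not _same_origin(headers):
        return 403
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    session["password"] = form["password"]
    return 200


if __name__ == "__main__":
    # Constructed admin session and a forged cross-site post.
    session = {"user": "admin", "password": "old"}
    print("vulnerable:", changepw_vulnerable(session, {"password": "pwned"}), session["password"])
    session = {"user": "admin", "password": "old"}
    print("protected, forged:", changepw_protected(
        session, {"password": "pwned"}, {"Origin": "https://attacker.test"}), session["password"])
    token = issue_csrf_token(session)
    print("protected, genuine:", changepw_protected(
        session, {"password": "new", "csrf_token": token}, {"Origin": SITE_ORIGIN}), session["password"])
```

The same two checks apply unchanged to the stop_vmname request: the token must be tied to the session, never to a value the attacker can read from the URL.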
CVE-2009-3758 EXPLOITDB text VERIFIED
Citrix XenCenterWeb - SQL Injection via login.php Username Parameter
SQL injection vulnerability in login.php in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information.
by Secure Network
CVE-2009-3757 EXPLOITDB text VERIFIED
Citrix XenCenterWeb - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to config/edituser.php; (2) location, (3) sessionid, and (4) vmname parameters to console.php; (5) vmrefid and (6) vmname parameters to forcerestart.php; and (7) vmname and (8) vmrefid parameters to forcesd.php. NOTE: some of these details are obtained from third party information.
by Secure Network