Exploitdb Exploits

31,369 exploits tracked across all sources.

CVE-2009-4672 EXPLOITDB text VERIFIED
WP-Lytebox 1.3 - Path Traversal via pg Parameter
Directory traversal vulnerability in main.php in the WP-Lytebox plugin 1.3 for WordPress allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pg parameter.
by TurkGuvenligi
CVE-2009-4666 EXPLOITDB text VERIFIED
Webradev Download Protect 1.0 - RCE
Multiple PHP remote file inclusion vulnerabilities in Webradev Download Protect 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[RootPath] parameter to (1) Framework/EmailTemplates.class.php, (2) Customers/PDPEmailReplaceConstants.class.php, and (3) Admin/ResellersManager.class.php in includes/DProtect/.
by asL-Sabia
CVE-2009-4667 EXPLOITDB text VERIFIED
WebMember 1.0 - Authenticated SQL Injection via formID Parameter
SQL injection vulnerability in form.php in WebMember 1.0 allows remote authenticated users to execute arbitrary SQL commands via the formID parameter.
by KIM
EIP-2026-113025 EXPLOITDB text VERIFIED
vBulletin vbBux/vbPlaza 2.x - 'vbplaza.php' Blind SQL Injection
by Cold Zero
CVE-2009-4671 EXPLOITDB text VERIFIED
RoomPHPlanning 1.6 - Unauthenticated Authentication Bypass via Cookie Manipulation
Login.php in RoomPHPlanning 1.6 allows remote attackers to bypass authentication and obtain administrative access by setting the room_phplanning cookie to a value associated with the admin account.
by ThE g0bL!N
CVE-2009-1850 EXPLOITDB text VERIFIED
phpBugTracker 1.0.3 - SQL Injection via Password Parameter
SQL injection vulnerability in index.php in phpBugTracker 1.0.3 allows remote attackers to execute arbitrary SQL commands via the password parameter.
by ByALBAYX
CVE-2009-1852 EXPLOITDB text VERIFIED
Graphiks MyForum 1.3 - SQL Injection via Username or Password Field
Multiple SQL injection vulnerabilities in Graphiks MyForum 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields.
by ThE g0bL!N
EIP-2026-109765 EXPLOITDB text VERIFIED
MyFirstCMS 1.0.2 - Arbitrary File Delete
by darkjoker
CVE-2009-4673 EXPLOITDB text VERIFIED
Mole Group Adult Portal Script - SQL Injection
SQL injection vulnerability in profile.php in Mole Group Adult Portal Script allows remote attackers to execute arbitrary SQL commands via the user_id parameter.
by Qabandi
EIP-2026-109489 EXPLOITDB text VERIFIED
minitwitter 0.3-beta - SQL Injection / Cross-Site Scripting
by YEnH4ckEr
CVE-2009-1853 EXPLOITDB text VERIFIED
Kensei Board < 2.0.0b - SQL Injection via f and t Parameters
Multiple SQL injection vulnerabilities in index.php in Kensei Board 2.0 BETA (aka 2.0.0b) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) f and (2) t parameters in a showforum action.
by cOndemned
EIP-2026-108520 EXPLOITDB text VERIFIED
Joomla! Component com_rsgallery2 1.14.x/2.x - Remote Backdoor Access
by Jan Van Niekerk
EIP-2026-108258 EXPLOITDB text VERIFIED
Joomla! Component Com_Agora 3.0.0 RC1 - Arbitrary File Upload
by ByALBAYX
CVE-2009-2290 EXPLOITDB text VERIFIED
Boy Scout Advancement <0.3 - SQL Injection
SQL injection vulnerability in the Boy Scout Advancement (com_bsadv) component 0.3 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a (1) account or (2) event task to index.php.
by YEnH4ckEr
EIP-2026-107113 EXPLOITDB text VERIFIED
Flash Image Gallery 1.1 - Arbitrary Configuration File Disclosure
by DarkbiteX
EIP-2026-107015 EXPLOITDB text VERIFIED
eZoneScripts Hotornot2 Script - (Authentication Bypass) Multiple Remote Vulnerabilities
by sniper code
CVE-2009-1960 EXPLOITDB text VERIFIED
DokuWiki 2009-02-14, rc2009-02-06, rc2009-01-30 - Remote Code Execution via config_cascade Parameter
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
by Nine:Situations:Group
CVE-2009-1960 EXPLOITDB text VERIFIED
DokuWiki 2009-02-14, rc2009-02-06, rc2009-01-30 - Remote Code Execution via config_cascade Parameter
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
by girex
CVE-2009-2302 EXPLOITDB text VERIFIED
Aardvark Topsites PHP <= 5.2.1 - Cross-Site Scripting via Search q Parameter
Cross-site scripting (XSS) vulnerability in index.php in Aardvark Topsites PHP 5.2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the q parameter in a search action. NOTE: it was later reported that 5.2.1 is also affected.
by anonymous
EIP-2026-103970 EXPLOITDB text VERIFIED
Lighttpd < 1.4.23 (BSD/Solaris) - Source Code Disclosure
by venatir
CVE-2009-0689 EXPLOITDB text VERIFIED
K-Meleon 1.5.3 - Heap-Based Buffer Overflow via Large Precision Value in printf Format Argument
Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.
by Maksymilian Arciemowicz
EIP-2026-101457 EXPLOITDB text VERIFIED
SonicWALL Global VPN Client 4.0 - Log File Remote Format String
by lofi42
CVE-2009-4665 EXPLOITDB text VERIFIED
CuteSoft Components Cute Editor - Path Traversal
Directory traversal vulnerability in CuteSoft_Client/CuteEditor/Load.ashx in CuteSoft Components Cute Editor for ASP.NET allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
by Securitylab.ir
CVE-2009-2289 EXPLOITDB text VERIFIED
arcade_trade_script 1.0 beta - Cross-Site Scripting via q Parameter in gamelist Action
Cross-site scripting (XSS) vulnerability in index.php in Arcade Trade Script 1.0 beta allows remote attackers to inject arbitrary web script or HTML via the q parameter in a gamelist action.
by SmOk3
CVE-2009-1203 EXPLOITDB text VERIFIED
Cisco Adaptive Security Appliance - Credential Phishing via WebVPN Login Screen Spoofing
WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 does not properly distinguish its own login screen from the login screens it produces for third-party (1) FTP and (2) CIFS servers, which makes it easier for remote attackers to trick a user into sending WebVPN credentials to an arbitrary server via a URL associated with that server, aka Bug ID CSCsy80709.
by David Byrne