Text Exploits

31,341 exploits tracked across all sources.

EIP-2026-104372 EXPLOITDB text VERIFIED
Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)
by SunCSR
EIP-2026-112079 EXPLOITDB text
Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)
by Marco Catalano
EIP-2026-112078 EXPLOITDB text
Simple College Website 1.0 - 'full' Stored Cross Site Scripting
by Marco Catalano
EIP-2026-105772 EXPLOITDB text
Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)
by Marco Catalano
CVE-2021-3186 EXPLOITDB MEDIUM text
Tenda Ac5 Firmware - XSS
A Stored Cross-site scripting (XSS) vulnerability in /main.html Wifi Settings in Tenda AC5 AC1200 version V15.03.06.47_multi allows remote attackers to inject arbitrary web script or HTML via the Wifi Name parameter.
by Chiragh Arora
CVSS 5.4
CVE-2021-27129 EXPLOITDB MEDIUM text
Casap Automated Enrollment System - XSS
CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter.
by Richard Jones
CVSS 5.4
EIP-2026-109736 EXPLOITDB text
MyBB Timeline Plugin 1.0 - Persistent Cross-Site Scripting
by 0xB9
EIP-2026-109112 EXPLOITDB text
Library System 1.0 - 'category' SQL Injection
by Aitor Herrero
CVE-2021-3298 EXPLOITDB MEDIUM text
Collabtive 3.1 - XSS
Collabtive 3.1 allows XSS when an authenticated user enters an XSS payload into the address section of the profile edit page, aka the manageuser.php?action=edit address1 parameter.
by Deha Berkin Bir
CVSS 5.4
CVE-2021-3294 EXPLOITDB MEDIUM text
CASAP Automated Enrollment System 1.0 - XSS
CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website.
by Anita Gaud
CVSS 5.4
CVE-2025-34022 EXPLOITDB CRITICAL text
Selea Targa IP OCR-ANPR - Path Traversal
A path traversal vulnerability exists in multiple models of Selea Targa IP OCR-ANPR cameras, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The /common/get_file.php script in the “Download Archive in Storage” page fails to properly validate user-supplied input to the file parameter. Unauthenticated remote attackers can exploit this vulnerability to read arbitrary files on the device, including sensitive system files containing cleartext credentials, potentially leading to authentication bypass and exposure of system information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
by LiquidWorm
CVE-2025-34021 EXPLOITDB HIGH text
Selea Targa IP OCR-ANPR - SSRF
A server-side request forgery (SSRF) vulnerability exists in multiple Selea Targa IP OCR-ANPR camera models, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The application fails to validate user-supplied input in JSON POST parameters such as ipnotify_address and url, which are used by internal mechanisms to perform image fetch and DNS lookups. This allows remote unauthenticated attackers to induce the system to make arbitrary HTTP requests to internal or external systems, potentially bypassing firewall policies or conducting internal service enumeration. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-25 UTC.
by LiquidWorm
CVE-2021-47731 EXPLOITDB CRITICAL text
Selea Targa IP OCR-ANPR Camera - Info Disclosure
Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page. Attackers can exploit the hidden endpoint by using the hard-coded password 'Selea781830' to enable configuration upload and overwrite device settings.
by LiquidWorm
CVSS 9.8
CVE-2021-47729 EXPLOITDB MEDIUM text
Selea Targa IP OCR-ANPR Camera - XSS
Selea Targa IP OCR-ANPR Camera contains a stored cross-site scripting vulnerability in the 'files_list' parameter that allows attackers to inject malicious HTML and script code. Attackers can send a POST request to /cgi-bin/get_file.php with a crafted payload to execute arbitrary scripts in the victim's browser session.
by LiquidWorm
CVSS 5.4
CVE-2021-47727 EXPLOITDB MEDIUM text
Selea Targa IP OCR-ANPR Camera - Info Disclosure
Selea Targa IP OCR-ANPR Camera contains a vulnerability that allows remote attackers to access live video streams without authentication. Attackers can directly connect to RTP/RTSP or M-JPEG streams by requesting specific endpoints like p1.mjpg or p1.264 to view camera footage.
by LiquidWorm
CVSS 5.3
CVE-2020-36904 EXPLOITDB HIGH text
Selea CarPlateServer 4.0.1.6 - RCE
Selea CarPlateServer 4.0.1.6 contains a remote program execution vulnerability that allows attackers to execute arbitrary Windows binaries by manipulating the NO_LIST_EXE_PATH configuration parameter. Attackers can bypass authentication through the /cps/ endpoint and modify server configuration, including changing admin passwords and executing system commands.
by LiquidWorm
CVSS 7.5
CVE-2020-36903 EXPLOITDB HIGH text
Selea CarPlateServer 4.0.1.6 - Privilege Escalation
Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attackers can exploit the service's unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during application startup or reboot.
by LiquidWorm
CVSS 8.4
EIP-2026-110091 EXPLOITDB text
Online Documents Sharing Platform 1.0 - 'user' SQL Injection
by CANKAT ÇAKMAK
EIP-2026-109829 EXPLOITDB text
Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
by Matthew Aberegg
EIP-2026-105191 EXPLOITDB text
Apartment Visitors Management System 1.0 - 'email' SQL Injection
by CANKAT ÇAKMAK
EIP-2026-104375 EXPLOITDB text
Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS
by omurugur
CVE-2020-24881 EXPLOITDB CRITICAL text
Osticket < 1.14.3 - SSRF
SSRF exists in osTicket before 1.14.3, where an attacker can add a malicious file to the server or perform port scanning.
by Talat Mehmood
CVSS 9.8
CVE-2021-3137 EXPLOITDB MEDIUM text
Xwiki < 12.10.3 - XSS
XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.
by Karan Keswani
CVSS 5.4
EIP-2026-109122 EXPLOITDB text
Life Insurance Management System 1.0 - File Upload RCE (Authenticated)
by Aitor Herrero
EIP-2026-109121 EXPLOITDB text
Life Insurance Management System 1.0 - 'client_id' SQL Injection
by Aitor Herrero