Text Exploits
31,386 exploits tracked across all sources.
Epson USB Display <1.6.0.0 - Privilege Escalation
Epson USB Display 1.6.0.0 registers the EMP_UDSA service with an unquoted binary path and runs it as LocalSystem. Because the path is not quoted, the Service Control Manager tries each space-delimited prefix of the path as an executable before reaching the real one; a local attacker with write access to any of those intermediate directories can plant an executable there that is launched as LocalSystem the next time the service starts.
by Hector Gerbacio
CVSS 7.8
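The entry above describes the generic unquoted service path mechanism. The following is an added example (not code from the advisory or from Epson) that models how CreateProcess re-splits an unquoted ImagePath, lists the directories an attacker would need write access to, and audits a constructed set of service records; the service names and paths are hypothetical stand-ins, not the real EMP_UDSA path:

```python
import ntpath

# Constructed sample of service records, shaped like what you would read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or `sc qc <name>`.
# Names and paths are hypothetical; they are not taken from the Epson advisory.
SAMPLE_SERVICES = [
    {"name": "UsbDisplaySvc", "account": "LocalSystem",
     "image_path": r"C:\Program Files\Vendor\USB Display\udsa_svc.exe"},
    {"name": "QuotedSvc", "account": "LocalSystem",
     "image_path": r'"C:\Program Files\Vendor\Good Service\good.exe" -k svc'},
    {"name": "NoSpacesSvc", "account": "LocalSystem",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def candidate_executables(image_path: str) -> list[str]:
    r"""Return the files CreateProcess would try, in order, for a service path.

    A quoted path is unambiguous. An unquoted path containing spaces is
    re-split at every space: for C:\Program Files\Sub Dir\Name.exe the loader
    tries C:\Program.exe, then C:\Program Files\Sub.exe, then
    C:\Program Files\Sub Dir\Name.exe, and runs the first one that exists.
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end > 0 else path[1:]]
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if cand.lower().endswith(".exe"):
            candidates.append(cand)
            break                          # the real binary; later tokens are arguments
        candidates.append(cand + ".exe")   # CreateProcess appends .exe when no extension
    return candidates


def hijack_directories(image_path: str) -> list[str]:
    """Directories where a planted executable would shadow the real binary."""
    cands = candidate_executables(image_path)
    return [ntpath.dirname(c) for c in cands[:-1]]


def audit_services(services: list[dict]) -> list[dict]:
    """Report services whose ImagePath lets an earlier prefix be hijacked."""
    findings = []
    for svc in services:
        dirs = hijack_directories(svc["image_path"])
        if dirs:
            findings.append({"name": svc["name"], "account": svc["account"],
                             "writable_targets": dirs})
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        print(f"{finding['name']} ({finding['account']}): "
              f"check ACLs on {finding['writable_targets']}")
```

The static split only tells you which directories matter; whether the finding is exploitable depends on whether a non-administrator can create files in one of them (for example, `icacls` on each reported directory), and on the service being restartable or started at boot.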
Sourcecodester Car Rental Management System 1.0 - XSS
Sourcecodester Car Rental Management System 1.0 is vulnerable to cross-site scripting (XSS) via the vehicalorcview parameter.
by Naved Shaikh
CVSS 5.4
Adobe Connect <11.4.5, 12.1.5 - Auth Bypass
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction.
by h4shur
CVSS 5.3
WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion
Supsystic Backup 2.3.9 contains a local file inclusion (path traversal) vulnerability: the download path parameter in admin.php requests is not sanitized, so unauthenticated attackers can supply directory traversal sequences to read arbitrary files such as /etc/passwd, and the removeAction parameter can be abused the same way to delete arbitrary files.
by Erik David Martin
CVSS 6.2
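Both the read and the delete path in the entry above come down to the same missing check: the requested name is joined onto a base directory without confirming the result still lies inside it. The following is an added example, not the plugin's code, showing a containment check that resolves the joined path first and then serves or deletes only files under the base; the backup directory, file name and request list are constructed for the run:

```python
import tempfile
from pathlib import Path


class PathTraversal(ValueError):
    pass


def resolve_inside(base_dir: str, requested: str) -> Path:
    """Map a user-supplied path onto base_dir, or raise PathTraversal.

    Resolution happens after joining, so '..' segments, absolute paths and
    symlinks are all evaluated before the containment test.
    """
    if "\x00" in requested:
        raise PathTraversal("NUL byte in requested path")
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()   # an absolute `requested` replaces base here
    if target != base and base not in target.parents:
        raise PathTraversal(f"{requested!r} escapes {base}")
    return target


def handle(base_dir: str, requested: str, action: str) -> str:
    """Serve ('download') or delete ('remove') a file inside base_dir."""
    try:
        target = resolve_inside(base_dir, requested)
    except PathTraversal:
        return "rejected"
    if not target.is_file():
        return "missing"
    if action == "download":
        target.read_bytes()        # a real handler would stream this to the client
        return "served"
    if action == "remove":
        target.unlink()
        return "deleted"
    return "bad-action"


def demo() -> dict[str, str]:
    """Constructed backup directory plus a set of requests, for a self-contained run."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp) / "backups"
        backups.mkdir()
        (backups / "site-2024-01-01.zip").write_bytes(b"PK\x03\x04")   # constructed archive
        requests = [
            ("site-2024-01-01.zip", "download"),          # legitimate
            ("sub/../site-2024-01-01.zip", "download"),   # normalises back inside base
            ("../../../../etc/passwd", "download"),       # traversal out of base
            ("/etc/passwd", "download"),                  # absolute path
            ("../../../../etc/passwd", "remove"),         # the removeAction variant
            ("site-2024-01-01.zip", "remove"),            # legitimate delete
        ]
        return {f"{action}:{name}": handle(str(backups), name, action)
                for name, action in requests}


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{outcome:9} {request}")
```

The check assumes the web layer has already URL-decoded the parameter once; decoding again inside the handler would turn a literal `%2e%2e` file name into a traversal sequence, so decode exactly once, at the edge.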
WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS
Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited.
by Erik David Martin
CVSS 7.5
WordPress Plugin Supsystic Membership 1.4.7 SQL Injection via sidx
Supsystic Membership 1.4.7 contains an SQL injection vulnerability in the badges module: the 'search' and 'sidx' GET parameters are concatenated into the query, so unauthenticated attackers can inject arbitrary SQL and extract database contents using time-based blind or UNION-based techniques.
by Erik David Martin
CVSS 8.2
WordPress Plugin Supsystic Pricing Table 1.8.7 SQL Injection XSS
Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and 'Edit HTML' fields that execute malicious scripts when viewing pricing tables.
by Erik David Martin
CVSS 8.2
WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx
Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL by injecting it through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information.
by Erik David Martin
CVSS 8.2
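The three Supsystic 'sidx' entries above (Membership, Pricing Table, Ultimate Maps) share one root cause: a sort-column name from the request is concatenated into ORDER BY, where parameter binding cannot help. The following is an added example, not the plugins' code, built on an in-memory SQLite stand-in for the WordPress database: a vulnerable listing function in the getListForTbl style, a boolean-based blind oracle driven purely through the ORDER BY position, and the hardened version that allowlists identifiers and binds the 'search' value. The tables, rows and the `user_pass` value are constructed placeholders:

```python
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    """Constructed schema; the hash string is a made-up placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE maps(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO maps VALUES (1, 'Zurich'), (2, 'Berlin'), (3, 'Madrid');
        CREATE TABLE wp_users(ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakeHashValue0');
    """)
    return conn


def list_vulnerable(conn, search: str, sidx: str, sord: str = "ASC") -> list[int]:
    """Both the filter value and the sort column are concatenated (the bug)."""
    sql = (f"SELECT id, title FROM maps WHERE title LIKE '%{search}%' "
           f"ORDER BY {sidx} {sord}")
    return [row[0] for row in conn.execute(sql)]


ID_ORDER = [1, 2, 3]   # ORDER BY id; ORDER BY title gives [2, 3, 1] instead


def oracle(conn, condition: str) -> bool:
    """Boolean-based blind probe: the CASE sorts by id when `condition` holds."""
    sidx = f"(CASE WHEN ({condition}) THEN id ELSE title END)"
    return list_vulnerable(conn, "", sidx) == ID_ORDER


CHARSET = string.ascii_letters + string.digits + "$./"


def extract_blind(conn, table: str, column: str, length: int) -> str:
    """Recover the first `length` characters of a value one comparison at a time."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            cond = f"(SELECT substr({column}, {pos}, 1) FROM {table} LIMIT 1) = '{ch}'"
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break   # character outside CHARSET; stop rather than guess
    return recovered


SORTABLE_COLUMNS = {"id": "id", "title": "title"}   # sidx must name one of these


def list_hardened(conn, search: str, sidx: str, sord: str = "ASC") -> list[int]:
    """Identifiers come from an allowlist; the value is bound as a parameter."""
    column = SORTABLE_COLUMNS.get(sidx)
    if column is None:
        raise ValueError(f"unsupported sort column: {sidx!r}")
    direction = "DESC" if sord.upper() == "DESC" else "ASC"
    sql = f"SELECT id, title FROM maps WHERE title LIKE ? ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql, (f"%{search}%",))]


def hardened_rejects(conn, sidx: str) -> bool:
    """True when the hardened listing refuses the given sidx value."""
    try:
        list_hardened(conn, "", sidx)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("blind extraction via ORDER BY:", extract_blind(db, "wp_users", "user_pass", 8))
    print("hardened rejects CASE payload:",
          hardened_rejects(db, "(CASE WHEN (1=1) THEN id ELSE title END)"))
```

The oracle needs no error messages and no timing: it only compares the order of the rows it is allowed to see, which is why a sort parameter is as dangerous as a WHERE clause value. On MySQL the same idea works with `IF(cond, id, title)` in place of `CASE`.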
YetiShare File Hosting Script 5.1.0 - SSRF
YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability in the remote file upload feature: the url parameter of the url_upload_handler endpoint accepts a file:/// URL, so an attacker can make the server read local files such as /etc/passwd instead of fetching a remote resource.
by numan türle
CVSS 4.0
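A remote-upload feature like the one above needs to decide, before fetching, whether the URL points somewhere the server should be allowed to reach. The following is an added example, not YetiShare code, of such a check: it restricts the scheme to http/https (so file:/// is rejected outright), then resolves the host and refuses loopback, private, link-local and IPv4-mapped addresses. The resolver is injectable so the example runs offline against a constructed DNS table with hypothetical names:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname with the OS resolver (used outside the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS answers so the example runs offline; the names are hypothetical.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS[host]   # KeyError for unknown names, like a failed lookup


def _is_disallowed(addr) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 checks apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_remote_url(url: str, resolve=system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied fetch URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, KeyError, ValueError):
            return False, f"cannot resolve {host!r}"
    if not addrs:
        return False, f"{host!r} has no addresses"
    for addr in addrs:                                # every answer must be acceptable
        if _is_disallowed(addr):
            return False, f"{host!r} resolves to disallowed address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["file:///etc/passwd", "http://169.254.169.254/latest/meta-data/",
                      "https://cdn.example.com/archive.zip", "http://rebind.attacker.test/"]:
        print(candidate, "->", validate_remote_url(candidate, resolve=fake_resolver))
```

Validation at request time is only half the control: if the fetch later performs its own DNS lookup, a rebinding host can answer differently the second time. Connect to the address that passed the check (or pin it), and apply the same check to every redirect target.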
MDaemon Webmail < 20.0.1 - Stored Cross-Site Scripting in File Attachment Field
Stored cross-site scripting (XSS) in the file attachment field of MDaemon Webmail 19.5.5 allows an attacker to execute script in the recipient's browser when the recipient forwards the email, enabling further malicious activity in that session.
by Kailash Bohara
CVSS 5.4
MDaemon Webmail < 20.0.1 - Authenticated Stored Cross-Site Scripting in Contact Name Field
Authenticated stored cross-site scripting (XSS) in the contact name field of distribution lists in MDaemon Webmail 19.5.5 allows an attacker to execute script in another user's browser when that user opens the contact list.
by Kailash Bohara
CVSS 5.4
Millewin 13.39.028 13.39.28.3342 13.39.146.1 - Local Privilege Escalation via Insecure Folder Permissions
Millennium Millewin (also known as "Cartella clinica") 13.39.028, 13.39.28.3342, and 13.39.146.1 has insecure folder permissions that allow a local user to escalate privileges.
by Andrea Intilangelo
CVSS 8.8
AMD Fuel Service - 'Fuel.service' Unquoted Service Path
by Hector Gerbacio
WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection
by Erik David Martin
WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection
by Erik David Martin
WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities
by Erik David Martin
WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities
by Erik David Martin
SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS
by LiquidWorm
Jenzabar 9.2.0-9.2.2 - Cross-Site Scripting via Search Query Parameter
Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS.
by y0ung_dst
CVSS 6.1
SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution
by LiquidWorm
SmartFoxServer 2X 2.17.0 - Credentials Disclosure
by LiquidWorm
LiteSpeed Web Server Enterprise 5.4.11 - Command Injection
LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash command injection.
by SunCSR
CVSS 8.8
PHPGurukul Student Record System 4.0 - SQL Injection via edit-course.php cid Parameter
SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the cid parameter to edit-course.php.
by Jannick Tiger
CVSS 8.8
ICREM H8 SSRMS - Insecure Direct Object Reference via Print Invoice Functionality
Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.
by Mohammed Farhan
CVSS 6.5
MyBB Delete Account Plugin 1.4 - XSS
MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons.
by 0xB9
CVSS 6.1
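The stored XSS entries on this page (the MDaemon attachment and contact name fields, the Supsystic Digital Publications and Pricing Table settings, the Sourcecodester and MyBB inputs) all involve an attacker-controlled string written back into a page later. The following is an added example, not code from any of those products, showing why the fix is output encoding chosen per context: HTML escaping for text and attribute positions, and a JavaScript-string encoder for inline script that also neutralises `</script>`, which `json.dumps` alone leaves intact. The payloads and the row template are constructed for the demonstration:

```python
import html
import json

# Constructed stored values, as an attacker could set an attachment filename
# or a distribution-list contact name.
PAYLOAD_HTML = '<img src=x onerror=alert(1)>'
PAYLOAD_SCRIPT_BREAKOUT = '</script><script>alert(1)</script>'


def for_html_text(value: str) -> str:
    """Encode for an HTML text node or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def for_js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside an inline <script>.

    json.dumps handles quotes, backslashes and control characters, but the
    HTML parser scans raw script text for '</script' before any JavaScript
    runs, so '<', '>' and '&' are additionally written as \\u escapes.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_naive(name: str) -> str:
    """Plain concatenation, no output encoding (the vulnerable pattern)."""
    return (f'<tr><td>{name}</td><td><a href="#" title="{name}">open</a></td></tr>\n'
            f'<script>var attachmentName = "{name}";</script>')


def render_json_only(name: str) -> str:
    """HTML contexts encoded, but the script context relies on json.dumps alone."""
    return (f'<tr><td>{for_html_text(name)}</td>'
            f'<td><a href="#" title="{for_html_text(name)}">open</a></td></tr>\n'
            f'<script>var attachmentName = {json.dumps(name)};</script>')


def render_hardened(name: str) -> str:
    """Each insertion point uses the encoder for its own context."""
    return (f'<tr><td>{for_html_text(name)}</td>'
            f'<td><a href="#" title="{for_html_text(name)}">open</a></td></tr>\n'
            f'<script>var attachmentName = {for_js_string(name)};</script>')


def script_blocks(markup: str) -> int:
    """Count '</script>' tags; the template itself contributes exactly one."""
    return markup.lower().count("</script>")


if __name__ == "__main__":
    print("naive      :", script_blocks(render_naive(PAYLOAD_SCRIPT_BREAKOUT)), "closing script tags")
    print("json only  :", script_blocks(render_json_only(PAYLOAD_SCRIPT_BREAKOUT)), "closing script tags")
    print("hardened   :", script_blocks(render_hardened(PAYLOAD_SCRIPT_BREAKOUT)), "closing script tags")
    print(render_hardened(PAYLOAD_HTML))
```

The `script_blocks` count is the tell: any `</script>` beyond the template's own one means the browser will end the script early and parse the remainder of the stored value as markup. Encoding at render time rather than at save time also keeps the stored value usable in other contexts (plain-text mail headers, JSON APIs) without double-encoding.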