Text Exploits
31,386 exploits tracked across all sources.
Custom Global Variables 1.0.5 - Stored Cross-Site Scripting via vars[0][name] Field
Stored cross-site scripting (XSS) in a form field of the robust.systems product Custom Global Variables v1.0.5 allows a remote attacker to inject arbitrary code via the vars[0][name] field.
by Swapnil Subhash Bodekar
CVSS 5.4
PrestaShop 1.7.7.0 - SQL Injection via Product Comments Module id_products[] Parameter
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.
by Jaimin Gondaliya
CVSS 9.8
Cemetry Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting
by Mesut Cetin
EyesOfNetwork 5.3 - RCE & PrivEsc
by Audencia Business SCHOOL Red Team
Anchor CMS 0.12.7 - 'markdown' Stored Cross-Site Scripting
by Ramazan Mert GÖKTEN
Online Doctor Appointment System 1.0 - Authenticated Stored Cross-Site Scripting in Update Profile Module
Multiple stored cross-site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.
by Mohamed habib Smidi
CVSS 5.4
Life Insurance Management System 1.0 - Multiple Stored XSS
by Arnav Tripathy
Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)
by Metin Yunus Kandemir
EVOLUCARE ECSIMAGING < 6.21.5 - SQL Injection via Login and Password Reset Forms
EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form (such as /req_password_user.php?email=). This allows an attacker to steal data in the database and obtain access to the application. (The database component runs as root.) NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
by shoxxdj
CVSS 9.8
Cockpit < 0.6.1 - Remote Code Execution via registerCriteriaFunction
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.
by Rafael Resende
CVSS 9.8
Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution
by Saeed Bala Ahmed
iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information)
by h4cks1n
WordPress Plugin WP24 Domain Check 1.6.2 Stored XSS
WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page.
by Mehmet Kelepçe
CVSS 6.4
dirsearch 0.4.1 - CSV Injection via Redirect Endpoint Path
Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report.
by Dolev Farhi
CVSS 9.8
IObit Uninstaller 10 Pro - Privilege Escalation
IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup.
by Mayur Parmar
CVSS 7.8
WinAVR <20100110 - Privilege Escalation
WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory.
by Mohammed Alshehri
CVSS 8.8
Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery via My Additional Contact Page
Advanced Webhost Billing System 3.7.0 is affected by Cross Site Request Forgery (CSRF) attacks that can delete a contact from the My Additional Contact page.
by Rahul Ramakant Singh
CVSS 4.3
WordPress Plugin litespeed cache 3.6 - 'server_ip' Cross-Site Scripting
by Nhat Ha
Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)
by Arnav Tripathy
Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE
by Kshitiz Raj
Responsive E-Learning System 1.0 - Stored Cross Site Scripting
by Kshitiz Raj