Text Exploits

31,386 exploits tracked across all sources.

EIP-2026-105171 EXPLOITDB text
Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)
by Sinem Şahin
EIP-2026-104180 EXPLOITDB text
B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)
by LiquidWorm
EIP-2026-104179 EXPLOITDB text
B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure
by LiquidWorm
EIP-2026-112121 EXPLOITDB text
Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated)
by Aporlorxl23
EIP-2026-110104 EXPLOITDB text
Online Food Ordering System 1.0 - Remote Code Execution
by Eren Şimşek
CVE-2020-35241 EXPLOITDB MEDIUM text
FlatPress 1.0.3 - Stored Cross-Site Scripting in Blog Content
FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject an XSS payload into blog content via the admin panel. Each time any user visits that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
by Alperen Ergel
CVSS 4.8
CVE-2020-36989 EXPLOITDB HIGH text
ForensiT AppX Management Service 2.2.0.4 - Privilege Escalation
ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.
by Burhanettin Ozgenc
CVSS 7.8
EIP-2026-111963 EXPLOITDB text
Seat Reservation System 1.0 - 'id' SQL Injection
by Augkim
EIP-2026-110172 EXPLOITDB text
Online Shop Project 1.0 - 'p' SQL Injection
by Augkim
CVE-2020-25453 EXPLOITDB HIGH text
BlackCat CMS < 1.4 - Cross-Site Request Forgery Bypass
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
by Noth
CVSS 8.8
EIP-2026-118117 EXPLOITDB text
Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
by hyp3rlinx
CVE-2020-9467 EXPLOITDB MEDIUM text
Piwigo 2.10.1 - Stored Cross-Site Scripting via pwg.images.setInfo File Parameter
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.
by Iridium
CVSS 5.4
CVE-2020-25540 EXPLOITDB HIGH text
ThinkAdmin v6 - Unauthenticated Path Traversal via GET Request Encode Parameter
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via the GET request encode parameter.
by Hzllaga
CVSS 7.5
CVE-2020-23835 EXPLOITDB MEDIUM text
SourceCodester Tailor Management System v1.0 - XSS
A Reflected Cross-Site Scripting (XSS) vulnerability in the index.php login-portal webpage of SourceCodester Tailor Management System v1.0 allows remote attackers to harvest keys pressed by an unauthenticated victim who clicks on a malicious URL and begins typing.
by boku
CVSS 6.4
CVE-2020-25751 EXPLOITDB HIGH text
pago_commerce 2.5.9.0 - Authenticated SQL Injection via filter_published Parameter
The paGO Commerce plugin 2.5.9.0 for Joomla! allows SQL Injection via the administrator/index.php?option=com_pago&view=comments filter_published parameter.
by Mehmet Kelepçe
CVSS 8.8
EIP-2026-117832 EXPLOITDB text
Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
by LiquidWorm
EIP-2026-117756 EXPLOITDB text
Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path
by Jok3r
CVE-2020-13259 EXPLOITDB HIGH text
RAD SecFlow-1v os-image SF_0290_2.3.01.26 - CSRF
A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.
by Jonatan Schor
CVSS 8.8
CVE-2020-13260 EXPLOITDB MEDIUM text
RAD SecFlow-1v Firmware - Authenticated Stored Cross-Site Scripting via OVPN File Upload
A vulnerability in the web-based management interface of RAD SecFlow-1v through 2020-05-21 could allow an authenticated attacker to upload a JavaScript file, with a stored XSS payload, that will remain stored in the system as an OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. This payload will execute each time a user opens an affected web page. This could be exploited in conjunction with CVE-2020-13259.
by Jonatan Schor
CVSS 6.1
CVE-2020-37012 EXPLOITDB CRITICAL text
Tea LaTeX 1.0 - Unauthenticated Remote Code Execution via /api.php tex2png Action
Tea LaTeX 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API action.
by nepska
CVSS 9.8
CVE-2020-36990 EXPLOITDB HIGH text
Input Director 1.4.3 - Privilege Escalation
Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.
by TOUHAMI Kasbaoui
CVSS 7.8
EIP-2026-112550 EXPLOITDB text
Tailor Management System - 'id' SQL Injection
by Mosaaed
EIP-2026-102420 EXPLOITDB text
Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)
by V1n1v131r4
CVE-2020-36991 EXPLOITDB HIGH text
ShareMouse 5.0.43 - Privilege Escalation
ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup.
by alacerda
CVSS 7.8
CVE-2020-7734 EXPLOITDB HIGH text
arachnys/cabot < 0.11.16 - Cross-Site Scripting via Endpoint Column
All versions of package cabot are vulnerable to Cross-site Scripting (XSS) via the Endpoint column.
by Abhiram V
CVSS 8.2