Exploitdb Exploits

31,346 exploits tracked across all sources.

CVE-2020-14944 EXPLOITDB CRITICAL text
Global RADAR BSA Radar <1.6.7234.24750 - Privilege Escalation
Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can allow for manipulation and takeover of user accounts if successfully exploited. The following vulnerable functions are exposed: ChangePassword, SaveUserProfile, and GetUser.
by William Summerhill
CVSS 9.8
EIP-2026-119667 EXPLOITDB text
Microsoft Windows mshta.exe 2019 - XML External Entity Injection
by hyp3rlinx
EIP-2026-110177 EXPLOITDB text
Online Shopping Portal 3.1 - 'email' SQL Injection
by gh1mau
EIP-2026-108909 EXPLOITDB text
Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
by Mehmet Kelepçe
CVE-2020-14945 EXPLOITDB HIGH text
Global RADAR BSA Radar <1.6.7234.24750 - Privilege Escalation
A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.24750 and earlier that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e., the BankAdmin role) via modified SaveUser data.
by William Summerhill
CVSS 8.8
CVE-2019-5029 EXPLOITDB CRITICAL text
Exhibitor Web UI <1.7.1 - Command Injection
An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.
by Logan Sanderson
CVSS 9.8
CVE-2020-23934 EXPLOITDB HIGH text VERIFIED
RiteCMS 2.2.1 - Command Injection
An issue was discovered in RiteCMS 2.2.1. An authenticated user can directly execute system commands by uploading a php web shell in the "Filemanager" section.
by Enes Özeser
CVSS 8.8
EIP-2026-109824 EXPLOITDB text
Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
by Basim Alabdullah
EIP-2026-107083 EXPLOITDB text
File Management System 1.1 - Persistent Cross-Site Scripting
by KeopssGroup0day_Inc
CVE-2019-3759 EXPLOITDB MEDIUM text
Dell RSA Identity Governance and Lifecycle - Code Injection
The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system.
by Jakub Palaczynski
CVSS 6.4
CVE-2020-5902 EXPLOITDB CRITICAL text
BIG-IP <15.2 - RCE
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
by Budi Khoirudin
CVSS 9.8
CVE-2020-14947 EXPLOITDB HIGH text
OCS Inventory NG <2.7 - RCE
OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.
by Askar
CVSS 8.8
CVE-2020-37035 EXPLOITDB HIGH text
e-Learning PHP Script 0.1.0 - SQL Injection
e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify, or access sensitive database information.
by KeopssGroup0day_Inc
CVSS 8.2
EIP-2026-110814 EXPLOITDB text
PHP-Fusion 9.03.60 - PHP Object Injection
by coiffeur
EIP-2026-110178 EXPLOITDB text
Online Shopping Portal 3.1 - Authentication Bypass
by Ümit Yalçın
CVE-2020-15599 EXPLOITDB MEDIUM text
Victor CMS < 2019-02-28 - XSS
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
by Anushree Priyadarshini
CVSS 6.1
EIP-2026-111740 EXPLOITDB text
Reside Property Management 3.0 - 'profile' SQL Injection
by Behzad Khalifeh
EIP-2026-118118 EXPLOITDB text
Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
by Ethan Seow
EIP-2026-117386 EXPLOITDB text
KiteService 1.2020.618.0 - Unquoted Service Path
by Marcos Antonio León
EIP-2026-110293 EXPLOITDB text
OpenEMR 5.0.1 - 'controller' Remote Code Execution
by Emre ÖVÜNÇ
EIP-2026-107079 EXPLOITDB text
FHEM 6.0 - Local File Inclusion
by Emre ÖVÜNÇ
CVE-2018-11311 EXPLOITDB CRITICAL text
mySCADA myPRO - Hard-coded Credentials
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
by Emre ÖVÜNÇ
CVSS 9.1
CVE-2020-14943 EXPLOITDB MEDIUM text
Global RADAR BSA Radar <1.6.7234.24750 - XSS
The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.7234.24750 and earlier are vulnerable to stored cross-site scripting (XSS) via Update User Profile.
by William Summerhill
CVSS 5.4
CVE-2020-14011 EXPLOITDB CRITICAL text
Lansweeper <7.2.x - Command Injection
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features.
by Amel BOUZIANE-LEBLOND
CVSS 9.8
EIP-2026-111752 EXPLOITDB text
Responsive Online Blog 1.0 - 'id' SQL Injection
by Eren Şimşek