Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2023-53953 EXPLOITDB MEDIUM text VERIFIED
WebsiteBaker 2.13.3 - Authenticated Stored Cross-Site Scripting via Page Title
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53952 EXPLOITDB HIGH text
Dotclear 2.25.3 - Authenticated Remote Code Execution via PHAR File Upload
Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server.
by Mirabbas Ağalarov
CVSS 8.8
EIP-2026-117963 EXPLOITDB text
Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation
by TOUHAMI Kasbaoui
CVE-2022-47529 EXPLOITDB MEDIUM text
RSA NetWitness <12.2 - Privilege Escalation
Insecure Win32 memory objects in Endpoint Windows Agents in RSA NetWitness Platform before 12.2 allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.
by hyp3rlinx
CVSS 6.7
CVE-2022-48178 EXPLOITDB MEDIUM text
X2CRM 6.6-6.9 - Stored Cross-Site Scripting via Create Action Function
X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI.
by Betul Denizler
CVSS 5.4
CVE-2022-48177 EXPLOITDB MEDIUM text
X2CRM 6.6-6.9 - Reflected Cross-Site Scripting via Import Records Model Parameter
X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter). This vulnerability allows attackers to create malicious JavaScript that will be executed by the victim user's browser.
by Betul Denizler
CVSS 5.4
EIP-2026-111755 EXPLOITDB text VERIFIED
Restaurant Management System 1.0 - SQL Injection
by calfcrusher
EIP-2026-110207 EXPLOITDB text
Online-Pizza-Ordering 1.0 - Remote Code Execution (RCE)
by nu11secur1ty
EIP-2026-110057 EXPLOITDB text
Online Appointment System V1.0 - Cross-Site Scripting (XSS)
by Sanjay Singh
EIP-2026-109393 EXPLOITDB text
Medicine Tracker System v1.0 - SQL Injection
by Sanjay Singh
CVE-2023-23752 EXPLOITDB MEDIUM python VERIFIED
Joomla! 4.0.0-4.2.7 - Unauthenticated Improper Access Control in Webservice Endpoints
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
by Alexandre ZANNI
CVSS 5.3
CVE-2022-24716 EXPLOITDB HIGH python
Icinga Web 2 <2.9.6 - Unauthenticated Arbitrary File Disclosure
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
by Jacob Ebben
CVSS 7.5
CVE-2022-25630 EXPLOITDB MEDIUM text
Symantec Messaging Gateway < 10.8 - Authenticated Stored Cross-Site Scripting in Admin Group Policy Page
An authenticated user can embed malicious content with XSS into the admin group policy page.
by omurugur
CVSS 5.4
CVE-2023-27167 EXPLOITDB MEDIUM text
Suprema BioStar 2 2.8.16 - SQL Injection via values Parameter
Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via the values parameter at /users/absence?search_month=1.
by Yuriy (Vander) Tsarenko
CVSS 6.5
CVE-2022-0020 EXPLOITDB MEDIUM text
Cortex XSOAR 6.1.0 and < 6.2.0 build 1958888 - Authenticated Stored Cross-Site Scripting
A stored cross-site scripting (XSS) vulnerability in Palo Alto Network Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent javascript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations. This issue impacts: All builds of Cortex XSOAR 6.1.0; Cortex XSOAR 6.2.0 builds earlier than build 1958888.
by omurugur
CVSS 6.8
CVE-2023-22232 EXPLOITDB MEDIUM text
Adobe Connect <=11.4.5, <=12.1.5 - Security Feature Bypass via Improper Access Control
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction.
by h4shur
CVSS 5.3
CVE-2023-23399 EXPLOITDB HIGH text
Microsoft Excel - Remote Code Execution via Out-of-bounds Read
Microsoft Excel Remote Code Execution Vulnerability
by nu11secur1ty
CVSS 7.8
EIP-2026-103781 EXPLOITDB ruby
Lucee Scheduled Job v1.0 - Command Execution
by Alexander Philiotis
EIP-2026-102865 EXPLOITDB text
Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)
by Rafay Baloch and Muhammad Samak
CVE-2022-43939 EXPLOITDB HIGH text
Hitachi Vantara Pentaho <9.4.0.1, <9.3.0.2 - SSRF via Non-Canonical URL Restriction Bypass
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
by dwbzn
CVSS 8.6
CVE-2023-0669 EXPLOITDB HIGH java
Fortra GoAnywhere MFT Unsafe Deserialization RCE
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
by Youssef Muhammad
CVSS 7.2
CVE-2023-28343 EXPLOITDB CRITICAL python
APSystems Energy Communication Unit Firmware C1.2.5 - OS Command Injection via Timezone Parameter
OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
by Ahmed Alroky
CVSS 9.8
CVE-2023-27100 EXPLOITDB CRITICAL python
Netgate pfSense Plus 22.05.1 / pfSense CE 2.6.0 - SSHGuard Brute-Force Protection Bypass
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
by FabDotNET
CVSS 9.8
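Two entries in this list name a concrete endpoint and parameter (the set_timezone command injection in the APSystems ECU, CVE-2023-28343, and the values parameter of /users/absence in Suprema BioStar 2, CVE-2023-27167), which is enough to write a detection rule. The following access-log scanner is an added example written for this page, not code from Exploit-DB, the exploit authors, or either vendor. The log lines are constructed for the demo, not captured traffic; the endpoint paths come from the CVE descriptions above, while the metacharacter heuristics, the suffix matching and the field names are assumptions.

```python
"""Flag probes against two listed endpoints in combined-format access logs.

Added example for this listing, not vendor or Exploit-DB code. Sample log
lines are constructed; endpoint paths are taken from the CVE descriptions.
Caveat: access logs carry only the query string, so POST bodies (the more
likely delivery path for set_timezone) are invisible to this scanner.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined/common log format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Characters a shell interprets in an unquoted argument (assumed heuristic for
# CVE-2023-28343, where the timezone value reaches a system call).
SHELL_META = re.compile(r'[;&|`$<>\n]')
# Tokens typical of SQL injection probes (assumed heuristic for CVE-2023-27167).
SQL_META = re.compile(r"'|--|/\*|\bUNION\b|\bSLEEP\s*\(|\bOR\b\s+\d+\s*=\s*\d+", re.I)

# (path suffix, parameter, pattern, label). Suffix matching is an assumption:
# both products may be deployed under an arbitrary URL prefix.
RULES = [
    ("/index.php/management/set_timezone", "timezone", SHELL_META,
     "CVE-2023-28343 OS command injection"),
    ("/users/absence", "values", SQL_META,
     "CVE-2023-27167 SQL injection"),
]


def parse_line(line):
    """Return a dict with ip, path, decoded params and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = unquote_plus(url.path)
    # parse_qs decodes once; decoding a second time catches double-encoded probes.
    rec["params"] = {
        k: [unquote_plus(v) for v in vs]
        for k, vs in parse_qs(url.query, keep_blank_values=True).items()
    }
    return rec


def scan(lines):
    """Return one hit dict per (request, rule) match, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for suffix, param, pattern, label in RULES:
            if not rec["path"].endswith(suffix):
                continue
            for value in rec["params"].get(param, []):
                if pattern.search(value):
                    hits.append({"ip": rec["ip"], "label": label, "param": param,
                                 "value": value, "status": rec["status"]})
    return hits


# Constructed sample traffic: one benign and one hostile request per endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /index.php/management/set_timezone?timezone=Europe%2FParis HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2023:10:00:09 +0000] "GET /index.php/management/set_timezone?timezone=UTC%3B%20id%20%3E%20/tmp/o HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2023:10:00:15 +0000] "GET /api/users/absence?search_month=1&values=1%27%20OR%201%3D1-- HTTP/1.1" 500 221',
    '10.0.0.8 - - [01/Mar/2023:10:01:00 +0000] "GET /api/users/absence?search_month=1&values=5 HTTP/1.1" 200 1400',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['label']} {hit['param']}={hit['value']!r} status={hit['status']}")
```

Only the two hostile lines are reported; the benign requests to the same endpoints pass. A 500 on the SQL probe is worth correlating with the application log, since it is often the only server-side trace of a failed injection attempt.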
CVE-2022-41333 EXPLOITDB HIGH python
FortiRecorder <=6.4.3, <=6.0.11 - Unauthenticated Denial of Service via Crafted GET Requests
An uncontrolled resource consumption vulnerability [CWE-400] in FortiRecorder version 6.4.3 and below, 6.0.11 and below login authentication mechanism may allow an unauthenticated attacker to make the device unavailable via crafted GET requests.
by Mohammed Adel
CVSS 7.5
CVE-2023-26692 EXPLOITDB MEDIUM text
ZCBS/ZBBS/ZPBS 4.14k - Cross-Site Scripting
Zijper Collectie Beheer Systeem (ZCBS), Zijper Publication Management System (ZPBS), and Zijper Image Bank Management System (ZBBS) 4.14k are vulnerable to Cross-Site Scripting (XSS).
by Abdulaziz Saad
CVSS 6.1