Exploitdb Exploits

50,130 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-109393 EXPLOITDB text
Medicine Tracker System v1.0 - Sql Injection
by Sanjay Singh
CVE-2023-23752 EXPLOITDB MEDIUM python VERIFIED
Joomla! < 4.2.8 - Improper Access Control
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
by Alexandre ZANNI
CVSS 5.3
CVE-2022-24716 EXPLOITDB HIGH python
Icinga Web 2 <2.9.5 - Info Disclosure
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
by Jacob Ebben
CVSS 7.5
CVE-2022-25630 EXPLOITDB MEDIUM text
Symantec Messaging Gateway < 10.8 - XSS
An authenticated user can embed malicious content with XSS into the admin group policy page.
by omurugur
CVSS 5.4
CVE-2023-27167 EXPLOITDB MEDIUM text
Suprema BioStar 2 <2.8.16 - SQL Injection
Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via the values parameter at /users/absence?search_month=1.
by Yuriy (Vander) Tsarenko
CVSS 6.5
CVE-2022-0020 EXPLOITDB MEDIUM text
Paloaltonetworks Cortex Xsoar - XSS
A stored cross-site scripting (XSS) vulnerability in Palo Alto Network Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent javascript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations. This issue impacts: All builds of Cortex XSOAR 6.1.0; Cortex XSOAR 6.2.0 builds earlier than build 1958888.
by omurugur
CVSS 6.8
CVE-2023-22232 EXPLOITDB MEDIUM text
Adobe Connect <11.4.5, 12.1.5 - Auth Bypass
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction.
by h4shur
CVSS 5.3
CVE-2023-23399 EXPLOITDB HIGH text
Microsoft 365 Apps - Out-of-Bounds Read
Microsoft Excel Remote Code Execution Vulnerability
by nu11secur1ty
CVSS 7.8
EIP-2026-103781 EXPLOITDB ruby
Lucee Scheduled Job v1.0 - Command Execution
by Alexander Philiotis
EIP-2026-102865 EXPLOITDB text
Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)
by Rafay Baloch and Muhammad Samak
CVE-2022-43939 EXPLOITDB HIGH text
Hitachi Vantara Pentaho <9.4.0.1-9.3.0.2 - SSRF
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
by dwbzn
CVSS 8.6
CVE-2023-0669 EXPLOITDB HIGH java
Fortra GoAnywhere MFT Unsafe Deserialization RCE
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
by Youssef Muhammad
CVSS 7.2
CVE-2023-28343 EXPLOITDB CRITICAL python
Apsystems Energy Communication Unit Firmware - OS Command Injection
OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
by Ahmed Alroky
CVSS 9.8
CVE-2023-27100 EXPLOITDB CRITICAL python
Netgate pfSense Plus <v22.05.1 - Auth Bypass
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
by FabDotNET
CVSS 9.8
CVE-2022-41333 EXPLOITDB HIGH python
FortiRecorder <6.4.3 - DoS
An uncontrolled resource consumption vulnerability [CWE-400] in FortiRecorder version 6.4.3 and below, 6.0.11 and below login authentication mechanism may allow an unauthenticated attacker to make the device unavailable via crafted GET requests.
by Mohammed Adel
CVSS 7.5
CVE-2023-26692 EXPLOITDB MEDIUM text
ZCBS/ZPBS/ZBBS 4.14k - XSS
ZCBS Zijper Collectie Beheer Systeem (ZCBS), Zijper Publication Management System (ZPBS), and Zijper Image Bank Management System (ZBBS) 4.14k is vulnerable to Cross Site Scripting (XSS).
by Abdulaziz Saad
CVSS 6.1
CVE-2022-30076 EXPLOITDB MEDIUM text
Entab Erp - Brute Force
ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting.
by Deb Prasad Banerjee
CVSS 5.3
CVE-2023-27010 EXPLOITDB HIGH text
Wondershare Dr.Fone <12.9.6 - Privilege Escalation
Wondershare Dr.Fone v12.9.6 was discovered to contain weak permissions for the service WsDrvInst. This vulnerability allows attackers to escalate privileges via modifying or overwriting the executable.
by Thurein Soe
CVSS 7.8
EIP-2026-111818 EXPLOITDB text
Rukovoditel 3.3.1 - Remote Code Execution (RCE)
by Mirabbas Ağalarov
CVE-2023-24788 EXPLOITDB HIGH python
NotrinosERP v0.7 - SQL Injection
NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at /NotrinosERP/sales/customer_delivery.php.
by Arvandy
CVSS 8.8
CVE-2023-24787 EXPLOITDB python
Rejected
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-24685. Reason: This record is a duplicate of CVE-2023-24685. Notes: All CVE users should reference CVE-2023-24685 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
by Arvandy
CVE-2022-47986 EXPLOITDB CRITICAL python
IBM Aspera Faspex < 4.4.1 - Insecure Deserialization
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
by Maurice Lambert
CVSS 9.8
CVE-2023-27290 EXPLOITDB CRITICAL python
IBM Instana - Info Disclosure
Docker based datastores for IBM Instana (IBM Observability with Instana 239-0 through 239-2, 241-0 through 241-2, and 243-0) do not currently require authentication. Due to this, an attacker within the network could access the datastores with read/write access. IBM X-Force ID: 248737.
by Shahid Parvez (zippon)
CVSS 9.1
CVE-2021-27825 EXPLOITDB HIGH text
Mercury MAC1200R - Path Traversal
A directory traversal vulnerability on Mercury MAC1200R devices allows attackers to read arbitrary files via a web-static/ URL.
by Chunlei Shang_ Jiangsu Public Information Co._ Ltd.
CVSS 7.5
CVE-2020-35391 EXPLOITDB CRITICAL python
Tenda N300 F3 12.01.01.48 - Info Disclosure
Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior.
by @h454nsec
CVSS 9.6
By Source
All 50,130 Exploitdb 50,130 Writeup 46,870 Nomisec 21,221 Metasploit 3,189 Github 2,316 Vulncheck_xdb 900 Inthewild 518 Gitlab 439 Gitee 415 Patchapalooza 312
By Language
text 31,346 ruby 5,920 python 5,770 c 3,560 perl 2,854 html 2,055 php 1,334 bash 459 java 360 javascript 260 c++ 247 shell 74 go 43 postscript 25 xml 24