Exploitdb Exploits

50,130 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-111977 EXPLOITDB text
Senayan Library Management System v9.5.0 - SQL Injection
by nu11secur1ty
EIP-2026-111816 EXPLOITDB text
rukovoditel 3.2.1 - Cross-Site Scripting (XSS)
by nu11secur1ty
EIP-2026-110182 EXPLOITDB text VERIFIED
Online shopping system advanced 1.0 - Multiple Vulnerabilities
by Rafael Pedrero
EIP-2026-109587 EXPLOITDB text
Moodle LMS 4.0 - Cross-Site Scripting (XSS)
by Saud Alenazi
EIP-2026-107708 EXPLOITDB text
iBooking v1.0.8 - Arbitrary File Upload
by d1z1n370/oPty
CVE-2022-3552 EXPLOITDB HIGH text VERIFIED
Boxbilling < 0.0.1 - Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type in GitHub repository boxbilling/boxbilling prior to 0.0.1.
by zetc0de
CVSS 7.2
EIP-2026-105436 EXPLOITDB text
Beauty-salon v1.0 - Remote Code Execution (RCE)
by nu11secur1ty
CVE-2022-24082 EXPLOITDB CRITICAL text
Pega Platform - Code Injection
If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.
by Marcin Wolak
CVSS 9.8
CVE-2022-32272 EXPLOITDB CRITICAL python
Opswat Metadefender < 5.1.2 - Improper Privilege Management
OPSWAT MetaDefender Core before 5.1.2, MetaDefender ICAP before 4.12.1, and MetaDefender Email Gateway Security before 5.6.1 have incorrect access control, resulting in privilege escalation.
by Ulascan Yildirim
CVSS 9.8
CVE-2022-38580 EXPLOITDB CRITICAL text
Zalando Skipper <0.13.236 - SSRF
Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF).
by Hosein Vita
CVSS 9.8
EIP-2026-103919 EXPLOITDB text
Hashicorp Consul v1.0 - Remote Command Execution (RCE)
by GatoGamer1155
CVE-2022-42953 EXPLOITDB HIGH text
ZKTeco <8.88 - Info Disclosure
Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).
by RedTeam Pentesting GmbH
CVSS 7.5
CVE-2022-37255 EXPLOITDB HIGH text
Tp-link Tapo C310 Firmware - Hard-coded Credentials
TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603.
by dsclee1
CVSS 7.5
CVE-2022-41441 EXPLOITDB MEDIUM text
ReQlogic v11.3 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in ReQlogic v11.3 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the POBatch and WaitDuration parameters.
by Okan Kurtulus
CVSS 6.1
CVE-2023-53975 EXPLOITDB HIGH text
Atom CMS 2.0 - SQL Injection
Atom CMS 2.0 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries through unvalidated parameters. Attackers can inject malicious SQL code in the 'id' parameter of the admin index page to execute time-based blind SQL injection attacks.
by Hubert Wojciechowski
CVSS 7.5
CVE-2023-53972 EXPLOITDB HIGH text
WebTareas 2.4 - SQL Injection
WebTareas 2.4 contains a SQL injection vulnerability in the webTareasSID cookie parameter that allows unauthenticated attackers to manipulate database queries. Attackers can exploit error-based and time-based blind SQL injection techniques to extract database information and potentially access sensitive system data.
by Hubert Wojciechowski
CVSS 7.5
CVE-2023-53971 EXPLOITDB HIGH text
WebTareas 2.4 - File Upload
WebTareas 2.4 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the chat photo upload functionality. Attackers can upload a PHP file with arbitrary code to the /files/Messages/ directory and execute it directly through the generated file path.
by Hubert Wojciechowski
CVSS 8.8
CVE-2023-53774 EXPLOITDB CRITICAL text
MiniDVBLinux 5.4 - RCE
MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. Attackers can send crafted SVDRP commands through the svdrpsend.sh script to execute messages and potentially control the video disk recorder remotely.
by LiquidWorm
CVSS 9.8
CVE-2023-53773 EXPLOITDB MEDIUM text
MiniDVBLinux 5.4 - Info Disclosure
MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. Attackers can request /tpl/tv_action.sh to create and retrieve a live TV screenshot stored in /var/www/images/tv.jpg without authentication.
by LiquidWorm
CVSS 5.3
CVE-2023-53772 EXPLOITDB HIGH python
MiniDVBLinux 5.4 - Info Disclosure
MiniDVBLinux 5.4 contains an arbitrary file disclosure vulnerability that allows attackers to read sensitive system files through the 'file' GET parameter. Attackers can exploit the about page by supplying file paths to disclose arbitrary file contents on the affected device.
by LiquidWorm
CVSS 7.5
CVE-2023-53771 EXPLOITDB CRITICAL text
MiniDVBLinux 5.4 - Auth Bypass
MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters to reset root credentials.
by LiquidWorm
CVSS 9.8
CVE-2023-53770 EXPLOITDB HIGH text
MiniDVBLinux 5.4 - Info Disclosure
MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to retrieve a complete system configuration archive containing sensitive credentials.
by LiquidWorm
CVSS 7.5
CVE-2025-25038 EXPLOITDB CRITICAL python
MiniDVBLinux <5.4 - Command Injection
An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.
by LiquidWorm
CVSS 9.8
CVE-2023-54341 EXPLOITDB MEDIUM text
Webgrind < 1.1 - XSS
Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim's browsers by crafting malicious URLs.
by Rafael Pedrero
CVSS 6.1
CVE-2023-54339 EXPLOITDB CRITICAL text
Webgrind < 1.1 - OS Command Injection
Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system.
by Rafael Pedrero
CVSS 9.8
By Source
All 50,130 Exploitdb 50,130 Writeup 46,871 Nomisec 21,233 Metasploit 3,221 Github 2,353 Vulncheck_xdb 900 Inthewild 518 Gitlab 439 Gitee 415 Patchapalooza 312
By Language
text 31,346 ruby 5,952 python 5,785 c 3,564 perl 2,854 html 2,055 php 1,334 bash 459 java 360 javascript 260 c++ 247 shell 78 go 45 postscript 25 xml 24