Exploitdb Exploits

50,135 exploits tracked across all sources.

EIP-2026-114242 EXPLOITDB text
WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
by Murat DEMİRCİ
EIP-2026-113525 EXPLOITDB text
WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
by Murat DEMİRCİ
CVE-2023-43959 EXPLOITDB HIGH text
YeaLinkSIP-T19P-E2 <v.53.84.0.15 - RCE
An issue in YeaLinkSIP-T19P-E2 v.53.84.0.15 allows a remote privileged attacker to execute arbitrary code via a crafted request to the ping function of the diagnostic component.
by tahaafarooq
CVSS 8.8
CVE-2021-47765 EXPLOITDB MEDIUM python
Celestialsoftware Absolutetelnet - Out-of-Bounds Write
AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to become unresponsive.
by Yehia Elghaly
CVSS 5.5
CVE-2021-47764 EXPLOITDB MEDIUM python
Celestialsoftware Absolutetelnet - Out-of-Bounds Write
AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. Attackers can generate a 1000-character payload and paste it into specific input fields to trigger application crashes and force unexpected termination.
by Yehia Elghaly
CVSS 5.5
CVE-2021-43136 EXPLOITDB CRITICAL python
FormaLMS <= 2.4.4 - Auth Bypass
An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain valid access to the platform.
by Cristian 'void' Giustini
CVSS 9.8
CVE-2021-42013 EXPLOITDB CRITICAL python VERIFIED
Apache HTTP Server < 9.2.6.0 - Path Traversal
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
by Valentin Lobstein
CVSS 9.8
EIP-2026-106855 EXPLOITDB text
Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
by Ragavender A G
EIP-2026-106854 EXPLOITDB text
Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
by İlhami Selamet
CVE-2021-47766 EXPLOITDB HIGH text
Kmaleon 1.1.0.205 - SQL Injection
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.
by Amel BOUZIANE-LEBLOND
CVSS 7.1
EIP-2026-113582 EXPLOITDB text
WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion
by Murat DEMİRCİ
EIP-2026-112075 EXPLOITDB text
Simple Client Management System 1.0 - SQLi (Authentication Bypass)
by Sentinal920
EIP-2026-112072 EXPLOITDB text
Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
by Sentinal920
EIP-2026-109553 EXPLOITDB text
Money Transfer Management System 1.0 - Authentication Bypass
by Aryan Chehreghani
CVE-2021-43405 EXPLOITDB HIGH python
FusionPBX <4.5.30 - Info Disclosure
An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric).
by Luska
CVSS 8.8
CVE-2021-42325 EXPLOITDB CRITICAL text
Froxlor < 0.10.30 - SQL Injection
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.
by Martin Cernac
CVSS 9.8
EIP-2026-103824 EXPLOITDB c
zlog 1.2.15 - Buffer Overflow
by LIWEI
CVE-2021-47768 EXPLOITDB MEDIUM text
Cleidigh Importexporttools NG - XSS
ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials.
by Vulnerability-Lab
CVSS 6.1
CVE-2021-47767 EXPLOITDB HIGH text
10-strike Network Inventory Explorer - Privilege Escalation
10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path segments to achieve privilege escalation and execute code with system-level permissions.
by Brian Rodriguez
CVSS 7.8
EIP-2026-110502 EXPLOITDB text
Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)
by Vulnerability-Lab
EIP-2026-110269 EXPLOITDB python
Opencart 3 Extension TMD Vendor System - Blind SQL Injection
by Muhammad Zaki Sulistya
CVE-2021-47771 EXPLOITDB MEDIUM text
Cinspiration RDP Manager - Resource Allocation Without Limits
RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstallation.
by Vulnerability-Lab
CVSS 5.5
CVE-2021-47769 EXPLOITDB MEDIUM text
Bdtask Isshue - XSS
Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks.
by Vulnerability-Lab
CVSS 4.8
EIP-2026-113972 EXPLOITDB text
WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)
by Luca Schembri
EIP-2026-113810 EXPLOITDB text
WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)
by Vulnerability-Lab