Exploitdb Exploits
50,076 exploits tracked across all sources.
Opencart TMD Vendor System 3.x Blind SQL Injection via product route
Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.
by Muhammad Zaki Sulistya
CVSS 8.2
RDP Manager 4.9.9.3 - Denial of Service via Oversized Connection Input Fields
RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstallation.
by Vulnerability-Lab
CVSS 5.5
Isshue Shopping Cart 3.5 - Stored Cross-Site Scripting in Title Input Fields
Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks.
by Vulnerability-Lab
CVSS 4.8
WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)
by Luca Schembri
WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)
by Vulnerability-Lab
Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)
by Vulnerability-Lab
Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)
by Vulnerability-Lab
Simplephpscripts Simple CMS 2.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
by Vulnerability-Lab
Simplephpscripts Simple CMS 2.1 - 'Multiple' SQL Injection
by Vulnerability-Lab
PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)
by Vulnerability-Lab
PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)
by Vulnerability-Lab
PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)
by Vulnerability-Lab
FUEL CMS < 1.4.2 - Unauthenticated Remote Code Execution via Pages Filter or Preview Data Parameter
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
by Padsala Trushal
CVSS 9.8
ForgeRock OpenAM < 13.5.1 - Unauthenticated LDAP Injection via Webfinger Protocol
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.
by Charlton Trezevant
CVSS 7.5
Eclipse Jetty 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5 - Directory Traversal & Security Bypass via Encoded URI
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
by Mayank Deshmukh
CVSS 5.3
Sonicwall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)
by Vulnerability-Lab
PHPGURUKUL Employee Record Management System 1.2 - SQL Injection
SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.
by Anubhav Singh
CVSS 9.8
Ericsson Network Location <2021-07-31 - Command Injection
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.
by AkkuS
CVSS 8.8
YouTube Downloader 1.9.9.1 - Buffer Overflow
YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind shell connection on a specified local port.
by stresser
CVSS 8.4
Kingdia CD Extractor 3.0.2 - Remote Code Execution via Registration Name Field Overflow
Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 256 bytes to overwrite Structured Exception Handler and gain remote code execution through a bind shell.
by stresser
CVSS 9.8
Dynojet Power Core 2.3.0 - Code Injection
Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path to gain Local System access.
by Pedro Sousa Rodrigues
CVSS 7.8
10-Strike Network Inventory Explorer Pro 9.31 - Remote Code Execution via Text File Import
10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system.
by ro0k
CVSS 9.8
i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw
by LiquidWorm
By Source