Exploitdb Exploits
50,135 exploits tracked across all sources.
Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)
by Vulnerability-Lab
Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)
by Vulnerability-Lab
Simplephpscripts Simple CMS 2.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
by Vulnerability-Lab
Simplephpscripts Simple CMS 2.1 - 'Multiple' SQL Injection
by Vulnerability-Lab
PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)
by Vulnerability-Lab
PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)
by Vulnerability-Lab
PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)
by Vulnerability-Lab
FUEL CMS 1.4.1 - RCE
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
by Padsala Trushal
CVSS 9.8
ForgeRock OpenAM < 13.5.1 - Injection
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.
by Charlton Trezevant
CVSS 7.5
Eclipse Jetty < 9.4.43 - Information Disclosure
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
by Mayank Deshmukh
CVSS 5.3
SonicWall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)
by Vulnerability-Lab
PHPGURUKUL Employee Record Management System 1.2 - SQL Injection
SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.
by Anubhav Singh
CVSS 9.8
Ericsson Network Location <2021-07-31 - Command Injection
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.
by AkkuS
CVSS 8.8
YouTube Downloader 1.9.9.1 - Buffer Overflow
YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind shell connection on a specified local port.
by stresser
CVSS 8.4
Kingdia CD Extractor 3.0.2 - RCE
Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 256 bytes to overwrite the Structured Exception Handler and gain remote code execution through a bind shell.
by stresser
CVSS 9.8
Dynojet Power Core 2.3.0 - Code Injection
Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path to gain Local System access.
by Pedro Sousa Rodrigues
CVSS 7.8
10-Strike Network Inventory Explorer - Out-of-Bounds Write
10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with a carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system.
by ro0k
CVSS 9.8
i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw
by LiquidWorm
Ericsson Network Location <2021-07-31 - Command Injection
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.
by AkkuS
CVSS 8.8
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43339. Reason: This candidate is a duplicate of CVE-2021-43339. Notes: All CVE users should reference CVE-2021-43339 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
by AkkuS
Codiad 2.8.4 - Remote Code Execution (Authenticated) (4)
by P4p4_M4n3
Umbraco CMS - SSRF
Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.
by NgoAnhDuc
CVSS 5.3
Automated Logic WebCTRL < 6.5 - XSS
The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization.
by 3ndG4me
CVSS 6.1