Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2021-36260 EXPLOITDB CRITICAL python
Hikvision IP Camera Unauthenticated Command Injection
A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
by bashis
CVSS 9.8
EIP-2026-110077 EXPLOITDB text
Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
by Sam Ferguson
EIP-2026-105921 EXPLOITDB python
Clinic Management System 1.0 - SQL injection to Remote Code Execution
by Pablo Santiago
CVE-2021-28164 EXPLOITDB MEDIUM text
Eclipse Jetty - Information Disclosure
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
by Mayank Deshmukh
CVSS 5.3
EIP-2026-119364 EXPLOITDB text VERIFIED
Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read
by z4nd3r
EIP-2026-115939 EXPLOITDB python
NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)
by LinxzSec
EIP-2026-115938 EXPLOITDB python
NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)
by LinxzSec
EIP-2026-112223 EXPLOITDB text
Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
by Ghuliev
CVE-2021-47780 EXPLOITDB HIGH text
Macro Expert 4.7 - Privilege Escalation
Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup.
by Mert Daş
CVSS 7.8
CVE-2021-47779 EXPLOITDB MEDIUM text
Dolibarr ERP/CRM 14.0.2 - Stored Cross-Site Scripting in Ticket Creation Module
Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.
by Oscar Gil Gutierrez
CVSS 5.4
CVE-2021-20034 EXPLOITDB CRITICAL text
SonicWall SMA 200/210/400/410/500v < 9.0.0.10-28sv - Unauthenticated Arbitrary File Deletion via Path Traversal Bypass
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
by Jacob Baines
CVSS 9.1
CVE-2021-44249 EXPLOITDB CRITICAL python
Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection via Login Portal
Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a Blind Time-Based SQL Injection attack within the login portal. This can lead attackers to remotely dump MySQL database credentials.
by Chase Comardelle
CVSS 9.8
CVE-2021-24719 EXPLOITDB MEDIUM text
Enfold < 4.8.4 - Reflected Cross-Site Scripting via Avia Page Builder
The Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present in Enfold versions prior to 4.8.4 which use Avia Page Builder.
by David Álvarez Robles
CVSS 6.1
CVE-2021-42566 EXPLOITDB MEDIUM text
myfactory FMS < 7.1-912 - Cross-Site Scripting via Error Parameter
myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
by RedTeam Pentesting GmbH
CVSS 6.1
CVE-2020-11738 EXPLOITDB HIGH python
Duplicator < 1.3.28 and < 3.8.7.1 - Directory Traversal via File Parameter
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
by nam3lum
CVSS 7.5
EIP-2026-112495 EXPLOITDB text
Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)
by John Jefferson Li
EIP-2026-106099 EXPLOITDB text
Company's Recruitment Management System 1.0 - 'title' Stored Cross-Site Scripting (XSS)
by Aniket Deshmane
EIP-2026-106097 EXPLOITDB text
Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)
by Aniket Deshmane
EIP-2026-106096 EXPLOITDB text
Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)
by Aniket Deshmane
CVE-2021-41382 EXPLOITDB HIGH text
Plastic SCM < 10.0.16.5622 - Info Disclosure
Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface.
by Basavaraj Banakar
CVSS 7.5
CVE-2018-16060 EXPLOITDB HIGH text
Mitsubishi Electric Europe B.V. SmartRTU - Info Disclosure
Mitsubishi Electric Europe B.V. SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
by Hamit CİBO
CVSS 7.5
CVE-2018-16061 EXPLOITDB MEDIUM text
Mitsubishi Electric SmartRTU Firmware - Cross-Site Scripting via Login Username Parameter or PATH_INFO
Mitsubishi Electric Europe B.V. SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
by Hamit CİBO
CVSS 6.1
CVE-2021-41878 EXPLOITDB MEDIUM text
i-Panel Administration System 2.0 - Reflected Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console and to inject a malicious button into the page.
by Forster Chiu
CVSS 6.1
CVE-2021-47943 EXPLOITDB HIGH text
TextPattern CMS 4.8.7 - Remote Code Execution via File Upload
TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function.
by Mert Daş
CVSS 8.8
EIP-2026-117925 EXPLOITDB text
SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path
by Mert Daş