Exploitdb Exploits
50,135 exploits tracked across all sources.
Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read
by z4nd3r
NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)
by LinxzSec
Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
by Ghuliev
Macro Expert 4.7 - Privilege Escalation
Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup.
by Mert Daş
CVSS 7.8
Dolibarr ERP-CRM 14.0.2 - XSS
Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.
by Oscar Gil Gutierrez
CVSS 5.4
Sonicwall Sma 200 Firmware < 9.0.0.10-28sv - Improper Access Control
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file, potentially resulting in a reboot to factory default settings.
by Jacob Baines
CVSS 9.1
Online Motorcycle (bike) Rental System - SQL Injection
Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a blind time-based SQL injection attack within the login portal. This can allow attackers to remotely dump MySQL database credentials.
by Chase Comardelle
CVSS 9.8
Enfold WordPress <4.8.4 - XSS
The Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present in Enfold versions prior to 4.8.4 which use Avia Page Builder.
by David Álvarez Robles
CVSS 6.1
Myfactory Fms < 7.1-912 - XSS
myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
by RedTeam Pentesting GmbH
CVSS 6.1
Awesomemotive Duplicator < 1.3.28 - Path Traversal
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
by nam3lum
CVSS 7.5
Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)
by John Jefferson Li
Company's Recruitment Management System 1.0 - 'title' Stored Cross-Site Scripting (XSS)
by Aniket Deshmane
Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)
by Aniket Deshmane
Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)
by Aniket Deshmane
Plastic SCM <10.0.16.5622 - Info Disclosure
Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface.
by Basavaraj Banakar
CVSS 7.5
Mitsubishi Electric Europe B.V. SmartRTU - Info Disclosure
Mitsubishi Electric Europe B.V. SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
by Hamit CİBO
CVSS 7.5
Mitsubishielectric Smartrtu Firmware - XSS
Mitsubishi Electric Europe B.V. SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
by Hamit CİBO
CVSS 6.1
Hkurl I-panel Administration System - XSS
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console, and makes it possible to insert a malicious button.
by Forster Chiu
CVSS 6.1
TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
by Mert Daş
Simple Payroll System With Dynamic Tax Bracket - SQL Injection
The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23) is vulnerable to a remote SQL injection authentication bypass for the admin account. The username parameter in the login form is not correctly protected: there is no validation or escaping of malicious payloads.
by Yash Mahajan
CVSS 9.8
Cypress Solutions CTM-200 2.7.1 - Command Injection
Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the 'fw_url' parameter in the ctm-config-upgrade.sh script to inject and execute arbitrary commands with root privileges.
by LiquidWorm
CVSS 8.8
Cypress Solutions CTM-200/CTM-ONE <1.3.6 - Code Injection
Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains a hard-coded credentials vulnerability in its Linux distribution that exposes root access. Attackers can exploit the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices.
by LiquidWorm
CVSS 7.5
Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
by Hüseyin Serkan Balkanli