Exploitdb Exploits
50,076 exploits tracked across all sources.
Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation
by Cristian \'void\' Giustini
Progress WhatsUp Gold < 21.1.0 - Unauthenticated Stored Cross-Site Scripting
In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input. which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.
by Andreas Finstad
CVSS 6.1
Cyber Cafe Management System Project v1.0 - SQL Injection
Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allows attackers to bypass authentication.
by Sanjay Singh
CVSS 9.8
CMSimple 5.4 - Authenticated Remote Code Execution via Template Editing
CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token.
by pussycat0x
CVSS 8.8
Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
by Murat
Select All Categories and Taxonomies < 1.3.2 - Reflected XSS via Tab Parameter
The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting via Tab Parameter
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
by Ghuliev
Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
by Mr.Gedik
OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
by Eric Salario
MitraStar GPT-2541GNAC-N1 Firmware - Authenticated OS Command Injection via DeviceInfo Path Parameter
MitraStar GPT-2541GNAC-N1 (HGU) 100VNZ0b33 devices allow remote authenticated users to obtain root access by executing command "deviceinfo show file &&/bin/bash" because of incorrect sanitization of parameter "path".
by Leonardo Nicolas Servalli
CVSS 8.8
Ultimate Maps by Supsystic < 1.2.5 - Reflected Cross-Site Scripting via Tab Parameter
The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
TranslatePress < 2.0.9 - Authenticated Stored Cross-Site Scripting via Insufficient String Sanitization
The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings. The 'trp_sanitize_string' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues.
by Nosa Shandy
CVSS 4.8
Popup by Supsystic < 1.10.5 - Reflected Cross-Site Scripting via Tab Parameter
The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site Scripting via Tab Parameter
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
by shinris3n
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
by LiquidWorm
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
by LiquidWorm
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
by LiquidWorm
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
by LiquidWorm
Ether MP3 CD Burner 1.3.8 - Remote Code Execution via Registration Name Field Buffer Overflow
Ether MP3 CD Burner 1.3.8 contains a buffer overflow vulnerability in the registration name field that allows remote code execution. Attackers can craft a malicious payload to overwrite SEH handlers and execute a bind shell on port 3110 by exploiting improper input validation.
by stresser
CVSS 9.8
Cyberfox Web Browser 52.9.1 - Denial of Service via Search Bar Overflow
Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash.
by Aryan Chehreghani
CVSS 7.5
XAMPP <7.2.29, <7.3.16, <7.4.4 - Command Injection
An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution.
by Salman Asad
CVSS 8.8
By Source