Exploitdb Exploits
50,135 exploits tracked across all sources.
Cmsimple - Code Injection
CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token.
by pussycat0x
CVSS 8.8
Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
by Murat
Mooveagency Select All Categories And... - XSS
The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Mooveagency Redirect 404 TO Parent < 1.3.1 - XSS
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
by Ghuliev
Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
by Mr.Gedik
OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
by Eric Salario
Mitrastar Gpt-2541gnac-n1 Firmware - OS Command Injection
MitraStar GPT-2541GNAC-N1 (HGU) 100VNZ0b33 devices allow remote authenticated users to obtain root access by executing command "deviceinfo show file &&/bin/bash" because of incorrect sanitization of parameter "path".
by Leonardo Nicolas Servalli
CVSS 8.8
Supsystic Ultimate Maps < 1.2.5 - XSS
The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Cozmoslabs Translatepress < 2.0.9 - XSS
The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings. The 'trp_sanitize_string' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues.
by Nosa Shandy
CVSS 4.8
Supsystic Popup < 1.10.5 - XSS
The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Supsystic Contact Form < 1.7.15 - XSS
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
by 0xB9
CVSS 6.1
Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
by shinris3n
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
by LiquidWorm
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
by LiquidWorm
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
by LiquidWorm
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
by LiquidWorm
Ethersoftware Ether Mp3 CD Burner - Out-of-Bounds Write
Ether MP3 CD Burner 1.3.8 contains a buffer overflow vulnerability in the registration name field that allows remote code execution. Attackers can craft a malicious payload to overwrite SEH handlers and execute a bind shell on port 3110 by exploiting improper input validation.
by stresser
CVSS 9.8
Cyberfox Web Browser 52.9.1 - DoS
Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash.
by Aryan Chehreghani
CVSS 7.5
XAMPP <7.2.29, <7.3.16, <7.4.4 - Command Injection
An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution.
by Salman Asad
CVSS 8.8
WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)
by Renos Nikolaou
Library System 1.0 - 'student_id' SQL injection (Authenticated)
by Vinay Bhuria
Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers
by Michael Alamoot
SmarterTrack 7922 - Info Disclosure
SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers.
by Andrei Manole
CVSS 7.5
By Source