Exploitdb Exploits
50,076 exploits tracked across all sources.
Acer Updater Service 1.2.3500.0 - Privilege Escalation
Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater\ to inject malicious executables that will run with LocalSystem permissions during service startup.
by Emmanuel Lujan
CVSS 7.8
ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path
by Alejandra Sánchez
COVID19 Testing Management System 1.0 - SQL Injection
COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel.
by Rohit Burke
CVSS 9.8
COVID19 Testing Management System 1.0 - XSS
COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the "Admin name" parameter.
by Rohit Burke
CVSS 4.8
WebSSH for iOS 14.16.10 - Denial of Service via MashREPL Input Buffer Overflow
WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash.
by Luis Martínez
CVSS 7.5
Visual Studio Code 1.47.1 - Denial of Service (PoC)
by H.H.A.Ravindu Priyankara
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting via Blocked Request Output
The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue.
by Hosein Vita
CVSS 6.1
ManageEngine ADSelfService Plus 6.1 - CSV Injection
by Metin Yunus Kandemir
In4Suite ERP <3.2.74.1370 - SQL Injection
SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.
by Gulab Mondal
CVSS 9.1
EgavilanMedia PHPCRUD 1.0 SQL Injection via firstname
EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive database information.
by Dimitrios Mitakos
CVSS 8.2
Microsoft Exchange ProxyLogon RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
by Gonzalo Villegas
CVSS 9.1
Advanced Guestbook 2.4.4 Persistent XSS via Smilies
Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab.
by Abdulkadir AYDOGAN
CVSS 6.4
Printable Staff ID Card Creator System 1.0 - Authenticated Remote Code Execution via Arbitrary File Upload
In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
by bwnz
CVSS 9.8
Microsoft Internet Explorer 6-11 - Remote Code Execution via SetMouseCapture Use-After-Free
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
by SlidingWindow
CVSS 8.8
Subrion CMS < 4.2.2 - Remote Code Execution via .pht or .phar File Upload
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
by Fellipe Oliveira
CVSS 7.2
Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting
by Vani K G
Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
by Reza Afsahi
Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
by Reza Afsahi
Customer Relationship Management (CRM) System 1.0 - 'Category' Persistent Cross site Scripting
by Vani K G
Billing Management System 2.0 - Union based SQL injection (Authenticated)
by Mohammad Koochaki
IPFire 2.25-core155 - Privilege Escalation
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
by Mücahit Saratar
CVSS 8.8
Podcast Generator 3.1 Persistent Cross-Site Scripting via long_description
Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description parameter. Attackers can inject script tags through episode creation or editing requests to execute arbitrary JavaScript when other users view the episode details.
by Ayşenur KARAASLAN
CVSS 6.4
Student Management System v1.0 - XSS
A stored cross-site scripting (XSS) vulnerability in /nav_bar_action.php of Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat box.
by mohsen khashei
CVSS 5.4
Chamilo <= 1.11.14 - Authenticated Remote Code Execution via File Upload Parameter
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
by M. Cory Billington
CVSS 7.2
Internet Explorer - Remote Code Execution via Scripting Engine Memory Corruption
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.
by Forrest Orr
CVSS 7.5
By Source