Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2021-47825 EXPLOITDB HIGH text
Acer Updater Service 1.2.3500.0 - Privilege Escalation
Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater\ to inject malicious executables that will run with LocalSystem permissions during service startup.
by Emmanuel Lujan
CVSS 7.8
EIP-2026-116822 EXPLOITDB text
ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path
by Alejandra Sánchez
CVE-2021-33470 EXPLOITDB CRITICAL text
COVID19 Testing Management System 1.0 - SQL Injection
COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel.
by Rohit Burke
CVSS 9.8
CVE-2021-33469 EXPLOITDB MEDIUM text
COVID19 Testing Management System 1.0 - XSS
COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the "Admin name" parameter.
by Rohit Burke
CVSS 4.8
CVE-2021-47827 EXPLOITDB HIGH python
WebSSH for iOS 14.16.10 - Denial of Service via MashREPL Input Buffer Overflow
WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash.
by Luis Martínez
CVSS 7.5
EIP-2026-118069 EXPLOITDB powershell
Visual Studio Code 1.47.1 - Denial of Service (PoC)
by H.H.A.Ravindu Priyankara
CVE-2021-24245 EXPLOITDB MEDIUM text
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting via Blocked Request Output
The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as on matching a spam word), outputting it in an attribute after sanitising it only to remove HTML tags, which is not sufficient and leads to a reflected Cross-Site Scripting issue.
by Hosein Vita
CVSS 6.1
EIP-2026-104321 EXPLOITDB python
ManageEngine ADSelfService Plus 6.1 - CSV Injection
by Metin Yunus Kandemir
CVE-2021-27828 EXPLOITDB CRITICAL text
In4Suite ERP <3.2.74.1370 - SQL Injection
SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.
by Gulab Mondal
CVSS 9.1
CVE-2021-47956 EXPLOITDB HIGH text
EgavilanMedia PHPCRUD 1.0 SQL Injection via firstname
EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive database information.
by Dimitrios Mitakos
CVSS 8.2
CVE-2021-26855 EXPLOITDB CRITICAL python
Microsoft Exchange ProxyLogon RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
by Gonzalo Villegas
CVSS 9.1
CVE-2021-47950 EXPLOITDB MEDIUM text
Advanced Guestbook 2.4.4 Persistent XSS via Smilies
Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab.
by Abdulkadir AYDOGAN
CVSS 6.4
CVE-2021-45411 EXPLOITDB CRITICAL text
Printable Staff ID Card Creator System 1.0 - Authenticated Remote Code Execution via Arbitrary File Upload
In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
by bwnz
CVSS 9.8
CVE-2013-3893 EXPLOITDB HIGH javascript
Microsoft Internet Explorer 6-11 - Remote Code Execution via SetMouseCapture Use-After-Free
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
by SlidingWindow
CVSS 8.8
CVE-2018-19422 EXPLOITDB HIGH python
Subrion CMS < 4.2.2 - Remote Code Execution via .pht or .phar File Upload
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
by Fellipe Oliveira
CVSS 7.2
EIP-2026-112069 EXPLOITDB text
Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting
by Vani K G
EIP-2026-106420 EXPLOITDB text
Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
by Reza Afsahi
EIP-2026-106418 EXPLOITDB text
Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
by Reza Afsahi
EIP-2026-106287 EXPLOITDB text
Customer Relationship Management (CRM) System 1.0 - 'Category' Persistent Cross site Scripting
by Vani K G
EIP-2026-105480 EXPLOITDB text
Billing Management System 2.0 - Union based SQL injection (Authenticated)
by Mohammad Koochaki
CVE-2021-33393 EXPLOITDB HIGH python
IPFire 2.25-core155 - Privilege Escalation
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
by Mücahit Saratar
CVSS 8.8
CVE-2021-47968 EXPLOITDB MEDIUM text
Podcast Generator 3.1 Persistent Cross-Site Scripting via long_description
Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description parameter. Attackers can inject script tags through episode creation or editing requests to execute arbitrary JavaScript when other users view the episode details.
by Ayşenur KARAASLAN
CVSS 6.4
CVE-2021-33371 EXPLOITDB MEDIUM text
Student Management System v1.0 - XSS
A stored cross-site scripting (XSS) vulnerability in /nav_bar_action.php of Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat box.
by mohsen khashei
CVSS 5.4
CVE-2021-31933 EXPLOITDB HIGH python VERIFIED
Chamilo <= 1.11.14 - Authenticated Remote Code Execution via File Upload Parameter
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
by M. Cory Billington
CVSS 7.2
CVE-2020-0674 EXPLOITDB HIGH javascript
Internet Explorer - Remote Code Execution via Scripting Engine Memory Corruption
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.
by Forrest Orr
CVSS 7.5