Exploitdb Exploits

50,135 exploits tracked across all sources.

CVE-2021-47840 EXPLOITDB HIGH javascript
Moeditor 0.2.0 - XSS
Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system.
by TaurusOmar
CVSS 7.2
CVE-2021-47839 EXPLOITDB HIGH javascript
Marky 0.0.1 - XSS
Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution.
by TaurusOmar
CVSS 7.2
CVE-2021-47838 EXPLOITDB HIGH javascript
Markright 1.0 - XSS
Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system.
by TaurusOmar
CVSS 7.2
CVE-2021-47837 EXPLOITDB HIGH javascript
Markdownify 1.2.0 - XSS
Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution.
by TaurusOmar
CVSS 7.2
CVE-2021-47836 EXPLOITDB MEDIUM javascript
Markdown Explorer 0.1.1 - XSS
Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access.
by Taurus Omar
CVSS 6.1
CVE-2021-47835 EXPLOITDB HIGH javascript
Freeter 1.2.1 - XSS
Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution.
by TaurusOmar
CVSS 7.2
EIP-2026-111911 EXPLOITDB text
Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting
by strider
EIP-2026-104158 EXPLOITDB javascript
Anote 1.0 - Persistent Cross-Site Scripting
by TaurusOmar
EIP-2026-107883 EXPLOITDB python
Internship Portal Management System 1.0 - Remote Code Execution (Unauthenticated)
by argenestel
CVE-2021-47860 EXPLOITDB MEDIUM python
GetSimple CMS Custom JS 0.1 - CSRF
GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.
by boku
CVSS 5.3
EIP-2026-114702 EXPLOITDB bash
GitLab Community Edition (CE) 13.10.3 - User Enumeration
by 4D0niiS
EIP-2026-114701 EXPLOITDB text
GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration
by 4D0niiS
EIP-2026-113149 EXPLOITDB text
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)
by Syed Sheeraz Ali
CVE-2021-27973 EXPLOITDB HIGH python
Piwigo <11.4.0 - SQL Injection
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
by nu11secur1ty
CVSS 7.2
CVE-2019-3810 EXPLOITDB MEDIUM text
Moodle < 3.1.15 - XSS
A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.
by Fariskhi Vidyan
CVSS 6.1
CVE-2016-4971 EXPLOITDB HIGH python
GNU wget <1.18 - Code Injection
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
by liewehacksie
CVSS 8.8
CVE-2021-47746 EXPLOITDB HIGH python
NodeBB Plugin Emoji 3.2.1 - Path Traversal
NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter.
by 1F98D
CVSS 7.5
EIP-2026-107172 EXPLOITDB text
FOGProject 1.5.9 - File Upload RCE (Authenticated)
by sml
CVE-2020-14295 EXPLOITDB HIGH python
Cacti - SQL Injection
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
by Leonardo Paiva
CVSS 7.2
CVE-2021-29460 EXPLOITDB HIGH text
Kirby < 3.5.4 - XSS
Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can, for example, trigger requests to Kirby's API with the permissions of the victim. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. Visitors without Panel access can only use this attack vector if your site allows SVG file uploads in frontend forms and you don't already sanitize uploaded SVG files. The problem has been patched in Kirby 3.5.4. Please update to this or a later version to fix the vulnerability. Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use `File::create()`, you are protected by updating to 3.5.4+. As a workaround you can disable the upload of SVG files in your file blueprints.
by Sreenath Raghunathan
CVSS 7.6
EIP-2026-109574 EXPLOITDB text
Montiorr 1.7.6m - Persistent Cross-Site Scripting
by Ahmad Shakla
EIP-2026-109005 EXPLOITDB text
Kimai 1.14 - CSV Injection
by Mohammed Aloraimi
EIP-2026-104687 EXPLOITDB python
WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
by Dolev Farhi
CVE-2021-47770 EXPLOITDB HIGH python
OpenPLC v3 - Authenticated RCE
OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution.
by Fellipe Oliveira
CVSS 8.8
CVE-2021-47748 EXPLOITDB CRITICAL python
Hasura Graphql Engine - OS Command Injection
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.
by Dolev Farhi
CVSS 9.8