Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2021-28001 EXPLOITDB MEDIUM text
Textpattern CMS 4.8.4 - Stored Cross-Site Scripting via Comments Parameter
A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting https://site.com/articles/welcome-to-your-site#comments-head.
by Tushar Vaidya
CVSS 5.4
CVE-2021-28295 EXPLOITDB HIGH text
Online Ordering System 1.0 - SQL Injection
Online Ordering System 1.0 is vulnerable to unauthenticated SQL injection through /onlineordering/GPST/admin/design.php, which may lead to database information disclosure.
by Suraj Bhosale
CVSS 7.5
CVE-2021-28294 EXPLOITDB CRITICAL text
Online Ordering System 1.0 - Unrestricted File Upload via initiateorder.php
Online Ordering System 1.0 is vulnerable to arbitrary file upload through /onlineordering/GPST/store/initiateorder.php, which may lead to remote code execution (RCE).
by Suraj Bhosale
CVSS 9.8
EIP-2026-113206 EXPLOITDB text
Web Based Quiz System 1.0 - 'eid' Union Based SQL Injection (Authenticated)
by Deepak Kumar Bharti
CVE-2021-27885 EXPLOITDB HIGH text
e107 < 2.3.0 - Cross-Site Request Forgery via usersettings.php
usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.
by Tadjmen
CVSS 8.8
EIP-2026-109198 EXPLOITDB text
Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)
by Tushar Vaidya
EIP-2026-109197 EXPLOITDB text
Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)
by Tushar Vaidya
CVE-2020-13160 EXPLOITDB CRITICAL python VERIFIED
AnyDesk < 5.5.3 - Remote Code Execution via Format String Vulnerability
AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execution.
by scryh
CVSS 9.8
CVE-2021-28007 EXPLOITDB MEDIUM text
Web Based Quiz System 1.0 - Cross-Site Scripting via Name Parameter
Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in register.php through the name parameter.
by P.Naveen Kumar
CVSS 6.1
CVE-2021-28006 EXPLOITDB MEDIUM text
Web Based Quiz System 1.0 - Cross-Site Scripting via options Parameter
Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in admin.php through the options parameter.
by Praharsh Kumar Singh
CVSS 6.1
CVE-2021-3291 EXPLOITDB HIGH ruby VERIFIED
Zen Cart 1.5.7b - Command Injection
Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
by Mücahit Saratar
CVSS 7.2
CVE-2020-25787 EXPLOITDB CRITICAL python
Tiny Tiny RSS < 2020-09-16 - Server-Side Request Forgery via URL Validation Bypass
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. It does not validate all URLs before requesting them.
by Daniel Neagaru
CVSS 9.8
CVE-2022-3218 EXPLOITDB CRITICAL python VERIFIED
Necta WiFi Mouse Server - Remote Code Execution via Client-Side Authentication Bypass
Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC's authentication mechanism is trivially bypassed, which can result in remote code execution.
by H4rk3nz0
CVSS 9.8
EIP-2026-110066 EXPLOITDB python
Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)
by Christian Vierschilling
EIP-2026-106196 EXPLOITDB python
Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)
by Christian Vierschilling
CVE-2021-21972 EXPLOITDB CRITICAL python
VMware vCenter Server and Cloud Foundation - Remote Code Execution via vSphere Client Plugin
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
by Photubias
CVSS 9.8
CVE-2021-3378 EXPLOITDB CRITICAL ruby VERIFIED
FortiLogger < 5.2.0 - Arbitrary File Upload via Hotspot Logo Upload
FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp.
by Berkan Er
CVSS 9.8
CVE-2021-4462 EXPLOITDB CRITICAL text
Employee Records System 1.0 - Unauthenticated Unrestricted File Upload via uploadID.php
Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side validation. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
by sml
CVSS 9.8
CVE-2021-27330 EXPLOITDB MEDIUM text
Triconsole Datepicker Calendar < 3.77 - XSS
Triconsole Datepicker Calendar < 3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.
by Akash Chathoth
CVSS 6.1
EIP-2026-119088 EXPLOITDB python
Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)
by Matthew Dunn
CVE-2021-3355 EXPLOITDB MEDIUM text
LightCMS 1.3.4 - Stored Cross-Site Scripting in Title Field to /admin/SensitiveWords
A stored-self XSS exists in LightCMS v1.3.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.
by Peithon
CVSS 5.4
CVE-2021-27822 EXPLOITDB MEDIUM text
Vehicle Parking Management System 1.0 - XSS
A persistent cross-site scripting (XSS) vulnerability in the Add Categories module of Vehicle Parking Management System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Category field.
by Tushar Vaidya
CVSS 4.8
EIP-2026-118284 EXPLOITDB python
ASUS Remote Link 1.1.2.13 - Remote Code Execution
by H4rk3nz0
CVE-2021-47954 EXPLOITDB HIGH text
LayerBB 1.1.4 - SQL Injection via search_query Parameter
LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Attackers can send POST requests to /search.php with malicious search_query values using CASE WHEN statements to extract sensitive database information.
by Görkem Haşin
CVSS 8.2
CVE-2021-47952 EXPLOITDB CRITICAL python
python jsonpickle 2.0.0 - Remote Code Execution via py/repr
python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute arbitrary code.
by Adi Malyanker
CVSS 9.8