Exploitdb Exploits

50,076 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-47905 EXPLOITDB MEDIUM text
MyBB Delete Account Plugin 1.4 - XSS
MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons.
by 0xB9
CVSS 6.1
CVE-2018-25132 EXPLOITDB MEDIUM text
MyBB Trending Widget Plugin 1.2 - XSS
MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget.
by 0xB9
CVSS 6.1
CVE-2018-25116 EXPLOITDB MEDIUM text
MyBB Thread Redirect Plugin 0.2.1 - XSS
MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.
by 0xB9
CVSS 6.1
EIP-2026-114643 EXPLOITDB text
Zoo Management System 1.0 - 'anid' SQL Injection
by Zeyad Azima
CVE-2019-89242 EXPLOITDB python
WordPress 5.0.0 - Image Remote Code Execution
by OUSSAMA RAHALI
EIP-2026-113045 EXPLOITDB text
Vehicle Parking Tracker System 1.0 - 'Owner Name' Stored Cross-Site Scripting
by Anmol K Sachan
EIP-2026-112923 EXPLOITDB text
User Management System 1.0 - 'uid' SQL Injection
by Zeyad Azima
EIP-2026-111803 EXPLOITDB python
Roundcube Webmail 1.2 - File Disclosure
by stonepresto
EIP-2026-110481 EXPLOITDB text VERIFIED
Park Ticketing Management System 1.0 - 'viewid' SQL Injection
by Zeyad Azima
CVE-2021-3317 EXPLOITDB HIGH python
klog_server < 2.4.1 - Authenticated OS Command Injection via async.php Source Parameter
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
by Metin Yunus Kandemir
CVSS 8.8
CVE-2021-47942 EXPLOITDB HIGH python
Home Assistant Community Store 1.10.0 Path Traversal Account Takeover
Home Assistant Community Store (HACS) prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
by Lyghtnox
CVSS 7.5
CVE-2021-47906 EXPLOITDB MEDIUM text
BloofoxCMS 0.5.2.1 - Authenticated Stored Cross-Site Scripting in Articles Text Parameter
BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies.
by LiPeiYi
CVSS 6.4
CVE-2021-31650 EXPLOITDB CRITICAL text
Sourcecodester Online Grading System 1.0 - SQL Injection via uname Parameter
A SQL injection vulnerability in Sourcecodester Online Grading System 1.0 allows remote attackers to execute arbitrary SQL commands via the uname parameter.
by Ruchi Tiwari
CVSS 9.8
EIP-2026-112138 EXPLOITDB text
Simple Public Chat Room 1.0 - Authentication Bypass SQLi
by Richard Jones
EIP-2026-112137 EXPLOITDB text
Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting
by Richard Jones
CVE-2020-35754 EXPLOITDB HIGH python
OpenSolution Quick.CMS and Quick.Cart < 6.7 - Authenticated Remote Code Execution via Language Tab Input
OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.
by mari0x00
CVSS 7.2
CVE-2021-3337 EXPLOITDB HIGH text
Hide-Thread-Content Plugin through 2021-01-27 for MyBB - Unauthenticated Information Disclosure via Reply or Quote
The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit.
by 0xB9
CVSS 7.5
EIP-2026-102020 EXPLOITDB python
SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated)
by Darren Martyn
CVE-2020-36115 EXPLOITDB MEDIUM text
phpcrud - Stored Cross-Site Scripting via First Name or Last Name Parameter
Stored Cross Site Scripting (XSS) vulnerability in EGavilan Media CRUD Operation with PHP, MySQL, Bootstrap, and Dompdf via First Name or Last Name parameter in the 'Add New Record Feature'.
by Mahendra Purbia
CVSS 5.4
EIP-2026-114092 EXPLOITDB text
WordPress Plugin SuperForms 4.9 - Arbitrary File Upload
by ABDO10
EIP-2026-110295 EXPLOITDB ruby
OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
by Alexandre ZANNI
CVE-2018-16763 EXPLOITDB CRITICAL ruby
FUEL CMS < 1.4.2 - Unauthenticated Remote Code Execution via Pages Filter or Preview Data Parameter
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
by Alexandre ZANNI
CVSS 9.8
CVE-2020-25557 EXPLOITDB HIGH ruby
CMSuno 1.6.2 - Authenticated Remote Code Execution via Username Parameter
In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server.
by Alexandre ZANNI
CVSS 8.8
CVE-2020-7384 EXPLOITDB HIGH python
Metasploit < 4.19.0 - Command Injection via Malicious APK File
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
by Justin Steven
CVSS 7.0
EIP-2026-103527 EXPLOITDB html
jQuery UI 1.12.1 - Denial of Service (DoS)
by Rafael Cintra Lopes