Exploitdb Exploits
50,076 exploits tracked across all sources.
MyBB Delete Account Plugin 1.4 - XSS
MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons.
by 0xB9
CVSS 6.1
MyBB Trending Widget Plugin 1.2 - XSS
MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget.
by 0xB9
CVSS 6.1
MyBB Thread Redirect Plugin 0.2.1 - XSS
MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.
by 0xB9
CVSS 6.1
Vehicle Parking Tracker System 1.0 - 'Owner Name' Stored Cross-Site Scripting
by Anmol K Sachan
Park Ticketing Management System 1.0 - 'viewid' SQL Injection
by Zeyad Azima
klog_server < 2.4.1 - Authenticated OS Command Injection via async.php Source Parameter
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
by Metin Yunus Kandemir
CVSS 8.8
Home Assistant Community Store 1.10.0 Path Traversal Account Takeover
Home Assistant Community Store (HACS) prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
by Lyghtnox
CVSS 7.5
BloofoxCMS 0.5.2.1 - Authenticated Stored Cross-Site Scripting in Articles Text Parameter
BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious JavaScript payloads in the text field to execute scripts and potentially steal authenticated users' cookies.
by LiPeiYi
CVSS 6.4
Sourcecodester Online Grading System 1.0 - SQL Injection via uname Parameter
A SQL injection vulnerability in Sourcecodester Online Grading System 1.0 allows remote attackers to execute arbitrary SQL commands via the uname parameter.
by Ruchi Tiwari
CVSS 9.8
Simple Public Chat Room 1.0 - Authentication Bypass SQLi
by Richard Jones
Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting
by Richard Jones
OpenSolution Quick.CMS and Quick.Cart < 6.7 - Authenticated Remote Code Execution via Language Tab Input
OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.
by mari0x00
CVSS 7.2
Hide-Thread-Content Plugin through 2021-01-27 for MyBB - Unauthenticated Information Disclosure via Reply or Quote
The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit.
by 0xB9
CVSS 7.5
SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated)
by Darren Martyn
phpcrud - Stored Cross-Site Scripting via First Name or Last Name Parameter
Stored cross-site scripting (XSS) vulnerability in EGavilan Media CRUD Operation with PHP, MySQL, Bootstrap, and Dompdf via the First Name or Last Name parameter in the 'Add New Record Feature'.
by Mahendra Purbia
CVSS 5.4
OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
by Alexandre ZANNI
FUEL CMS < 1.4.2 - Unauthenticated Remote Code Execution via Pages Filter or Preview Data Parameter
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
by Alexandre ZANNI
CVSS 9.8
CMSuno 1.6.2 - Authenticated Remote Code Execution via Username Parameter
In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username and password. When the attacker then logs in to the application, the injected code is run. As a result of this vulnerability, an authenticated user can run commands on the server.
by Alexandre ZANNI
CVSS 8.8
Metasploit < 4.19.0 - Command Injection via Malicious APK File
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
by Justin Steven
CVSS 7.0