Exploitdb Exploits
50,135 exploits tracked across all sources.
Vehicle Parking Tracker System 1.0 - 'Owner Name' Stored Cross-Site Scripting
by Anmol K Sachan
Park Ticketing Management System 1.0 - 'viewid' SQL Injection
by Zeyad Azima
Klogserver Klog Server < 2.4.1 - OS Command Injection
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
by Metin Yunus Kandemir
CVSS 8.8
BloofoxCMS 0.5.2.1 - XSS
BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious JavaScript payloads in the text field to execute scripts and potentially steal authenticated users' cookies.
by LiPeiYi
CVSS 6.4
Online Grading System - SQL Injection
A SQL injection vulnerability in Sourcecodester Online Grading System 1.0 allows remote attackers to execute arbitrary SQL commands via the uname parameter.
by Ruchi Tiwari
CVSS 9.8
Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal
by Lyghtnox
Simple Public Chat Room 1.0 - Authentication Bypass SQLi
by Richard Jones
Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting
by Richard Jones
Opensolution Quick.cart < 6.7 - Code Injection
OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.
by mari0x00
CVSS 7.2
Hide Thread Content - Incorrect Authorization
The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit.
by 0xB9
CVSS 7.5
SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated)
by Darren Martyn
Egavilanmedia Phpcrud - XSS
Stored Cross Site Scripting (XSS) vulnerability in EGavilan Media CRUD Operation with PHP, MySQL, Bootstrap, and Dompdf via First Name or Last Name parameter in the 'Add New Record Feature'.
by Mahendra Purbia
CVSS 5.4
OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
by Alexandre ZANNI
FUEL CMS 1.4.1 - RCE
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
by Alexandre ZANNI
CVSS 9.8
Cmsuno - Code Injection
In CMSuno 1.6.2, an attacker can inject malicious PHP code as the "username" while changing their username and password. When the attacker then logs in to the application, the injected code is executed. As a result of this vulnerability, an authenticated user can run commands on the server.
by Alexandre ZANNI
CVSS 8.8
Rapid7 Metasploit < 4.19.0 - Command Injection
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
by Justin Steven
CVSS 7.0
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)
by Alexandre ZANNI
Stvs Provision - Path Traversal
STVS ProVision 5.9.10 contains a path traversal vulnerability that allows authenticated attackers to access arbitrary files by manipulating the files parameter in the archive download functionality. Attackers can send GET requests to /archive/download with directory traversal sequences to read sensitive system files like /etc/passwd.
by LiquidWorm
CVSS 6.5
STVS ProVision 5.9.10 - CSRF
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. The forged request is triggered when a victim visits a malicious web site, allowing attackers to create new admin users.
by LiquidWorm
CVSS 8.8
Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)
by SunCSR