Exploitdb Exploits
50,076 exploits tracked across all sources.
Openfire < 4.6.0 - Stored Cross-Site Scripting via NodeJS Plugin Path Parameter
Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page.
by j5s
CVSS 6.4
EGavilan Barcodes generator 1.0 - Stored Cross-Site Scripting via index.php
EGavilan Barcodes generator 1.0 is affected by stored cross-site scripting (XSS) via index.php. An attacker can inject an XSS payload that is stored by the web application and executed each time a user visits the website.
by Nikhil Kumar
CVSS 6.1
OpenCart 3.0.3.6 - Cross-Site Request Forgery in Cart Option
Cross-Site Request Forgery (CSRF) in the cart function of OpenCart Ltd. OpenCart CMS 3.0.3.6 allows an attacker to add items to a victim's cart via a forged "Add to cart" request.
by Mahendra Purbia
CVSS 3.5
WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting
by Ilca Lucian Florin
Library Management System 2.0 - Auth Bypass SQL Injection
by Manish Solanki
VestaCP 0.9.8-26 - Incorrect Authorization via LoginAs Session Token Manipulation
VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.
by Vulnerability-Lab
CVSS 9.8
Flexense DupScout Enterprise 10.0.18 - Buffer Overflow
A buffer overflow in the web server of Flexense DupScout Enterprise 10.0.18 allows a remote anonymous attacker to execute code as SYSTEM by supplying an overlong sid parameter in a GET /settings&sid= request.
by Andrés Roldán
CVSS 9.8
SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.
by 1F98D
CVSS 9.8
Huawei HedEx Lite 200R006C00SPC005 - Path Traversal
by Vulnerability-Lab
Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution
by Saeed Bala Ahmed
Task Management System 1.0 - 'First Name and Last Name' Stored XSS
by Saeed Bala Ahmed
VestaCP 0.9.8-26 - 'backup' Information Disclosure
by Vulnerability-Lab
Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
by Tess Sluyter
Online Bus Ticket Reservation 1.0 - SQL Injection via Login Username and Password Fields
SQL Injection in the login page in Online Bus Ticket Reservation 1.0 allows attackers to execute arbitrary SQL commands and bypass authentication via the username and password fields.
by Sakshi Sharma
CVSS 9.8
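The login bypass described above (and the Library Management System auth-bypass entry earlier in the list) follows one pattern: the username and password fields are concatenated straight into the SQL statement. The following is an added example, not code from Online Bus Ticket Reservation or from Exploit-DB: it rebuilds that pattern against an in-memory SQLite table with a constructed single-user dataset, shows a bypass through each field, and places the parameterised, hash-comparing version beside it. SHA-256 stands in for a real password hash (bcrypt/argon2) only to keep the example dependency-free; the table layout and account are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: one admin account. The plaintext 'password' column mirrors
# the storage pattern of small PHP/MySQL apps of this kind; 'password_hash' is what the
# fixed login compares against.
SAMPLE_USERS = [("admin", "S3cret!")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT, password_hash TEXT)"
    )
    for user, pw in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users (username, password, password_hash) VALUES (?, ?, ?)",
            (user, pw, hashlib.sha256(pw.encode()).hexdigest()),
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Login as written in the vulnerable pattern: both fields spliced into the SQL text.
    Returns the authenticated username or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Fixed login: a bound parameter for the lookup, and the password check done in
    application code with a constant-time comparison rather than inside the WHERE clause."""
    row = conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return row[0] if hmac.compare_digest(candidate, row[1]) else None


# Two classic payloads: comment out the password check via the username field,
# or make the WHERE clause unconditionally true via the password field.
BYPASS_PAYLOADS = [
    ("admin'-- ", "wrong"),        # username field: quote closes the literal, -- comments the rest
    ("nobody", "' OR '1'='1"),     # password field: AND binds tighter than OR, so every row matches
]

if __name__ == "__main__":
    db = make_db()
    for user, pw in BYPASS_PAYLOADS:
        print(repr(user), repr(pw), "vulnerable:", login_vulnerable(db, user, pw),
              "fixed:", login_fixed(db, user, pw))
```

The second payload works because `username = 'nobody' AND password = '' OR '1'='1'` is parsed as `(... AND ...) OR TRUE`; with only one row in the table it lands on the admin account, which is exactly the effect the advisory describes.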
Employee Performance Evaluation System 1.0 - Stored Cross-Site Scripting in Admin Portal Task and Description Fields
Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Admin Portal in the Task and Description fields.
by Ritesh Gohil
CVSS 4.8
Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path
by Ismael Nava
Phpgurukul Cyber Cafe Management System 1.0 - Cross-Site Scripting via Admin Username Parameter
Cross-site scripting (XSS) vulnerability in Phpgurukul Cyber Cafe Management System 1.0 allows remote attackers to inject arbitrary web script or HTML via the admin username parameter.
by Pruthvi Nekkanti
CVSS 6.1
Rumble Mail Server 0.51.3135 - 'RumbleService' Unquoted Service Path
An unquoted service path vulnerability exists in Rumble Mail Server 0.51.3135: a local attacker who can place a specially crafted executable along the unquoted RumbleService service path can have it run with the service's privileges.
by Mohammed Alshehri
CVSS 7.8
Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path
Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to execute arbitrary code. Because the path 'C:\Program Files\Kite\KiteService.exe' is not quoted, an attacker who can write to a directory along it can plant an executable that the service control manager starts instead of the intended binary, escalating privileges on the system.
by Ismael Nava
CVSS 7.8
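The three unquoted-service-path entries in this list (Microsoft GamingServices, Rumble Mail Server, Kite) all rest on the same Windows behaviour: when a service's ImagePath is unquoted and contains spaces, CreateProcess tries each space-delimited prefix with ".exe" appended before it reaches the real binary. The following is an added example, not code from any of those advisories or products: it computes the candidate hijack paths for a given ImagePath and filters them by directories the caller says are writable. The Kite path is the one quoted above; the other ImagePath values and the writable-directory set are constructed for illustration, and the code does not query Windows ACLs itself.

```python
import ntpath
import re

_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Return the executable portion of a service ImagePath with arguments stripped.
    A quoted path is returned without its quotes; for an unquoted one the executable is
    assumed to end at the first '.exe' followed by whitespace or end of string."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:] if end == -1 else p[1:end]
    m = _EXE_END.search(p)
    return p[: m.end()] if m else p.split(" ", 1)[0]


def hijack_candidates(image_path: str) -> list:
    """Paths the service control manager would try before the real binary, in order.
    CreateProcess splits an unquoted command line at each space and appends '.exe',
    so every space inside the executable path yields one candidate."""
    p = image_path.strip()
    exe = executable_part(p)
    if p.startswith('"') or " " not in exe:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def exploitable_candidates(image_path: str, writable_dirs) -> list:
    """Keep only candidates whose parent directory is in writable_dirs.
    writable_dirs is supplied by the caller (for example from icacls output);
    this example does not evaluate Windows ACLs."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [
        c for c in hijack_candidates(image_path)
        if ntpath.dirname(c).rstrip("\\").lower() in writable
    ]


# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services ImagePath values.
# KiteService is the path from the advisory; the other three are assumed.
SAMPLE_SERVICES = {
    "KiteService": r"C:\Program Files\Kite\KiteService.exe",
    "RumbleService": r"C:\Program Files\Rumble Mail Server\RumbleService.exe",
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "SafeSvc": r'"C:\Program Files\Vendor App\svc.exe" --run',
}


def scan(services: dict) -> dict:
    """Map service name -> hijack candidates for every unquoted path with spaces."""
    findings = {}
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in scan(SAMPLE_SERVICES).items():
        print(name)
        for c in cands:
            print("   ", c)
```

A candidate is only useful if its parent directory is writable by a low-privileged user; `C:\` normally is not, which is why a single-space path like Kite's is weaker in practice than one with spaces deeper in the tree, where a vendor directory with loose ACLs is more common.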
TapinRadio 2.13.7 - Denial of Service via Proxy Settings Input Overflow
TapinRadio 2.13.7 contains a denial of service vulnerability in the application proxy settings that allows attackers to crash the program by overflowing input fields. Attackers can paste a large buffer of 20,000 characters into the username and address fields to cause the application to become unresponsive and require reinstallation.
by Ismael Nava
CVSS 7.5
Savsoft Quiz v5.0 - Stored Cross-Site Scripting via Skype ID Field
A Cross Site Scripting (XSS) vulnerability in Savsoft Quiz v5.0 allows remote attackers to inject arbitrary web script or HTML via the Skype ID field.
by Dipak Panchal
CVSS 6.1
Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow
by 0rbz_
Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.
by 1F98D
CVSS 7.8