Exploitdb Exploits
50,186 exploits tracked across all sources.
cPanel 1.0 - SQL Injection
EGavilan Media Under Construction page with cPanel 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution.
by Mayur Parmar
CVSS 9.8
Online Birth Certificate System Project V 1.0 - XSS
Online Birth Certificate System Project V 1.0 is affected by cross-site scripting (XSS). This vulnerability can result in an attacker injecting the XSS payload in the User Registration section. When an admin visits the View Detail of Application section from the admin panel, the attacker is able to steal the cookie according to the crafted payload.
by Sagar Banwa
CVSS 6.1
Paessler Prtg Network Monitor - XSS
XSS exists in PRTG Network Monitor 20.1.56.1574 via crafted map properties. An attacker with Read/Write privileges can create a map, and then use the Map Designer Properties screen to insert JavaScript code. This can be exploited against any user with View Maps or Edit Maps access.
by Amin Rawah
CVSS 5.4
IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path
by Manuel Alvarez
WordPress File Manager Unauthenticated Remote Code Execution
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
by Mansoor R
CVSS 10.0
Wondercms - SSRF
A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.
by zetc0de
CVSS 9.8
Wondercms - OS Command Injection
A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.
by zetc0de
CVSS 9.8
WonderCMS 3.1.3 - XSS
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. This vulnerability can allow an attacker to inject the XSS payload in the Setting - Menu, and each time any user visits the website directory, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
by Hemant Patidar
CVSS 5.4
Pharmacy Store Management System 1.0 - 'id' SQL Injection
by Aydın Baran Ertemir
Car Rental Management System 1.0 - SQL Injection / Local File include
by Mosaaed
Anuko Time Tracker <1.19.23.5311 - Info Disclosure
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to take over the account.
by Mufaddal Masalawala
CVSS 9.8
Anuko Time Tracker <1.19.23.5311 - DoS
Anuko Time Tracker v1.19.23.5311 lacks rate limiting on the password reset module, which allows an attacker to perform a denial of service attack on any legitimate user's mailbox.
by Mufaddal Masalawala
CVSS 7.5
Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting
by Parshwa Bhavsar
NewsLister - Authenticated Persistent Cross-Site Scripting
by Emre Aslan
Local Service Search Engine Management System 1.0 - Auth Bypass
Local Service Search Engine Management System 1.0 has an authentication bypass vulnerability caused by SQL injection. Using this vulnerability, an attacker can bypass the login page.
by Aditya Wakhlu
CVSS 9.8
ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)
by Mufaddal Masalawala
Artworks Gallery IN Php, Css, Javascr... - Unrestricted File Upload
The edit profile functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.
by Shahrukh Iqbal Mirza
CVSS 8.8
Artworks Gallery IN Php, Css, Javascr... - Unrestricted File Upload
The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.
by Shahrukh Iqbal Mirza
CVSS 8.8
Mitel ICP VoIP 3100 - Info Disclosure
An issue was discovered on Mitel ICP VoIP 3100 devices. When a remote user attempts to log in via TELNET during the login wait time and an external call comes in, the system incorrectly divulges information about the call and any SMDR records generated by the system. The information provided includes the service type, extension number and other parameters related to the call activity.
by Andrea Intilangelo
CVSS 5.6
Acer Global Registration Service 1.0.0.3 - Code Injection
Acer Global Registration Service 1.0.0.3 contains an unquoted service path vulnerability in its service configuration that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Acer\Registration\ to inject malicious executables that would run with elevated LocalSystem privileges during service startup.
by Emmanuel Lujan
CVSS 7.8
EPSON Status Monitor 3 <8.0 - RCE
EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in 'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE' to inject malicious executables and escalate privileges.
by SamAlucard
CVSS 7.8
Tendenci 12.3.1 - Code Injection
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
by Mufaddal Masalawala
CVSS 9.8