Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2020-36883 EXPLOITDB HIGH text
SpinetiX Fusion Digital Signage < 3.4.8 - Path Traversal
SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests.
by LiquidWorm
CVSS 8.1
CVE-2020-25990 EXPLOITDB CRITICAL text
WebsiteBaker 2.12.2 - SQL Injection via Display Name Parameter
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
by Roel van Beurden
CVSS 9.8
CVE-2020-25985 EXPLOITDB HIGH text
MonoCMS Blog 1.0 - Authenticated Arbitrary File Deletion
MonoCMS Blog 1.0 is affected by: Arbitrary File Deletion. Any authenticated user can delete files on and off the webserver (PHP files can be unlinked and not deleted).
by Shahrukh Iqbal Mirza
CVSS 8.1
CVE-2020-37010 EXPLOITDB CRITICAL python
BearShare Lite 5.2.5 - Buffer Overflow
BearShare Lite 5.2.5 contains a buffer overflow vulnerability in the Advanced Search keywords input that allows attackers to execute arbitrary code. Attackers can craft a specially designed payload to overwrite the EIP register and execute shellcode by pasting malicious content into the search keywords field.
by Christian Vierschilling
CVSS 9.8
CVE-2018-6892 EXPLOITDB CRITICAL python
CloudMe Sync < 1.10.9 - Unauthenticated Remote Buffer Overflow via Port 8888
An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.
by boku
CVSS 9.8
EIP-2026-113352 EXPLOITDB python
WebsiteBaker 2.12.2 - Remote Code Execution
by Enesdex
CVE-2020-17382 EXPLOITDB HIGH c
MSI AmbientLink MsIo64 driver 1.0.0.8 - Buffer Overflow
The MSI AmbientLink MsIo64 driver 1.0.0.8 has a Buffer Overflow (0x80102040, 0x80102044, 0x80102050, and 0x80102054).
by Matteo Malvica
CVSS 7.8
CVE-2020-15930 EXPLOITDB MEDIUM text
Joplin 1.0.190-1.0.245 - Cross-Site Scripting via HTML Embed Tag
An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
by Ademar Nowasky Junior
CVSS 6.1
CVE-2020-15922 EXPLOITDB CRITICAL python
Mida eFramework < 2.9.0 - Authenticated Remote Code Execution via OS Command Injection
There is an OS Command Injection in Mida eFramework 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. Authentication is required.
by elbae
CVSS 9.8
CVE-2020-26670 EXPLOITDB HIGH text
BigTree CMS < 4.4.10 - Command Injection
A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function.
by SunCSR
CVSS 8.8
CVE-2020-26669 EXPLOITDB MEDIUM text
BigTree CMS < 4.4.10 - Authenticated Stored Cross-Site Scripting via Page Content
A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update.
by SunCSR
CVSS 5.4
CVE-2020-26668 EXPLOITDB HIGH text
BigTree CMS < 4.4.10 - SQL Injection
A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query into the application via the 'Create New Feed' function.
by SunCSR
CVSS 8.8
EIP-2026-105171 EXPLOITDB text
Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)
by Sinem Şahin
EIP-2026-104180 EXPLOITDB text
B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)
by LiquidWorm
EIP-2026-104179 EXPLOITDB text
B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure
by LiquidWorm
CVE-2020-25761 EXPLOITDB MEDIUM python
Projectworlds Visitor Management System 1.0 - Cross-Site Scripting via myform.php Request Parameters
Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject JavaScript payloads in the parameters to perform various attacks, such as stealing cookies, sensitive information, etc.
by Rahul Ramkumar
CVSS 6.1
EIP-2026-112121 EXPLOITDB text
Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated)
by Aporlorxl23
EIP-2026-110104 EXPLOITDB text
Online Food Ordering System 1.0 - Remote Code Execution
by Eren Şimşek
CVE-2020-35241 EXPLOITDB MEDIUM text
FlatPress 1.0.3 - Stored Cross-Site Scripting in Blog Content
FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog content via the admin panel. Each time any user visits that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
by Alperen Ergel
CVSS 4.8
CVE-2018-17431 EXPLOITDB CRITICAL python
Comodo Unified Threat Management Firewall < 2.7.0 - Unauthenticated Remote Code Execution
Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.
by Milad Fadavvi
CVSS 9.8
CVE-2020-36989 EXPLOITDB HIGH text
ForensiT AppX Management Service 2.2.0.4 - Privilege Escalation
ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.
by Burhanettin Ozgenc
CVSS 7.8
EIP-2026-111963 EXPLOITDB text
Seat Reservation System 1.0 - 'id' SQL Injection
by Augkim
EIP-2026-110172 EXPLOITDB text
Online Shop Project 1.0 - 'p' SQL Injection
by Augkim
CVE-2020-25453 EXPLOITDB HIGH text
BlackCat CMS < 1.4 - Cross-Site Request Forgery Bypass
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
by Noth
CVSS 8.8
EIP-2026-104181 EXPLOITDB python
B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
by LiquidWorm