Exploitdb Exploits

50,186 exploits tracked across all sources.

CVE-2020-15922 EXPLOITDB CRITICAL python
Midasolutions Eframework < 2.9.0 - OS Command Injection
There is an OS Command Injection in Mida eFramework 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. Authentication is required.
by elbae
CVSS 9.8
CVE-2020-26670 EXPLOITDB HIGH text
BigTree CMS <4.4.10 - Command Injection
A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function.
by SunCSR
CVSS 8.8
CVE-2020-26669 EXPLOITDB MEDIUM text
BigTree CMS <4.4.10 - XSS
A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update.
by SunCSR
CVSS 5.4
CVE-2020-26668 EXPLOITDB HIGH text
BigTree CMS <4.4.10 - SQL Injection
A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query into the application via the 'Create New Feed' function.
by SunCSR
CVSS 8.8
EIP-2026-105171 EXPLOITDB text
Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)
by Sinem Şahin
EIP-2026-104180 EXPLOITDB text
B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)
by LiquidWorm
EIP-2026-104179 EXPLOITDB text
B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure
by LiquidWorm
CVE-2020-25761 EXPLOITDB MEDIUM python
Projectworlds Visitor Management System - XSS
Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject JavaScript payloads into the parameters to perform various attacks, such as stealing cookies and other sensitive information.
by Rahul Ramkumar
CVSS 6.1
EIP-2026-112121 EXPLOITDB text
Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated)
by Aporlorxl23
EIP-2026-110104 EXPLOITDB text
Online Food Ordering System 1.0 - Remote Code Execution
by Eren Şimşek
CVE-2020-35241 EXPLOITDB MEDIUM text
Flatpress - XSS
FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability allows an attacker to inject an XSS payload into blog content via the admin panel. Each time any user visits that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
by Alperen Ergel
CVSS 4.8
CVE-2018-17431 EXPLOITDB CRITICAL python
Comodo UTM Firewall <2.7.0 - RCE
Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.
by Milad Fadavvi
CVSS 9.8
CVE-2020-36989 EXPLOITDB HIGH text
ForensiT AppX Management Service 2.2.0.4 - Privilege Escalation
ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.
by Burhanettin Ozgenc
CVSS 7.8
EIP-2026-111963 EXPLOITDB text
Seat Reservation System 1.0 - 'id' SQL Injection
by Augkim
EIP-2026-110172 EXPLOITDB text
Online Shop Project 1.0 - 'p' SQL Injection
by Augkim
CVE-2020-25453 EXPLOITDB HIGH text
Blackcat-cms Blackcat Cms < 1.4 - CSRF
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
by Noth
CVSS 8.8
EIP-2026-104181 EXPLOITDB python
B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
by LiquidWorm
CVE-2020-15921 EXPLOITDB CRITICAL python
Midasolutions Eframework < 2.9.0 - Authentication Bypass
Mida eFramework through 2.9.0 has a back door that permits a change of the administrative password and access to restricted functionalities, such as Code Execution.
by elbae
CVSS 9.8
CVE-2019-15715 EXPLOITDB HIGH python
Mantisbt < 1.3.20 - OS Command Injection
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
by Nikolas Geiselman
CVSS 7.2
CVE-2020-11804 EXPLOITDB HIGH python
Titanhq Spamtitan - Code Injection
An issue was discovered in Titan SpamTitan 7.07. Due to improper sanitization of the parameter quid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request.
by Felipe Molina
CVSS 8.8
CVE-2020-0618 EXPLOITDB HIGH python
Microsoft Sql Server - Insecure Deserialization
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
by West Shepherd
CVSS 8.8
EIP-2026-118117 EXPLOITDB text
Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
by hyp3rlinx
CVE-2020-9467 EXPLOITDB MEDIUM text
Piwigo - XSS
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.
by Iridium
CVSS 5.4
CVE-2020-25540 EXPLOITDB HIGH text
Thinkadmin - Path Traversal
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via the 'encode' parameter of a GET request.
by Hzllaga
CVSS 7.5
CVE-2020-23835 EXPLOITDB MEDIUM text
SourceCodester Tailor Management System v1.0 - XSS
A Reflected Cross-Site Scripting (XSS) vulnerability in the index.php login-portal webpage of SourceCodester Tailor Management System v1.0 allows remote attackers to harvest keys pressed by an unauthenticated victim who clicks on a malicious URL and begins typing.
by boku
CVSS 6.4