Exploitdb Exploits
50,186 exploits tracked across all sources.
BloodX 1.0 - SQL Injection
SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication.
by BKpatron
CVSS 9.8
SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)
by V1n1v131r4
Savsoft Quiz <5.5 - XSS
TechKshetra Info Solutions Pvt. Ltd Savsoft Quiz 5.5 and earlier has XSS which can result in an attacker injecting the XSS payload in the User Registration section and each time the admin visits the manage user section from the admin panel, the XSS triggers and the attacker can steal the cookie via crafted payload.
by Hemant Patidar
CVSS 6.1
SourceCodester Stock Management System <v1.0 - CSRF
A Cross-Site Request Forgery (CSRF) vulnerability in changeUsername.php in SourceCodester Stock Management System v1.0 allows remote attackers to deny future logins by changing an authenticated victim's username when they visit a third-party site.
by boku
CVSS 7.1
Rukovoditel - Path Traversal
In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.
by danyx07
CVSS 9.8
Maracms - Unrestricted File Upload
An arbitrary file upload issue exists in Mara CMS 7.5. In order to exploit this, an attacker must have a valid authenticated (admin/manager) session and make a codebase/dir.php?type=filenew request to upload PHP code to codebase/handler.php.
by 0blio_
CVSS 7.2
moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated)
by Abdulkadir Kaya
Online Book Store - SQL Injection
SQL injection vulnerability in sourcecodester online-book-store 1.0 allows remote attackers to view sensitive information via the id paremeter in application URL.
by Moaaz Taha
CVSS 7.5
Thedaylightstudio Fuel Cms - SQL Injection
FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
by c0mpu7er
CVSS 9.8
BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH_ASLR_DEP)
by emalp
Mara CMS 7.5 - XSS
Mara CMS 7.5 allows cross-site scripting (XSS) in contact.php via the theme or pagetheme parameters.
by George Tsimpidas
CVSS 6.1
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
by Luis Noriega
Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation
Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. Attackers can exploit the /messagebroker/amf endpoint to elevate privileges and take over user accounts by manipulating role settings without authentication.
by LiquidWorm
CVSS 9.8
Online Shopping Alphaware - SQL Injection
The id paramater in Online Shopping Alphaware 1.0 has been discovered to be vulnerable to an Error-Based blind SQL injection in the /alphaware/details.php path. This allows an attacker to retrieve all databases.
by Moaaz Taha
CVSS 7.5
Symphony - XSS
Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php
by SunCSR
CVSS 5.4
Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting
by Jinson Varghese Behanan
ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)
by Paras Bhatia
Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)
by SunCSR Team
Midasolutions Eframework < 2.9.0 - OS Command Injection
There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. No authentication is required.
by elbae
CVSS 9.8
Eibiz i-Media Server Digital Signage 3.8.0 - Path Traversal
Eibiz i-Media Server Digital Signage 3.8.0 contains a directory traversal vulnerability that allows unauthenticated remote attackers to access files outside the server's root directory. Attackers can exploit the 'oldfile' GET parameter to view sensitive configuration files like web.xml and system files such as win.ini.
by LiquidWorm
CVSS 7.5
Ericom Access Server x64 9.2.0 - Server-Side Request Forgery
by hyp3rlinx
LimeSurvey 4.3.10 - XSS
LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.
by Matthew Aberegg
CVSS 5.4
EIBIZ i-Media Server Digital Signage 3.8.0 - Info Disclosure
EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposing administrative credentials, database connection details, and system configuration information.
by LiquidWorm
CVSS 7.5
Eibiz i-Media Server Digital Signage 3.8.0 - Auth Bypass
Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative users without authentication, bypassing security controls.
by LiquidWorm
CVSS 7.5
Sourcecodester Complaint Management System - SQL Injection
An SQL Injection vulnerability exists in Sourcecodester Complaint Management System 1.0 via the cid parameter in complaint-details.php.
by Mohamed Elobeid
CVSS 9.8
By Source