Exploitdb Exploits
50,076 exploits tracked across all sources.
NOKIA VitalSuite SPM 2020 - SQL Injection via UserName Parameter
NOKIA VitalSuite SPM 2020 is affected by SQL injection through UserName'.
by Berk Dusunur
CVSS 9.8
Eyoucms < 1.4.7 - Cross-Site Scripting via addonfieldext Parameter
Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter.
by China Banking and Insurance Information Technology Management Co.
CVSS 6.1
QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
by Th3GundY
Kuicms Php EE 2.0 Persistent Cross-Site Scripting via bbs reply
Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in the content parameter to execute arbitrary scripts in users' browsers.
by China Banking and Insurance Information Technology Management Co.
CVSS 7.2
Online Marriage Registration System 1.0 - Stored Cross-Site Scripting
Online Marriage Registration System 1.0 is affected by stored cross-site scripting (XSS) vulnerabilities in multiple parameters.
by that faceless coder
CVSS 5.4
phpgurukul Online Marriage Registration System 1.0 - XSS
Cross Site Scripting (XSS) vulnerability exists in the phpgurukul Online Marriage Registration System 1.0 allows attackers to run arbitrary code via the wzipcode field.
by that faceless coder
CVSS 5.4
OXID eShop 6.x < 6.3.4 - SQL Injection via Sorting Parameter
OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.
by VulnSpy
CVSS 8.2
osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting
by Matthew Aberegg
osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting
by Matthew Aberegg
LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting
by Matthew Aberegg
StreamRipper32 <2.6 - Buffer Overflow
StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a malicious payload exceeding 256 bytes to potentially execute arbitrary code and compromise the application.
by Andy Bowden
CVSS 9.8
WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
by Austin Martin
Open-AudIT 3.3.0 - Stored Cross-Site Scripting in Error Templates
Open-AudIT 3.3.0 allows an XSS attack after login.
by Kamaljeet Kumar
CVSS 5.4
Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
by Mehmet Kelepçe
Pi-Hole heisenbergCompensator Blocklist OS Command Execution
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.
by Photubias
CVSS 8.8
GoldWave 5.70 - Stack-based Buffer Overflow via File Open URL Dialog
GoldWave 5.70 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting malicious input in the File Open URL dialog. Attackers can generate a specially crafted text file with Unicode-encoded shellcode to trigger a stack-based overflow and execute commands when the file is opened.
by Andy Bowden
CVSS 9.8
Victor CMS 1.0 - XSS
Victor CMS 1.0 has Persistent XSS in admin/users.php?source=add_user via the user_name, user_firstname, or user_lastname parameter.
by Nitya Nand
CVSS 6.1
MyLittleAdmin 3.8 - Unauthenticated Remote Code Execution via Hardcoded MachineKey
The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
by Metasploit
CVSS 9.8
WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
by SunCSR
Synology DiskStation Manager < 5.2-5967-5 - Authenticated Command Injection via smart.cgi Disk Field
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.
by Metasploit
CVSS 8.8
Konica Minolta FTP Utility 1.0 - Buffer Overflow
Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the NLST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code.
by Socket_0x03
CVSS 9.8
Konica Minolta FTP Utility 1.0 - Buffer Overflow
Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the LIST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code.
by Socket_0x03
CVSS 9.8
Filetto 1.0 - Denial of Service via Oversized FEAT Command
Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 bytes of repeated characters to trigger a buffer overflow and terminate the FTP service.
by Socket_0x03
CVSS 9.8
By Source