Exploitdb Exploits

50,083 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-113873 EXPLOITDB text
WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion
by Ali S. Ahmad
EIP-2026-113565 EXPLOITDB text
WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion (PoC)
by Ali S. Ahmad
EIP-2026-108101 EXPLOITDB text
Job Portal 3.1 - 'job_submit' SQL Injection
by Mehmet EMIROGLU
CVE-2019-6965 EXPLOITDB MEDIUM text
i-doit Open 1.12 - Cross-Site Scripting via QR URL Parameter
An XSS issue was discovered in i-doit Open 1.12 via the src/tools/php/qr/qr.php url parameter.
by BlackFog Team
CVSS 6.1
EIP-2026-105470 EXPLOITDB text
BigTree 4.3.4 CMS - Multiple SQL Injection
by Mehmet EMIROGLU
CVE-2019-9692 EXPLOITDB MEDIUM ruby VERIFIED
CMS Made Simple < 2.2.10 - Unrestricted File Upload via Watermark Image Extension Bypass
class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
by Metasploit
CVSS 6.5
CVE-2015-4852 EXPLOITDB CRITICAL ruby VERIFIED
Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, 12.2.1.0 - Remote Code Execution via T3 Protocol Deserialization
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
by Metasploit
CVSS 9.8
EIP-2026-102615 EXPLOITDB text VERIFIED
gnutls 3.6.6 - 'verify_crt()' Use-After-Free
by Google Security Research
CVE-2019-25488 EXPLOITDB HIGH text
Jettweb Hazir Rent A Car Scripti V4 - SQL Injection
Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into the 'tur', 'id', and 'ozellikdil' parameters of the admin/index.php endpoint to extract sensitive database information or cause denial of service.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25524 EXPLOITDB HIGH text
XooGallery Latest - Unauthenticated SQL Injection via 'p' Parameter
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to bypass authentication, extract sensitive data, or modify database contents.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25523 EXPLOITDB HIGH text
XooGallery Latest - Unauthenticated SQL Injection via cat_id Parameter
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to cat.php with malicious cat_id values to bypass authentication, extract sensitive data, or modify database contents.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25522 EXPLOITDB HIGH text
XooGallery Latest - Unauthenticated SQL Injection via photo_id Parameter
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers can send GET requests to photo.php with malicious photo_id values to extract sensitive data, bypass authentication, or modify database contents.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25521 EXPLOITDB HIGH text
XooGallery Latest - Unauthenticated SQL Injection via gal_id Parameter
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. Attackers can send GET requests to gal.php with malicious gal_id values to extract sensitive database information or modify database contents.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25509 EXPLOITDB HIGH text
XooDigital Latest - Unauthenticated SQL Injection via 'p' Parameter
XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25508 EXPLOITDB HIGH text
Jettweb Php Hazir Ilan Sitesi Scripti V2 - SQL Injection
Jettweb Php Hazir Ilan Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'kat' parameter. Attackers can send GET requests to the katgetir.php endpoint with malicious 'kat' values to extract sensitive database information.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25502 EXPLOITDB MEDIUM text
simplejobscript < 1.66 - Unauthenticated Stored Cross-Site Scripting via Job Type Value Parameter
Simple Job Script contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the job_type_value parameter in the jobs endpoint. Attackers can craft requests with SVG payload injection to execute arbitrary JavaScript in victim browsers and steal session cookies or perform unauthorized actions.
by Ahmet Ümit BAYRAM
CVSS 6.1
CVE-2019-25501 EXPLOITDB HIGH text
Simple Job Script - SQL Injection
Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter. Attackers can send POST requests to delete_application_ajax.php with crafted payloads to extract sensitive data, bypass authentication, or modify database contents.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25500 EXPLOITDB HIGH text
Simple Job Script - SQL Injection
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. Attackers can send POST requests to the register-recruiters endpoint with time-based SQL injection payloads to extract sensitive data or modify database contents.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25499 EXPLOITDB HIGH text
simplejobscript < 1.66 - Unauthenticated SQL Injection via job_id Parameter
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. Attackers can send POST requests to get_job_applications_ajax.php with malicious job_id values to bypass authentication, extract sensitive data, or modify database contents.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-25498 EXPLOITDB HIGH text
Simple Job Script - SQL Injection
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. Attackers can send POST requests to the searched endpoint with malicious SQL payloads to bypass authentication and extract sensitive database information.
by Ahmet Ümit BAYRAM
CVSS 8.2
CVE-2019-10009 EXPLOITDB MEDIUM text
Titan FTP Server 2019 Build 3505 - Path Traversal
A Directory Traversal issue was discovered in the Web GUI in Titan FTP Server 2019 Build 3505. When an authenticated user attempts to preview an uploaded file (through PreviewHandler.ashx) by using a \..\..\ technique, arbitrary files can be loaded in the server response outside the root directory.
by Kevin Randall
CVSS 6.5
CVE-2019-0808 EXPLOITDB HIGH text
Windows 7 and Windows Server 2008 - Local Privilege Escalation in Win32k Component
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0797.
by ze0r
CVSS 7.8
CVE-2019-7400 EXPLOITDB MEDIUM text
Rukovoditel < 2.4.1 - Cross-Site Scripting
Rukovoditel before 2.4.1 allows XSS.
by Javier Olmedo
CVSS 6.1
CVE-2019-9791 EXPLOITDB CRITICAL javascript VERIFIED
Thunderbird <60.6-Firefox <66 - Memory Corruption
The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor function is entered through on-stack replacement (OSR). This allows for possible arbitrary reading and writing of objects during an exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.
by Google Security Research
CVSS 9.8
CVE-2019-9810 EXPLOITDB HIGH html
Firefox < 66.0.1 and ESR < 60.6.1 - Memory Corruption via IonMonkey JIT Compiler
Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.
by xuechiyaobai
CVSS 8.8