Exploitdb Exploits
49,989 exploits tracked across all sources.
Saltos - SQL Injection
SaltOS 3.1 r8126 allows action=login&querystring=&user=[SQL] SQL Injection.
by Ihsan Sencan
CVSS 9.8
Saltos - Information Disclosure
SaltOS 3.1 r8126 contains a database download vulnerability.
by Ihsan Sencan
CVSS 6.5
Saltos Rhinos - CSRF
RhinOS 3.0 build 1190 allows CSRF.
by Ihsan Sencan
CVSS 6.5
Pointofsales - SQL Injection
Point Of Sales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb.
by Ihsan Sencan
CVSS 9.8
Tubigan Welcome TO Our Resort - SQL Injection
The Tubigan "Welcome to our Resort" 1.0 software allows SQL Injection via index.php?p=accomodation&q=[SQL], index.php?p=rooms&q=[SQL], or admin/login.php.
by Ihsan Sencan
CVSS 9.8
MTGAS MOGG Web Simulator Script - SQL Injection
by Meisam Monsef
K-iwi - SQL Injection
K-iwi Framework 1775 has SQL Injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter.
by Ihsan Sencan
CVSS 9.8
Bsen Ordering Software - SQL Injection
The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].
by Ihsan Sencan
CVSS 9.8
Curriculum Evaluation System - SQL Injection
Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb.
by Ihsan Sencan
CVSS 9.8
Card Payment 1.0 - Cross-Site Request Forgery (Update Admin)
by Ihsan Sencan
Bakeshop Inventory System - SQL Injection
Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb.
by Ihsan Sencan
CVSS 9.8
Paramiko <2.4.1 - RCE
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
by Adam Brown
CVSS 9.8
Canonical Ubuntu Linux < 240 - Race Condition
A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.
by Google Security Research
CVSS 7.0
Canonical Ubuntu Linux < 239 - Insecure Deserialization
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
by Google Security Research
CVSS 7.8
EIP-2026-100655
EXPLOITDB
Library Management System 1.0 - 'frmListBooks' SQL Injection
by Ihsan Sencan
Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection
by Ihsan Sencan
Oracle WebLogic Server <12.2.1.3 - RCE
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
by allyshka
CVSS 9.8
Phptpoint Pharmacy Management System - SQL Injection
PhpTpoint Pharmacy Management System suffers from a SQL injection vulnerability in the index.php username parameter.
by Boumediene KADDOUR
CVSS 9.8
Adult Filter 1.0 - Buffer Overflow
Adult Filter 1.0 has a Buffer Overflow via a crafted Black Domain List file.
by AkkuS
CVSS 7.8
Cisco Webex Meetings Desktop < 33.6.4 - OS Command Injection
A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.
by Metasploit
CVSS 7.8
Cisco Webex Meetings Desktop < 33.6.4 - OS Command Injection
A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.
by Metasploit
CVSS 7.8
By Source