Exploitdb Exploits
49,996 exploits tracked across all sources.
Nagios XI <5.4.13 - SQL Injection
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
by Jared Arave
CVSS 9.8
Nagios XI <5.4.13 - Auth Bypass
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
by Jared Arave
CVSS 9.8
WebDorado Form Maker by WD <1.12.24 - Code Injection
The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.
by Sairam Jetty
CVSS 7.8
Nagios XI <5.4.13 - Privilege Escalation
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
by Jared Arave
CVSS 8.8
Drupal < 7.59 - Code Injection
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
by SixP4ck3r
CVSS 9.8
Apple TV < 11.4 - Memory Corruption
An issue was discovered in certain Apple products. iOS before 11.3.1 is affected. macOS before 10.13.4 Security Update 2018-001 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Crash Reporter" component. It allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted app that replaces a privileged port name.
by Google Security Research
CVSS 7.8
Apple Mac OS X < 10.13.4 - Memory Corruption
An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "kext tools" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
by Google Security Research
CVSS 7.8
Allok AVI to DVD SVCD VCD Converter 4.0.1217 Buffer Overflow SEH
Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with junk data, NSEH bypass, SEH handler address, and shellcode that triggers the overflow when pasted into the License Name field and the Register button is clicked, resulting in code execution.
by T3jv1l
CVSS 7.8
October CMS Users <1.4.5 - XSS
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
by 0xB9
CVSS 6.1
Threads to Link plugin 1.3 - MyBB - XSS
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
by 0xB9
CVSS 5.4
Frog CMS 0.9.5 - XSS
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.
by Wenming Jiang
CVSS 4.8
Sickrage < 9.2.101 - Insufficiently Protected Credentials
SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.
by Sven Fassbender
CVSS 9.8
JFrog Artifactory <4.16 - RCE
Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary files and cause a denial of service by uploading an HTML file.
by Alessio Sergi
CVSS 9.8
TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Remote Reboot
by Wadeek
Shopy Point of Sale <1.0 - Code Injection
A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
by 8bitsec
CVSS 8.8
HRSALE The Ultimate HRM 1.0.2 - LFI
A Local File Inclusion vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
by 8bitsec
CVSS 8.8
HRSALE The Ultimate HRM <1.0.2 - Command Injection
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
by 8bitsec
CVSS 8.8
HRSALE The Ultimate HRM <1.0.2 - XSS
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
by 8bitsec
CVSS 5.4
HRSALE The Ultimate HRM <1.0.2 - SQL Injection
A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query.
by 8bitsec
CVSS 8.8
Drupal < 7.59 - Code Injection
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
by Blaklis
CVSS 9.8
clustercoding Blog Master Pro v1.0 - Command Injection
A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
by 8bitsec
CVSS 8.8
By Source