Exploit Database
125,896 exploits tracked across all sources.
CVE-2010-2075
NOMISEC
Unrealircd - Improper Input Validation
UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.
by Tc-XoNoR
HAProxy <3.3.6 - Request Smuggling
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
by r3verii
CVSS 4.0
FuelCMS 1.5.2 - Info Disclosure
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.
CVSS 7.1
fio 3.41 - DoS
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
CVSS 7.5
Goodoneuz Pay-uz < <= 2.2.24 - Remote Code Execution
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
CVSS 9.8
Yamaha SR-B30A 2.40 - Auth Bypass
An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio range to connect without authentication via the Sound Bar Remote protocol
CVSS 6.5
Simple Music Cloud Community System 1.0 - SQL Injection
SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.
CVSS 7.3
Simple Music Cloud Community System 1.0 - SQL Injection
SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.
CVSS 7.3
Simple Music Cloud Community System 1.0 - SQL Injection
SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.
CVSS 9.4
Simple Music Cloud Community System 1.0 - SQL Injection
SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php.
CVSS 9.8
Simple Music Cloud Community System 1.0 - SQL Injection
SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/edit_music.php.
CVSS 9.8
SourceCodester Vehicle Parking Area Management System 1.0 - SQL Injection
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_category.php.
CVSS 7.2
SourceCodester Vehicle Parking Area Management System 1.0 - SQL Injection
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php.
CVSS 7.2
SourceCodester Vehicle Parking Area Management System 1.0 - SQL Injection
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_user.php.
CVSS 7.2
SourceCodester Vehicle Parking Area Management System 1.0 - SQL Injection
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php.
CVSS 7.2
SourceCodester Vehicle Parking Area Management System 1.0 - SQL Injection
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.
CVSS 9.8
SourceCodester Payroll Management and Information System 1.0 - SQL Injection
SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.
CVSS 4.7
SourceCodester Payroll Management and Information System 1.0 - SQL Injection
SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.
CVSS 9.1
KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
CVSS 7.5
Roundcube Webmail < 1.5.8 - XSS
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
by ZaidArif47
Snipe-IT <8.3.7 - Privilege Escalation
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.
by Nxvh1337
CVSS 8.8
Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
by z3r0h3ro
CVSS 9.8
Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
by keraattin
CVSS 9.8
ONLYOFFICE DesktopEditors <9.3.0 - Privilege Escalation
In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.
CVSS 6.2
Ascensio Onlyoffice DocumentServer < 9.3.0 - Information Disclosure
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.
CVSS 5.0
By Source