Exploit Database
125,958 exploits tracked across all sources.
School-management-system 1.0 - XSS
In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter.
CVSS 6.1
uppy 0.25.6 - Type Confusion
An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
CVSS 9.8
LibreNMS 22.11.0-23-gd091788f2 - LFI
A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.
CVSS 6.5
Hostbill 2025-11-24/2025-12-01 - Privilege Escalation
An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field.
CVSS 9.8
Storage Unit Rental Management System 1.0 - SQL Injection
SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/maintenance/manage_storage_unit.php.
CVSS 2.7
Storage Unit Rental Management System 1.0 - SQL Injection
SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/manage_rent.php.
CVSS 2.7
Storage Unit Rental Management System 1.0 - SQL Injection
Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/tenants/view_details.php.
CVSS 2.7
Storage Unit Rental Management System 1.0 - SQL Injection
SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/maintenance/manage_pricing.php.
CVSS 2.7
Online Employees Work From Home Attendance System 1.0 - SQL Injection
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_att.php.
CVSS 2.7
Online Employees Work From Home Attendance System 1.0 - SQL Injection
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php.
CVSS 2.7
Online Employees Work From Home Attendance System 1.0 - SQL Injection
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php.
CVSS 2.7
Online Employees Work From Home Attendance System 1.0 - SQL Injection
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php.
CVSS 2.7
Online Employees Work From Home Attendance System 1.0 - SQL Injection
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php.
CVSS 2.7
Patient Appointment Scheduler System 1.0 - RCE
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.
CVSS 2.7
Patient Appointment Scheduler System 1.0 - SQL Injection
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php.
CVSS 2.7
Patient Appointment Scheduler System 1.0 - SQL Injection
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php.
CVSS 2.7
Patient Appointment Scheduler System 1.0 - SQL Injection
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.
CVSS 2.7
Webkul Krayin CRM 2.2.x - Authenticated RCE
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVSS 9.9
Webkul Krayin CRM 2.2.x - SSRF
A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.
CVSS 8.5
Krayin CRM v2.2.x - SQL Injection
Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
CVSS 7.1
Webkul Krayin CRM 2.2.x - Auth Bypass
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
CVSS 8.8
Webkul Krayin CRM 2.2.x - BOLA
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.
CVSS 8.1
Webkul Krayin CRM 2.2.x - Auth Bypass
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.
CVSS 8.1