Exploit Database
144,390 exploits tracked across all sources.
October CMS 3.4.16 - Cross-Site Scripting via Installation dbhost Field
A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.
CVSS 5.4
Rite CMS 3.0 - XSS
Rite CMS 3.0 has Multiple Cross-Site scripting (XSS) vulnerabilities that allow attackers to execute arbitrary code via a payload crafted in the Home Page fields in the Administration menu.
CVSS 4.8
Rite CMS 3.0 - XSS
Rite CMS 3.0 has Multiple Cross-Site scripting (XSS) vulnerabilities that allow attackers to execute arbitrary code via a payload crafted in the Home Page fields in the Administration menu.
CVSS 4.8
Rite CMS 3.0 - XSS
Rite CMS 3.0 has Multiple Cross-Site scripting (XSS) vulnerabilities that allow attackers to execute arbitrary code via a crafted payload into the Main Menu Items in the Administration Menu.
CVSS 5.4
RiteCMS 3.0 - Stored Cross-Site Scripting in Global Content Blocks
Rite CMS 3.0 has a Cross-Site scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload into the Global Content Blocks in the Administration Menu.
CVSS 4.8
hansuncms v1.0 - SQL Injection via /ajax/ajax_login.ashx
hansun CMS v1.0 was discovered to contain a SQL injection vulnerability via the component /ajax/ajax_login.ashx.
CVSS 9.8
TV Bro <=2.0.0 - Code Execution via WebView External Intents
The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData.
CVSS 9.8
Simple and Nice Shopping Cart Script <1.0 - RCE
File Upload vulnerability in Simple and Nice Shopping Cart Script v.1.0 allows a remote attacker to execute arbitrary code via the upload function in the edit profile component.
CVSS 8.8
PostCSS < 8.4.31 - CSS Injection via Comment Parsing Bypass
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
CVSS 5.3
Zope 4.0-4.8.10 - Stored Cross-Site Scripting in Title Property
Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6.
CVSS 3.1
iTop < 2.7.1 - Cross-Site Scripting via Dashlet Edit AJAX Endpoint
iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.
CVSS 6.8
Linux Mint Xreader - Remote Code Execution via EPUB File Parsing Path Traversal
Linux Mint Xreader EPUB File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of EPUB files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21897.
CVSS 7.8
Linux Mint Xreader - Remote Code Execution via CBT File Parsing Argument Injection
Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.
CVSS 7.8
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
libvpx < 1.13.1 - Denial of Service via VP9 Width Handling
VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.
CVSS 7.5
GDidees CMS 3.0 - Stored Cross-Site Scripting via Page Title
GDidees CMS 3.0 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload to the Page Title.
CVSS 5.4
Concrete CMS 9.2.1 - Stored Cross-Site Scripting in SEO & Statistics Tracking Codes
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly.
CVSS 4.8
Concrete CMS 8.5.13 and below, 9.0.0-9.2.1 - Stored Cross-Site Scripting via Forms Data Objects
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.
CVSS 5.4
By Source