Exploitdb Exploits

50,121 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-28999 EXPLOITDB MEDIUM python
Solarwinds Platform < 2024.2 - Race Condition
The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.
by Elhussain Fathy
CVSS 6.4
CVE-2024-58344 EXPLOITDB MEDIUM text
Carbon Forum 5.9.0 Persistent XSS via Forum Name Field
Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft.
by Chokri Hammedi
CVSS 6.4
CVE-2024-58292 EXPLOITDB MEDIUM text
XMB Forum 1.9.12.06 - XSS
XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered.
by Chokri Hammedi
CVE-2024-36599 EXPLOITDB MEDIUM text
Aegon Life v1.0 - XSS
A cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at insertClient.php.
by Aslam Anwar Mahimkar
CVSS 6.1
CVE-2024-36597 EXPLOITDB HIGH text
Aegon Life v1.0 - SQL Injection
Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.
by Aslam Anwar Mahimkar
CVSS 8.8
EIP-2026-114380 EXPLOITDB text
WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
by Onur Göğebakan
EIP-2026-110635 EXPLOITDB python
PHP < 8.3.8 - Remote Code Execution (Unauthenticated) (Windows)
by Yesith Alvarez
EIP-2026-105576 EXPLOITDB text
Boelter Blue System Management 1.3 - SQL Injection
by CBKB
CVE-2024-58283 EXPLOITDB HIGH python
Wbce Cms - Unrestricted File Upload
WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.
by Ahmet Ümit BAYRAM
CVSS 8.8
CVE-2024-58282 EXPLOITDB HIGH python
S9Y Serendipity - Unrestricted File Upload
Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server.
by Ahmet Ümit BAYRAM
CVSS 7.2
CVE-2024-58281 EXPLOITDB HIGH python
Dotclear - Unrestricted File Upload
Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file.
by Ahmet Ümit BAYRAM
CVSS 8.8
CVE-2024-58280 EXPLOITDB HIGH text
CMSimple 5.15 - RCE
CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server.
by Ahmet Ümit BAYRAM
CVSS 8.8
CVE-2024-58279 EXPLOITDB HIGH python
Apprain - Unrestricted File Upload
appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory.
by Ahmet Ümit BAYRAM
CVSS 8.8
EIP-2026-109571 EXPLOITDB python
Monstra CMS 3.0.4 - Remote Code Execution (RCE)
by Ahmet Ümit BAYRAM
CVE-2023-27636 EXPLOITDB MEDIUM text
Progress Sitefinity < 15.0.0 - XSS
Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.
by Aldi Saputra Wahyudi
CVSS 5.4
CVE-2024-58294 EXPLOITDB HIGH php
Sangoma Freepbx - OS Command Injection
FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.
by Cold z3ro
CVSS 8.8
CVE-2024-58293 EXPLOITDB HIGH text
Akaunting 3.1.8 - Code Injection
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations.
by tmrswrr
CVE-2024-58295 EXPLOITDB HIGH text
ElkArte Forum 1.1.9 - RCE
ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands, which can then be executed by accessing the uploaded file in the theme directory.
by tmrswrr
CVE-2025-25037 EXPLOITDB CRITICAL python
Aquatronica Controller System <= 5.1.6 - Information Disclosure
An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.
by LiquidWorm
CVE-2024-22855 EXPLOITDB MEDIUM text
ITSS iMLog <1.307 - XSS
A cross-site scripting (XSS) vulnerability in the User Maintenance section of ITSS iMLog v1.307 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Last Name parameter.
by Gabriel Felipe
CVSS 5.4
EIP-2026-105666 EXPLOITDB text
BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection
by Ivan Spiridonov
EIP-2026-104196 EXPLOITDB python
changedetection < 0.45.20 - Remote Code Execution (RCE)
by Zach Crosman (zcrosman)
EIP-2026-101583 EXPLOITDB python
Check Point Security Gateway - Information Disclosure (Unauthenticated)
by Yesith Alvarez
CVE-2024-58284 EXPLOITDB HIGH python
Popojicms - Code Injection
PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.
by Ahmet Ümit BAYRAM
CVSS 7.2
CVE-2024-33559 EXPLOITDB CRITICAL text
8theme XStore <9.3.5 - SQL Injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection.This issue affects XStore: from n/a through 9.3.5.
by Abdualhadi khalifa
CVSS 9.3
By Source
All 50,121 Exploitdb 50,121 Writeup 46,831 Nomisec 21,202 Metasploit 3,189 Github 2,265 Vulncheck_xdb 900 Inthewild 518 Gitlab 439 Gitee 415 Patchapalooza 312
By Language
text 31,341 ruby 5,920 python 5,745 c 3,550 perl 2,854 html 2,055 php 1,334 bash 459 java 360 javascript 260 c++ 247 shell 73 go 41 postscript 25 xml 24