Exploitdb Exploits

50,076 exploits tracked across all sources.

CVE-2024-36599 EXPLOITDB MEDIUM text
Aegon Life Insurance Management System 1.0 - Cross-Site Scripting via insertClient.php Name Parameter
A cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at insertClient.php.
by Aslam Anwar Mahimkar
CVSS 6.1
CVE-2024-36597 EXPLOITDB HIGH text
Aegon Life v1.0 - SQL Injection via client_id Parameter
Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.
by Aslam Anwar Mahimkar
CVSS 8.8
EIP-2026-114380 EXPLOITDB text
WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
by Onur Göğebakan
EIP-2026-110635 EXPLOITDB python
PHP < 8.3.8 - Remote Code Execution (Unauthenticated) (Windows)
by Yesith Alvarez
EIP-2026-105576 EXPLOITDB text
Boelter Blue System Management 1.3 - SQL Injection
by CBKB
CVE-2024-58283 EXPLOITDB HIGH python
WBCE CMS 1.6.2 - Authenticated Remote Code Execution via Elfinder File Upload
WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.
by Ahmet Ümit BAYRAM
CVSS 8.8
CVE-2024-58282 EXPLOITDB HIGH python
Serendipity 2.5.0 - Authenticated Remote Code Execution via Media Upload
Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server.
by Ahmet Ümit BAYRAM
CVSS 7.2
CVE-2024-58281 EXPLOITDB HIGH python
Dotclear 2.29 - Authenticated Remote Code Execution via Media Upload
Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file.
by Ahmet Ümit BAYRAM
CVSS 8.8
CVE-2024-58280 EXPLOITDB HIGH text
CMSimple 5.15 - Authenticated Remote Command Execution via Extensions Configuration
CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server.
by Ahmet Ümit BAYRAM
CVSS 8.8
CVE-2024-58279 EXPLOITDB HIGH python
appRain CMF 4.0.5 - Authenticated Remote Code Execution via Filemanager Upload
appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory.
by Ahmet Ümit BAYRAM
CVSS 8.8
EIP-2026-109571 EXPLOITDB python
Monstra CMS 3.0.4 - Remote Code Execution (RCE)
by Ahmet Ümit BAYRAM
CVE-2023-27636 EXPLOITDB MEDIUM text
Progress Sitefinity < 15.0.0 - Authenticated Cross-Site Scripting via Content Form
Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.
by Aldi Saputra Wahyudi
CVSS 5.4
CVE-2024-58294 EXPLOITDB HIGH php
FreePBX 16 - Authenticated Remote Code Execution via API Module Generatedocs Endpoint
FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.
by Cold z3ro
CVSS 8.8
CVE-2024-58293 EXPLOITDB HIGH text
Akaunting 3.1.8 - Authenticated Server-Side Template Injection via Form Input Fields
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations.
by tmrswrr
CVE-2024-58295 EXPLOITDB HIGH text
ElkArte Forum 1.1.9 - Authenticated Remote Code Execution via Theme Upload
ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands, which can then be executed by accessing the uploaded file in the theme directory.
by tmrswrr
CVE-2025-25037 EXPLOITDB CRITICAL python
Aquatronica Controller System <= 5.1.6 - Information Disclosure
An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.
by LiquidWorm
CVE-2024-22855 EXPLOITDB MEDIUM text
ITSS iMLog < 1.308 - Stored Cross-Site Scripting via User Maintenance Last Name Parameter
A cross-site scripting (XSS) vulnerability in the User Maintenance section of ITSS iMLog v1.307 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Last Name parameter.
by Gabriel Felipe
CVSS 5.4
EIP-2026-105666 EXPLOITDB text
BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection
by Ivan Spiridonov
EIP-2026-104196 EXPLOITDB python
changedetection < 0.45.20 - Remote Code Execution (RCE)
by Zach Crosman (zcrosman)
EIP-2026-101583 EXPLOITDB python
Check Point Security Gateway - Information Disclosure (Unauthenticated)
by Yesith Alvarez
CVE-2024-58284 EXPLOITDB HIGH python
PopojiCMS 2.0.1 - Authenticated Remote Code Execution via Metadata Settings
PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.
by Ahmet Ümit BAYRAM
CVSS 7.2
CVE-2024-33559 EXPLOITDB CRITICAL text
8theme XStore <9.3.5 - SQL Injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection. This issue affects XStore: from n/a through 9.3.5.
by Abdualhadi khalifa
CVSS 9.3
CVE-2024-34241 EXPLOITDB MEDIUM
Rocketsoft Rocket LMS 1.9 - Stored Cross-Site Scripting in Course Creation Interface
A cross-site scripting (XSS) vulnerability in Rocketsoft Rocket LMS 1.9 allows an administrator to store a JavaScript payload using the admin web interface when creating new courses and new course notifications.
by Sergio Medeiros
CVSS 4.8
CVE-2022-35914 EXPLOITDB CRITICAL bash
GLPI htmLawed php command injection
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
by Miguel Redondo
CVSS 9.8
EIP-2026-105375 EXPLOITDB python VERIFIED
Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
by Ahmet Ümit BAYRAM