Exploit Database

126,192 exploits tracked across all sources.

CVE-2025-45806 WRITEUP MEDIUM
rrweb-snapshot <2.0.0-alpha.18 - XSS
A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 6.1
CVE-2023-33187 WRITEUP MEDIUM
Highlight - Info Disclosure
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `type="password"` inputs. A customer may assume that switching to `type="text"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0. This patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type="password"` continues to be obfuscated.
CVSS 5.4
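The patch described above keys masking on whether an input was ever `type="password"`, not on its current type. The following is an added example (not Highlight's or rrweb's code) of that policy in a minimal DOM-recorder masking routine; the `fakeInput` stand-in for an `<input>` element is constructed here so the block runs in Node, and `attachObserver` shows the browser-side `MutationObserver` wiring that would feed real attribute changes into the tracker.

```javascript
// Added example (not Highlight's or rrweb's code): a minimal input-value
// masking policy for a DOM session recorder. It contrasts a naive check on the
// *current* type attribute, which leaks the value after a "Show Password"
// toggle, with a tracker that remembers any node that was ever type="password".

const MASK = '*'.repeat(8);

// Naive policy: mask only if the node is type="password" right now.
function naiveMaskedValue(node) {
  return node.getAttribute('type') === 'password' ? MASK : node.value;
}

// Hardened policy: once a node has been type="password", it stays masked
// even after its type attribute is flipped to "text".
class PasswordTracker {
  constructor() {
    this.everPassword = new WeakSet();
  }
  // Call when a node is first serialized (initial snapshot).
  observe(node) {
    if (node.getAttribute('type') === 'password') this.everPassword.add(node);
  }
  // Call from a MutationObserver record whose attributeName is 'type'.
  typeChanged(node, oldValue) {
    if (oldValue === 'password' || node.getAttribute('type') === 'password') {
      this.everPassword.add(node);
    }
  }
  maskedValue(node) {
    const isPassword = node.getAttribute('type') === 'password';
    return isPassword || this.everPassword.has(node) ? MASK : node.value;
  }
}

// Constructed stand-in for an <input> element so the block runs offline in
// Node. In a browser, pass the real HTMLInputElement instead.
function fakeInput(type, value) {
  const attrs = { type };
  return {
    value,
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    setAttribute(name, v) { attrs[name] = v; },
  };
}

// Browser-only wiring: watch the type attribute under `root` and feed old
// values into the tracker. MutationObserver does not exist in Node, so this
// returns null there.
function attachObserver(tracker, root) {
  if (typeof MutationObserver === 'undefined') return null;
  const mo = new MutationObserver((records) => {
    for (const r of records) {
      if (r.attributeName === 'type') tracker.typeChanged(r.target, r.oldValue);
    }
  });
  mo.observe(root, {
    attributes: true, attributeOldValue: true, attributeFilter: ['type'], subtree: true,
  });
  return mo;
}

// Simulate the "Show Password" flow and return what each policy would record.
function showPasswordScenario() {
  const tracker = new PasswordTracker();
  const pw = fakeInput('password', 'hunter2'); // constructed sample value
  tracker.observe(pw);
  const beforeToggle = { naive: naiveMaskedValue(pw), tracked: tracker.maskedValue(pw) };
  // The page's "Show Password" button flips the attribute to text.
  pw.setAttribute('type', 'text');
  tracker.typeChanged(pw, 'password'); // what the MutationObserver would report
  const afterToggle = { naive: naiveMaskedValue(pw), tracked: tracker.maskedValue(pw) };
  return { beforeToggle, afterToggle };
}
```

The naive policy records `hunter2` the moment the toggle fires; the tracker keeps emitting the mask. Note that `attributeOldValue: true` is what makes the old `password` value available in the mutation record, so a node that is already `type="text"` by the time the recorder sees it is still caught if the observer was attached before the toggle.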
CVE-2024-34255 WRITEUP MEDIUM
jizhicms v2.5.1 - XSS
jizhicms v2.5.1 contains a Cross-Site Scripting(XSS) vulnerability in the message function.
CVSS 6.1
CVE-2024-33338 WRITEUP HIGH
Jizhicms - XSS
Cross Site Scripting vulnerability in jizhicms v.2.5.4 allows a remote attacker to obtain sensitive information via a crafted article publication request.
CVSS 7.3
CVE-2023-50692 WRITEUP HIGH
Jizhicms - Unrestricted File Upload
File upload vulnerability in JIZHICMS v2.5 allows a remote attacker to execute arbitrary code via a crafted file supplied through the download_url parameter and written to the app/admin/exts/ directory.
CVSS 8.8
CVE-2025-50228 WRITEUP CRITICAL
Jizhicms v2.5.4 - SSRF
Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules.
CVSS 9.1
CVE-2023-31862 WRITEUP MEDIUM
jizhicms v2.4.6 - XSS
jizhicms v2.4.6 is vulnerable to Cross Site Scripting (XSS). Article content submitted from the front end is filtered only client-side, not on the server, which allows attackers to publish an article containing malicious JavaScript by modifying the request.
CVSS 5.4
CVE-2023-27235 WRITEUP HIGH
Jizhicms <2.4.5 - RCE
An arbitrary file upload vulnerability in the \admin\c\CommonController.php component of Jizhicms v2.4.5 allows attackers to execute arbitrary code via a crafted phtml file.
CVSS 7.2
CVE-2023-27234 WRITEUP MEDIUM
Jizhicms v2.4.5 - CSRF
A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhicms v2.4.5 allows attackers to arbitrarily make configuration changes within the application.
CVSS 6.5
CVE-2022-45278 WRITEUP HIGH
Jizhicms - SQL Injection
Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /index.php/admins/Fields/get_fields.html component.
CVSS 8.8
CVE-2022-44140 WRITEUP HIGH
Jizhicms <2.3.3 - SQL Injection
Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /Member/memberedit.html component.
CVSS 8.8
CVE-2022-36578 WRITEUP CRITICAL
jizhicms v2.3.1 - SQL Injection
jizhicms v2.3.1 has SQL injection in the admin backend.
CVSS 9.8
CVE-2022-36577 WRITEUP HIGH
jizhicms <2.3.1 - CSRF
An issue was discovered in jizhicms v2.3.1. A CSRF vulnerability allows an attacker to add an administrator.
CVSS 8.8
CVE-2022-31393 WRITEUP CRITICAL
Jizhicms <2.2.5 - SSRF
Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php.
CVSS 9.1
CVE-2022-31390 WRITEUP CRITICAL
Jizhicms <2.2.5 - SSRF
Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php.
CVSS 9.1
CVE-2022-27429 WRITEUP CRITICAL
Jizhicms - SSRF
Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html.
CVSS 9.8
CVE-2020-23644 WRITEUP MEDIUM
JIZHICMS 1.7.1 - XSS
XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS}, handled by Home/c/ErrorController.php.
CVSS 6.1
CVE-2020-23643 WRITEUP MEDIUM
JIZHICMS 1.7.1 - XSS
XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS}, handled by Home/c/WechatController.php.
CVSS 6.1
CVE-2020-21228 WRITEUP MEDIUM
Jizhicms - XSS
JIZHICMS 1.5.1 contains a cross-site scripting (XSS) vulnerability in the component /user/release.html, which allows attackers to arbitrarily add an administrator cookie.
CVSS 6.1
CVE-2019-17593 WRITEUP HIGH
Jizhicms - CSRF
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVSS 8.8
CVE-2025-62718 WRITEUP CRITICAL
Axios <1.15.0 / <0.31.0 - SSRF (NO_PROXY hostname normalization bypass)
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
CVSS 9.9
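The bypass above comes from comparing the hostname as written against NO_PROXY entries, so `localhost.` and `[::1]` never equal `localhost` or `::1`. The following is an added example (not axios's or proxy-from-env's code) of a simplified NO_PROXY matcher in both forms: a naive comparison that routes those loopback spellings through the proxy, and a variant that canonicalizes the hostname first. The matching rules, the proxy URL and the NO_PROXY list are constructed for illustration and are a simplified model, not the library's actual logic.

```javascript
// Added example (not axios's code): a simplified NO_PROXY matcher showing why
// un-normalized hostnames ("localhost." with a trailing dot, "[::1]" with
// IPv6 brackets) slip past a loopback NO_PROXY rule, and the normalization
// that closes the gap. The entry semantics are a simplified model of the
// common proxy-from-env behaviour, not the library's implementation.

function parseNoProxy(noProxy) {
  return noProxy.split(',').map((e) => e.trim().toLowerCase()).filter(Boolean);
}

// Does `host` match one NO_PROXY entry? "*" matches everything; a leading dot
// (".internal") matches any subdomain; otherwise the entry must equal the host
// or be a dot-bounded suffix of it ("example.com" matches "a.example.com").
function entryMatches(entry, host) {
  if (entry === '*') return true;
  if (entry.startsWith('.')) return host.endsWith(entry);
  return host === entry || host.endsWith('.' + entry);
}

// Vulnerable variant: compares the hostname exactly as the caller wrote it.
function shouldBypassProxyNaive(hostname, noProxy) {
  const host = hostname.toLowerCase();
  return parseNoProxy(noProxy).some((e) => entryMatches(e, host));
}

// Canonical form of a hostname for policy comparison:
//  - lowercase
//  - strip IPv6 literal brackets: "[::1]" -> "::1"
//  - strip a single trailing dot (FQDN spelling): "localhost." -> "localhost"
function normalizeHostname(hostname) {
  let host = hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  if (host.endsWith('.') && host.length > 1) host = host.slice(0, -1);
  return host;
}

// Fixed variant: normalize the request host and the NO_PROXY entries alike,
// so both sides of the comparison are in canonical form.
function shouldBypassProxyFixed(hostname, noProxy) {
  const host = normalizeHostname(hostname);
  return parseNoProxy(noProxy)
    .map((e) => (e === '*' || e.startsWith('.') ? e : normalizeHostname(e)))
    .some((e) => entryMatches(e, host));
}

// Decide where a request actually goes: 'direct' or the configured proxy URL.
// WHATWG URL keeps the trailing dot and the IPv6 brackets in `hostname`,
// which is exactly what the naive matcher then fails to recognize.
function routeRequest(url, env, bypass) {
  const { hostname } = new URL(url);
  if (!env.HTTP_PROXY) return 'direct';
  return bypass(hostname, env.NO_PROXY || '') ? 'direct' : env.HTTP_PROXY;
}

// Constructed environment: an egress proxy with loopback and an internal
// zone excluded. Hypothetical values, not from any real deployment.
const ENV = {
  HTTP_PROXY: 'http://proxy.corp.example:3128',
  NO_PROXY: 'localhost,127.0.0.1,::1,.internal',
};

// Route one URL under both policies for side-by-side comparison.
function compareRouting(url) {
  return {
    naive: routeRequest(url, ENV, shouldBypassProxyNaive),
    fixed: routeRequest(url, ENV, shouldBypassProxyFixed),
  };
}
```

Under the naive policy `http://localhost./` and `http://[::1]:8080/` both route to the proxy, so an attacker who controls the URL (or the proxy) can reach services the operator believed NO_PROXY kept local. The same normalization should be applied to the NO_PROXY entries themselves, since an operator may well write `localhost.` or `[::1]` there.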
CVE-2025-63238 WRITEUP MEDIUM
LimeSurvey <6.15.11+250909 - XSS
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user.
CVSS 6.1
CVE-2025-70364 WRITEUP HIGH
Kiamo <8.4 - Code Injection
An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4.
CVSS 8.8