Exploitdb Exploits
50,076 exploits tracked across all sources.
Axigen Mail Server < 10.5.7 - Cross-Site Scripting via serverName_input Parameter
Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.
by Vincent McRae_ Mesut Cetin
CVSS 9.6
GL-iNet Firmware - Unauthenticated Sensitive Information Exposure via File Download Commands
An issue was discovered on certain GL-iNet devices. Attackers can download files such as logs via commands, potentially obtaining critical user information. This affects MT6000 4.5.5, XE3000 4.4.4, X3000 4.4.5, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, XE300 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-v2 4.3.10, X300B 3.217, S1300 3.216, SF1200 3.216, MV1000 3.216, N300 3.216, B2200 3.216, and X1200 3.203.
by Bandar Alharbi
CVSS 7.5
Casdoor < 1.331.0 - Cross-Site Request Forgery via Password Reset Endpoint
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
by Van Lam Nguyen
CVSS 6.5
Mikrotik RouterOS 6.40.5-6.49.10 - DoS
Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445.
by ice-wzl
CVSS 7.5
Purei CMS 1.0 - SQL Injection via getAllParks.php and events-ajax.php Endpoints
Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information.
by Number 7
Siklu MultiHaul TG series < 2.0.0 - Unauthenticated Credential Disclosure via Port 12777
Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device.
by semaja2
liveSite 2019.1 - Remote Code Execution via edit_designer_region.php or add_email_campaign.php
liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulenrabiity via the component /livesite/edit_designer_region.php or /livesite/add_email_campaign.php.
by tmrswrr
CVSS 9.8
WinRAR version 6.22 - Remote Code Execution via ZIP archive
by E1 Coders
Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)
by Sean Pesce
Dell Security Management Server <1.9.0 - Local Privilege Escalation
by Amirhossein Bahramizadeh
Phpgurukul Tourism Management System 2.0 - Unrestricted Upload of File with Dangerous Type via Change Image Endpoint
Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. When updating a current package, there are no checks for what types of files are uploaded from the image.
by SoSPiro
CVSS 8.1
SPA-CART CMS 1.9.0.3 - Authenticated Stored Cross-Site Scripting via Product Description Parameter
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers.
by Eren Sen
CVSS 7.5
Lime Survey CE <v.5.3.32+220817 - XSS
Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function.
by Subhankar Singh
CVSS 6.1
Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS
by Hakkı TOKLU
Craft CMS 4.4.14 - Unauthenticated Remote Code Execution
by Olivier Lasne
minaliC 2.0.0 - Denial of Service via Oversized GET Request
minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send crafted HTTP requests with excessive data to overwhelm the server and cause service interruption.
by Fernando Mengali
CSZCMS 1.3.0 - Authenticated SQL Injection via Members View Parameter
CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information.
by Abdulaziz Almetairy
CVSS 8.8
phpgurukul Teacher Subject Allocation Management System 1.0 - SQL Injection via searchdata Parameter
SQL Injection vulnerability in index.php in phpgurukul Teacher Subject Allocation Management System 1.0 allows attackers to run arbitrary SQL commands and obtain sensitive information via the 'searchdata' parameter.
by Ersin Erenler
CVSS 7.5
By Source