Exploit Database

146,553 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-30167 EXPLOITDB MEDIUM go
Atlona ATOMERX21 - Authenticated Command Injection
/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allow remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.
by rizzziom
CVSS 6.3
CVE-2026-24061 EXPLOITDB CRITICAL python
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
by aliguliyev
CVSS 9.8
CVE-2025-12744 EXPLOITDB HIGH python
Red Hat ABRT - Command Injection via Mount Information
A flaw was found in the ABRT daemon’s handling of user-supplied mount information.ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.
by Chris
CVSS 8.8
CVE-2026-24421 EXPLOITDB MEDIUM text
phpmyfaq < 4.0.17 - Authenticated Missing Authorization in Setup Backup Endpoint
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
by contact
CVSS 6.5
CVE-2026-22241 EXPLOITDB HIGH python
Openeclass < 4.1 - Unrestricted File Upload
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that no validation or sanitization of the file's present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue.
by unico007x
CVSS 7.2
CVE-2025-60751 EXPLOITDB HIGH python
GeographicLib 2.5 - Buffer Overflow
GeographicLib 2.5 is vulnerable to Buffer Overflow in GeoConvert DMS::InternalDecode.
by rosario
CVSS 7.5
CVE-2025-69210 EXPLOITDB MEDIUM text
FacturaScripts < 2025.7 - Authenticated Stored Cross-Site Scripting via XML File Upload
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.
by uvettrivel007
CVSS 5.4
CVE-2025-32432 EXPLOITDB CRITICAL python
CraftCMS - Remote Code Execution
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
by banyamer
CVSS 10.0
CVE-2026-6770 GITHUB MEDIUM html
Mozilla Firefox and Thunderbird 140.10 and 150 - IndexedDB Information Disclosure
Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
by nightcorefan94
CVSS 6.5
CVE-2026-3854 GITHUB HIGH
GitHub Enterprise Server RCE via Git Push Option Injection
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
by LACHHAB-Anas
CVSS 8.8
CVE-2026-41462 GITHUB CRITICAL python
ProjeQtor < 12.4.4 Unauthenticated SQL Injection via Login
ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.
by 0xBlackash
CVSS 9.8
CVE-2026-3854 GITHUB HIGH
GitHub Enterprise Server RCE via Git Push Option Injection
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
by 5kr1pt
CVSS 8.8
CVE-2026-6807 GITHUB MEDIUM python
NSA GRASSMARLIN Improper Restriction of XML External Entity Reference
A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.
by SecTestAnnaQuinn
CVSS 5.5
CVE-2025-60887 WRITEUP MEDIUM
Cista <= 0.15 - Information Disclosure via Insecure Deserialization
An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which may be used to bypass ASLR. Classes with pointer-like mechanics under the cista::raw namespace are prone to reference tampering, where Cista does not perform sufficient checks to safeguard against self-referencing pointers and referencing other data within the payload. The leak occurs if the deserialized values are observable by the attacker.
CVSS 5.3
CVE-2025-60889 WRITEUP CRITICAL
StellarGroup HPX 1.11.0 - Deserialization
Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.
CVSS 9.8
CVE-2026-27760 WRITEUP HIGH
OpenCATS PHP Code Injection via installer AJAX endpoint
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
CVSS 8.1
CVE-2026-38651 WRITEUP HIGH
Netmaker < 1.5.0 - Authentication Bypass via JWT Signature Verification Failure
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information
CVSS 8.2
CVE-2026-38948 WRITEUP MEDIUM
FUEL CMS <= 1.5.2 - Authenticated Stored Cross-Site Scripting via SVG Upload
Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.
CVSS 5.4
CVE-2026-38948 WRITEUP MEDIUM
FUEL CMS <= 1.5.2 - Authenticated Stored Cross-Site Scripting via SVG Upload
Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.
CVSS 5.4
CVE-2026-7271 WRITEUP MEDIUM
DV0x creative-ad-agent creative-ad-agent-server sdk-server.ts path traversal
A vulnerability was detected in DV0x creative-ad-agent up to 751b9e5146604dc65049bd0f62dcbdad6212f8a3. Impacted is an unknown function of the file server/sdk-server.ts of the component creative-ad-agent-server. Performing a manipulation of the argument req.params results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 3d255865a957f3740b8724dd914502c0f44d4970. Applying a patch is the recommended action to fix this issue.
CVSS 5.3
CVE-2025-56537 GITHUB MEDIUM
OpenNebula < 7.0.0 - Stored Cross-Site Scripting via Virtual Network Template Parameter
A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 and fixed in v.7.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the virtual network template parameter.
by MarkArtamonov
CVSS 6.1
CVE-2025-56536 GITHUB MEDIUM
opennebula < 7.0.0 - Stored Cross-Site Scripting via User Information Parameter
A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the user information parameter.
by MarkArtamonov
CVSS 6.1
CVE-2025-56535 GITHUB MEDIUM
OpenNebula < 7.0.0 - Cross-Site Scripting via Zone Attribute Parameter
A cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the zone attribute parameter.
by MarkArtamonov
CVSS 6.1
CVE-2025-56534 GITHUB MEDIUM
opennebula < 7.0.0 - Cross-Site Scripting via Custom Authenticator Driver
A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
by MarkArtamonov
CVSS 6.1
CVE-2026-42208 NOMISEC CRITICAL
LiteLLM: SQL injection in Proxy API key verification
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
by imjdl
CVSS 9.8