Exploitdb Exploits
50,076 exploits tracked across all sources.
Faculty Evaluation System v1.0 - SQL Injection
by Andrey Stoykov
Microsoft Outlook - Remote Code Execution
Microsoft Outlook Remote Code Execution Vulnerability
by nu11secur1ty
CVSS 8.8
Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
by Okan Kurtulus
Lost and Found Information System v1.0 - SQL Injection
Lost and Found Information System v1.0 was discovered to contain a SQL injection vulnerability via the component /php-lfis/admin/?page=system_info/contact_information.
by Amirhossein Bahramizadeh
CVSS 9.8
Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
by Omer Shaik
Microsoft Edge Chromium < 114.0.1823.51 - Information Disclosure
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
by nu11secur1ty
CVSS 6.5
Alkacon OpenCMS 15.0 - Arbitrary File Upload and Remote Code Execution via PNG File
An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
by tmrswrr
CVSS 6.1
WebsiteBaker 2.13.3 - Authenticated Stored Cross-Site Scripting via SVG File Upload
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks.
by Mirabbas Ağalarov
CVSS 5.4
WebsiteBaker 2.13.3 - Path Traversal
WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory.
by Mirabbas Ağalarov
CVSS 6.5
WBCE CMS 1.6.1 - Stored Cross-Site Scripting via CSS Keylogging
WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests.
by Mirabbas Ağalarov
CVSS 5.4
Spip 4.1.10 - Stored Cross-Site Scripting via Malicious SVG Upload
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.
by nu11secur1ty
CVSS 8.8
PodcastGenerator 3.2.9 - Server-Side Request Forgery via Episode Upload Shortdesc Parameter
PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.
by Mirabbas Ağalarov
CVSS 9.8
Rukovoditel 3.4.1 - Authenticated Stored Cross-Site Scripting via Application Copyright Text
Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers.
by Mirabbas Ağalarov
CVSS 5.4
Rukovoditel 3.4.1 - Authenticated Stored Cross-Site Scripting via Project Task Comments
Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers.
by Mirabbas Ağalarov
CVSS 5.4
D-Link DAP-1325 1.01 - Info Disclosure
D-Link DAP-1325 firmware version 1.01 contains a broken access control vulnerability that allows unauthenticated attackers to download device configuration settings without authentication. Attackers can exploit the /cgi-bin/ExportSettings.sh endpoint to retrieve sensitive configuration information by directly accessing the export settings script.
by ieduardogoncalves
CVSS 7.5
WP AutoComplete Search < 1.0.4 - Unauthenticated SQL Injection via AJAX Parameter
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection
by matitanium
CVSS 9.8
Time Slot Booking Calendar 1.8 - Stored Cross-Site Scripting (XSS)
by CraCkEr
POS Codekop v2.0 - Reflected Cross-Site Scripting via nm_member Parameter
POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php.
by Amirhossein Bahramizadeh
CVSS 6.1
POS Codekop v2.0 - Authenticated RCE
POS Codekop v2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the filename parameter.
by yuyudhn
CVSS 8.8
FuguHub < 8.1 - Remote Code Execution via CMS Docs Component
Real Time Logic FuguHub v8.1 and earlier was discovered to contain a remote code execution (RCE) vulnerability via the component /FuguHub/cmsdocs/.
by redfire359
CVSS 8.8
By Source