Exploitdb Exploits

50,130 exploits tracked across all sources.

CVE-2022-47879 EXPLOITDB HIGH text
Jedox - Code Injection
A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute their methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2 and later versions are not affected.
by Team Syslifters
CVSS 7.5
CVE-2022-47877 EXPLOITDB MEDIUM text
Jedox - XSS
A Stored cross-site scripting vulnerability in Jedox 2020.2.5 allows remote, authenticated users to inject arbitrary web script or HTML in the Logs page via the log module 'log'.
by Team Syslifters
CVSS 5.4
CVE-2022-47876 EXPLOITDB HIGH text
Jedox GmbH Jedox <2020.2.5 - Command Injection
The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts.
by Team Syslifters
CVSS 8.8
CVE-2022-47878 EXPLOITDB HIGH text
Jedox - Unrestricted File Upload
Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to point the storage location at the webroot directory. Subsequent file uploads then land inside the webroot and can lead to the execution of arbitrary code. NOTE: The vendor states that the vulnerability affects installations running version 22.2 or earlier. The issue was resolved with version 22.3 and later versions are not affected. Additionally, the vendor states that this vulnerability affects on-premises deployments only and that it does not impact cloud-hosted or SaaS environments.
by Team Syslifters
CVSS 8.8
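The check that the storage-path setting above lacks is a containment test on the user-supplied path. The following is an added example (not Jedox's code); the webroot and permitted base directory are constructed assumptions. It normalizes the candidate path lexically, then rejects anything that resolves into the document root or escapes the permitted base, including the `..` and prefix tricks that a naive string comparison misses:

```python
import posixpath

# Constructed example values (assumptions, not Jedox's real defaults): the
# web server's document root and the directory under which storage may live.
WEBROOT = "/var/www/html"
STORAGE_BASE = "/srv/app/storage"


def _inside(path, base):
    """True when `path` equals `base` or lies below it (both already normalized).
    The trailing slash stops '/srv/app/storage2' from matching '/srv/app/storage'."""
    base = base.rstrip("/")
    return path == base or path.startswith(base + "/")


def validate_storage_path(candidate, webroot=WEBROOT, storage_base=STORAGE_BASE):
    """Return the normalized storage path, or raise ValueError when the candidate
    resolves into the webroot or outside the permitted base.

    posixpath.normpath collapses '.' and '..' lexically so the check runs offline;
    on a real server also resolve symlinks (os.path.realpath) before comparing,
    since a symlink under the base can still point into the document root."""
    if not candidate.startswith("/"):
        raise ValueError("storage path must be absolute")
    norm = posixpath.normpath(candidate)
    if _inside(norm, webroot):
        raise ValueError("storage path must not be under the document root")
    if not _inside(norm, storage_base):
        raise ValueError("storage path must stay under the permitted base")
    return norm
```

Any upload handler should then write only under the value this function returns, never under the raw setting.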
CVE-2022-47874 EXPLOITDB MEDIUM text
Jedox Cloud - Incorrect Authorization
Improper Access Control in /tc/rpc in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to view details of database connections via class 'com.jedox.etl.mngr.Connections' and method 'getGlobalConnection'.
by Team Syslifters
CVSS 6.5
CVE-2023-29809 EXPLOITDB CRITICAL text VERIFIED
Companymaps - SQL Injection
SQL injection vulnerability found in Maximilian Vogt companymaps (cmaps) v.8.0 allows a remote attacker to execute arbitrary SQL against the backend database via a crafted request.
by Lucas Noki (0xPrototype)
CVSS 9.8
CVE-2023-53943 EXPLOITDB MEDIUM python
GLPI 9.5.7 - Info Disclosure
GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.
by Rafael B.
CVSS 5.3
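The enumeration technique described above works because the two outcomes of a reset request are distinguishable. The following added example (not GLPI's code; the user store and messages are constructed) shows a handler with that flaw next to one that returns the same status and body regardless of input, and the oracle function an attacker would run against either:

```python
# Constructed in-memory user store (an assumption for the example).
KNOWN_USERS = {"alice@example.com", "bob@example.com"}


def reset_vulnerable(email):
    """The flaw: the response body reveals whether the address is registered."""
    if email in KNOWN_USERS:
        return 200, "An email has been sent to your address."
    return 200, "Email address not found."


def reset_hardened(email):
    """Same status and same body for every input, so the response carries no
    information about account existence; the mail (if any) is sent out of band.
    A real handler must also do the same amount of work on both paths, or the
    timing difference becomes the oracle instead of the body."""
    registered = email in KNOWN_USERS
    if registered:
        pass  # queue the reset mail here; nothing about it reaches the response
    return 200, "If that address is registered, a reset link has been sent."


def enumerate_accounts(handler, candidates, baseline_email="nobody-9f3a@example.invalid"):
    """Return the candidates whose response differs from the response for an
    address assumed not to exist. Any difference in status or body is the oracle."""
    baseline = handler(baseline_email)
    return [c for c in candidates if handler(c) != baseline]
```

Run the same candidate list through both handlers: the vulnerable one returns exactly the registered addresses, the hardened one returns nothing.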
CVE-2023-53931 EXPLOITDB MEDIUM text
Revive Adserver 5.4.1 - XSS
Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a malicious link to the banner-advanced.php endpoint with XSS payloads in prepend and append parameters to execute arbitrary JavaScript when an admin views the page.
by Mirabbas Ağalarov
CVSS 6.1
CVE-2023-53930 EXPLOITDB HIGH text VERIFIED
ProjectSend r1605 - Info Disclosure
ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php.
by Mirabbas Ağalarov
CVSS 7.5
CVE-2023-53929 EXPLOITDB HIGH text
phpMyFAQ 3.1.12 - Code Injection
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject spreadsheet formulas through their profile names. Attackers can set their user profile name to a payload such as 'calc|a!z|' in a formula; the payload is written unescaped into the CSV when an administrator exports user data, and it is executed when that file is opened in a spreadsheet application that evaluates formulas (DDE-style commands in particular). The export itself runs no code; the administrator's spreadsheet does.
by Mirabbas Ağalarov
CVSS 8.8
CVE-2023-53928 EXPLOITDB MEDIUM text
PHPFusion 9.10.30 - XSS
PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks.
by Mirabbas Ağalarov
CVSS 5.4
CVE-2023-53927 EXPLOITDB MEDIUM text
PHPJabbers Simple CMS 5.0 - XSS
PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections, potentially enabling client-side code execution.
by Ahmet Ümit BAYRAM
CVSS 5.4
CVE-2023-53926 EXPLOITDB CRITICAL text
PHPJabbers Simple CMS 5.0 - SQL Injection
PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL through the 'column' parameter of the index.php endpoint to extract or modify database contents; because the value names a column rather than a literal, it cannot be fixed with prepared-statement parameters alone.
by Ahmet Ümit BAYRAM
CVSS 9.8
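A sort-column parameter is the classic case where parameter binding does not help, since a column name is an identifier, not a value. The following added example (not the CMS's code; the SQLite schema, rows and secret are constructed) shows the vulnerable interpolation, a boolean-based blind extraction that reads a secret one character at a time through the resulting row order, and the allow-list fix:

```python
import sqlite3
import string


def make_db():
    """Constructed sample database; table and rows are assumptions, not the CMS schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "zed", "s2q"), (2, "admin", "k7x"), (3, "bob", "m0a")])
    return conn


def list_names_vulnerable(conn, column):
    """The flaw: the client-supplied sort column is pasted into the statement."""
    rows = conn.execute(f"SELECT id, name FROM users ORDER BY {column}").fetchall()
    return [name for _, name in rows]


SORTABLE = {"id": "id", "name": "name"}  # allow-list of sort keys exposed to clients


def list_names_safe(conn, column):
    """The fix: map the client value onto a fixed set of identifiers; reject everything else."""
    if column not in SORTABLE:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT id, name FROM users ORDER BY {SORTABLE[column]}").fetchall()
    return [name for _, name in rows]


BY_ID = ["zed", "admin", "bob"]  # row order when the CASE below selects `id`


def secret_has_prefix(conn, prefix):
    """Boolean-based blind probe: sort by id when the condition holds, by name otherwise,
    so each request leaks one bit through the order of an otherwise harmless listing."""
    payload = (f"(CASE WHEN (SELECT secret FROM users WHERE name = 'admin') "
               f"LIKE '{prefix}%' THEN id ELSE name END)")
    return list_names_vulnerable(conn, payload) == BY_ID


def extract_admin_secret(conn, alphabet=string.ascii_lowercase + string.digits, max_len=16):
    """Recover the admin secret character by character through the ORDER BY oracle.
    The alphabet deliberately excludes LIKE wildcards (% and _) and quotes."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if secret_has_prefix(conn, known + ch):
                known += ch
                break
        else:
            break  # no character extends the prefix: the secret is complete
    return known
```

The safe variant never sees the CASE expression: anything outside the allow-list is refused before a statement is built, which is the only reliable defence for identifiers.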
CVE-2023-25438 EXPLOITDB HIGH text
Genomedics Millegpg - Incorrect Permission Assignment
An issue was discovered in Genomedics MilleGP5 5.9.2, allows remote attackers to execute arbitrary code and gain escalated privileges via modifying specific files.
by Andrea Intilangelo
CVSS 7.8
EIP-2026-116739 EXPLOITDB text
Advanced Host Monitor v12.56 - Unquoted Service Path
by Mr Empy
CVE-2023-30330 EXPLOITDB CRITICAL bash
Softexpert Excellence Suite < 2.1.3 - Untrusted Search Path
SoftExpert (SE) Excellence Suite 2.x versions before 2.1.3 are vulnerable to Local File Inclusion in /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php.
by Felipe Alcantara
CVSS 9.8
EIP-2026-111998 EXPLOITDB text
Serendipity 2.4.0 - File Inclusion RCE
by nu11secur1ty
EIP-2026-110751 EXPLOITDB text
PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting
by Or4nG.M4N
EIP-2026-110300 EXPLOITDB python
OpenEMR v7.0.1 - Authentication credentials brute force
by abhhi (Abhishek Birdawade)
CVE-2023-29983 EXPLOITDB MEDIUM text
Companymaps - XSS
Cross Site Scripting vulnerability found in Maximilian Vogt cmaps v.8.0 allows a remote attacker to execute arbitrary script in an administrator's browser via the auditlog tab in the admin panel.
by Lucas Noki (0xPrototype)
CVSS 5.4
EIP-2026-104957 EXPLOITDB text
admidio v4.2.5 - CSV Injection
by Mirabbas Ağalarov
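Both the phpMyFAQ entry (CVE-2023-53929) and the admidio entry above are CSV injection: a user-controlled string reaches an exported file without neutralization. The following added example (not either project's code; the rows are constructed) shows the neutralization an exporter needs, following the OWASP guidance of prefixing a single quote to any cell that begins with a formula trigger. The page's payload is printed as 'calc|a!z|'; the filter keys on the leading character, so it is the '=' (or '+', '-', '@') that precedes such a payload in an exported formula that gets defused:

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula (OWASP CSV-injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` made safe for CSV export: a cell that would start with a formula
    trigger is prefixed with a single quote so the spreadsheet reads it as text.
    Leading whitespace is ignored for the check so ' =1+1' cannot slip past."""
    text = str(value)
    if text.lstrip().startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_users_csv(rows):
    """Write constructed user rows to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "display_name"])
    for row in rows:
        writer.writerow([neutralize_cell(row["id"]), neutralize_cell(row["display_name"])])
    return buf.getvalue()
```

Quoting every field (QUOTE_ALL) also stops a crafted value from breaking out of its cell with an embedded delimiter or newline; the single-quote prefix handles the formula case that quoting alone does not.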
CVE-2023-30350 EXPLOITDB HIGH python
FS S3900-24T4S - Privilege Escalation
FS S3900-24T4S devices allow authenticated attackers with guest access to escalate their privileges and reset the admin password.
by Daniele Linguaglossa
CVSS 8.8
CVE-2023-53947 EXPLOITDB HIGH text
OCS Inventory NG <2.3.0.0 - Privilege Escalation
OCS Inventory NG 2.3.0.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges to SYSTEM. An attacker who can write to a directory along the unquoted path can place a malicious executable at one of the locations Windows tries before the real binary, then trigger a service restart (or wait for a reboot) to execute code with SYSTEM privileges.
by msd0pe
CVSS 8.4
CVE-2023-53946 EXPLOITDB HIGH text
Arcsoft PhotoStudio 6.0.0.172 - Privilege Escalation
Arcsoft PhotoStudio 6.0.0.172 contains an unquoted service path vulnerability in the ArcSoft Exchange Service that allows local attackers to escalate privileges. An attacker who can write to a directory along the unquoted path can place a malicious executable there and trigger the service to execute arbitrary code with SYSTEM permissions.
by msd0pe
CVSS 8.4
EIP-2026-118156 EXPLOITDB text
Wondershare Filmora 12.2.9.2233 - Unquoted Service Path
by msd0pe
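Four entries on this page (Advanced Host Monitor, OCS Inventory NG, Arcsoft PhotoStudio, Wondershare Filmora) are the same unquoted service path weakness, and the check for it is the same in every case. The following is an added example (not any of those products' code; the service records and paths are constructed) that works through records in the shape of `wmic service get Name,PathName,StartMode` output and, for each auto-start service with an unquoted spaced path, lists the locations the service control manager tries before the real image, which is where a hijack binary would go:

```python
# Constructed service records in the shape of `wmic service get Name,PathName,StartMode`
# output. The paths are made up for the example and are not the products' real install paths.
SAMPLE_SERVICES = [
    {"Name": "ExampleExchangeSvc",
     "PathName": r"C:\Program Files\Example Vendor\Exchange Service\ExSvc.exe",
     "StartMode": "Auto"},
    {"Name": "QuotedSvc",
     "PathName": r'"C:\Program Files\Quoted Vendor\svc.exe" -k net',
     "StartMode": "Auto"},
    {"Name": "NoSpaceSvc", "PathName": r"C:\Tools\agent.exe", "StartMode": "Auto"},
    {"Name": "ManualSvc",
     "PathName": r"C:\Program Files\Other Vendor\manual.exe",
     "StartMode": "Manual"},
]


def is_unquoted_with_spaces(path_name):
    """An image path is hijackable only when it is not wrapped in quotes and a space
    occurs somewhere before the executable name ends."""
    p = path_name.strip()
    if p.startswith('"'):
        return False
    exe_end = p.lower().find(".exe")
    return exe_end != -1 and " " in p[:exe_end]


def hijack_candidates(path_name):
    """Paths Windows tries before the real binary: CreateProcess splits an unquoted
    command line at each space in turn and appends .exe to the prefix. Any candidate
    in a directory the attacker can write to yields code execution as the service user."""
    p = path_name.strip()
    image = p[:p.lower().find(".exe") + len(".exe")]
    candidates = []
    idx = image.find(" ")
    while idx != -1:
        candidates.append(image[:idx] + ".exe")
        idx = image.find(" ", idx + 1)
    return candidates


def find_unquoted_services(records):
    """Return (name, path, candidates) for auto-start services with an unquoted spaced path.
    Manual-start services are skipped here but remain exploitable by a user who may start them."""
    hits = []
    for r in records:
        if r["StartMode"].lower() == "auto" and is_unquoted_with_spaces(r["PathName"]):
            hits.append((r["Name"], r["PathName"], hijack_candidates(r["PathName"])))
    return hits
```

On a real host, feed it the output of `wmic service get Name,PathName,StartMode` or `Get-CimInstance Win32_Service`, then check the parent directory of each candidate with `icacls`; the finding is only exploitable where a low-privileged user (or a group such as Authenticated Users) holds write or create rights on one of those directories. The fix is to quote the ImagePath value for the service.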