Suggest Exploit

Explore Vulnerabilities


Explore all Exploits:

SuperStoreFinder – Multiple Vulnerabilities

SuperStoreFinder is a PHP/Javascript/MySQL store locator script with Google Maps API integration. A vulnerability exists in the 'USERNAME' parameter in the 'localhost/admin/index.php' file, allowing unauthenticated SQL Injection attacks including boolean-based blind, error-based, and time-based blind attacks.

Lot Reservation Management System Unauthenticated File Disclosure Vulnerability

The Lot Reservation Management System, version 1.0, allows unauthenticated users to disclose files on the server. This vulnerability can be exploited by an attacker to access sensitive information stored on the system without proper authorization. However, no CVE has been assigned to this vulnerability yet.

Simple Student Attendance System – Time Based Blind SQL Injection

The Simple Student Attendance System is vulnerable to a Time-Based Blind SQL Injection in the delete_student function of actions.class.php. An attacker can manipulate the 'id' parameter to execute malicious SQL queries, potentially leading to unauthorized data retrieval or modification. The vulnerability has been tested using sqlmap tool with a time-based blind technique.


The Comments Like Dislike plugin for WordPress <= 1.2.0 allows unauthorized modification of data due to a missing capability check on the restore_settings function. This vulnerability enables authenticated attackers with minimal permissions to reset the plugin's settings, as the nonce is accessible to subscriber-level users.

Maxima Max Pro Power BLE Traffic Replay (Unauthenticated)

An attacker can send crafted HEX values to the GATT Charactristic handle on the Maxima Max Pro Power watch to perform unauthorized actions like changing time display format, updating time, and notifications. Due to lack of integrity check, an attacker can sniff values on one smartwatch and replay them on another, leading to unauthorized actions.

Petrol Pump Management Software v.1.0 – Stored Cross Site Scripting via SVG file

An attacker can exploit a Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 by injecting malicious code through a crafted payload into the image parameter in the profile.php component. By uploading a specially crafted xss.svg file, the attacker can execute arbitrary code. The content of the xss.svg file includes a script that triggers an alert message.

AC Repair and Services System v1.0 – Multiple SQL Injection

The AC Repair and Services System v1.0 is vulnerable to multiple SQL Injection attacks. An attacker can exploit this by manipulating the input fields to execute arbitrary SQL commands. This can lead to unauthorized access, data leakage, and potential data manipulation.

Juniper SRX Firewalls & EX Switches PreAuth RCE

The vulnerability allows an attacker to execute the phpinfo() function on the login page of the target device, enabling them to inspect the PHP configuration. The exploit also provides an option to save the phpinfo() output to a file for further analysis. This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845.

RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC

The RoyalTSX application crashes when a specific function is handling the SecureGatewayHost object in the RoyalTSXNativeUI due to a heap memory corruption issue. This occurs when a hostname with an array of approximately 1600 bytes is provided, leading to an instant crash when the 'Test Connection' feature is used.

Electrolink FM/DAB/TV Transmitter Credentials Disclosure

Electrolink FM/DAB/TV Transmitter devices are prone to a credentials disclosure vulnerability. Attackers can exploit this issue to gain unauthorized access to sensitive information, potentially leading to further attacks.

Recent Exploits: