Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
71,062 exploits
GitHub PoC6
SimpleHelp OIDC Authentication Bypass PoC
CVE-2026-48558CRITICAL02 Jul 2026
SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification
48RISK
open
VulnCheck XDB
initial-access
CVE-2025-57819CRITICALunder attack02 Jul 2026
FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE
100RISK
open
GitHub PoC
BastianXploited/CVE-2026-0740-mass
CVE-2026-0740CRITICAL02 Jul 2026
Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
75RISK
open
VulnCheck XDB
remote-with-credentials
CVE-2026-52813CRITICAL02 Jul 2026
Gogs: Path Traversal in organization name results in RCE through Git hooks
48RISK
open
VulnCheck XDB
info-leak
CVE-2026-8451HIGH02 Jul 2026
Insufficient input validation leading to memory overread
41RISK
open
GitHub PoC
This repository contains a proof-of-concept (PoC) exploit for CVE-2026-38751, affecting OpenSTAManager ≤ 2.10. The vulnerability allows an authenticated attacker to upload a malicious module via the module update functionality, leading to arbitrary file upload and remote code execution (RCE).
CVE-2026-38751HIGH02 Jul 2026
OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionali
41RISK
open
GitHub PoC
DESIGN AND IMPLEMENTATION OF A VULNERABILITY SCANNER FOR CVE-2026-45498 IN MICROSOFT DEFENDER
CVE-2026-45498MEDIUMunder attack02 Jul 2026
Microsoft Defender Denial of Service Vulnerability
75RISK
open
VulnCheck XDB
initial-access
CVE-2021-27877HIGHunder attackransomware02 Jul 2026
An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authenticat
98RISK
open
VulnCheck XDB
initial-access
CVE-2026-48558CRITICAL02 Jul 2026
SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification
48RISK
open
GitHub PoC
FzRsLLaSheR/CVE-2026-12166_CVE-2026-12167_CVE-2026-12168
CVE-2026-12166MEDIUM02 Jul 2026
CVE-2026-12166
33RISK
open
GitHub PoC
Gogs has Path Traversal in organization name that results in RCE through Git hooks
CVE-2026-52813CRITICAL02 Jul 2026
Gogs: Path Traversal in organization name results in RCE through Git hooks
48RISK
open
GitHub PoC
CVE-2026-48907 PoC
CVE-2026-48907CRITICALunder attack01 Jul 2026
Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
100RISK
open
VulnCheck XDB
denial-of-service
CVE-2026-42945CRITICAL01 Jul 2026
NGINX ngx_http_rewrite_module vulnerability
60RISK
open
GitHub PoC
do4choo/CVE-2026-53694-NoMachine-LPE
CVE-2026-53694HIGH01 Jul 2026
Potential local privileges escalation through argument injection in the nxchmod.sh script
41RISK
open
GitHub PoC
pedit COW
CVE-2026-46331HIGH01 Jul 2026
net/sched: fix pedit partial COW leading to page cache corruption
41RISK
open
GitHub PoC
Pivotal CRM's patch for an initial deserialization vulnerability was incomplete. The fix switched from BinaryFormatter to JSON.NET but left TypeNameHandling set to 4 without implementing SerializationBinder, allowing attackers to execute arbitrary code through malicious $type payloads. Fixed in 6.6.5.10 and Patch_CWE502_20260316.zip
CVE-2026-51947CRITICAL01 Jul 2026
An issue in Pivotal CRM 6.6.4.08 and systems using patch-ghi-15381-cwe-502-20251225.zip (fixed in Pivotal CRM 6.6.5.10 a
48RISK
open
VulnCheck XDB
initial-access
CVE-2026-10520CRITICAL01 Jul 2026
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote
85RISK
open
VulnCheck XDB
initial-access
CVE-2020-5902CRITICALunder attackransomware01 Jul 2026
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic
100RISK
open
VulnCheck XDB
initial-access
CVE-2025-57819CRITICALunder attack01 Jul 2026
FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE
100RISK
open
GitHub PoC
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
CVE-2026-55488HIGH01 Jul 2026
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
41RISK
open
GitHub PoC
Safari 跨域信息读取
CVE-2026-43735HIGH01 Jul 2026
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS
41RISK
open
GitHub PoC
A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests under specific rewrite configurations. This can lead to a heap buffer overflow in the NGINX worker process, which may result in arbitrary code execution
CVE-2026-42945CRITICAL01 Jul 2026
NGINX ngx_http_rewrite_module vulnerability
60RISK
open
GitHub PoC
OpenSTAManager RCE Exploit (CVE-2026-38751)
CVE-2026-38751HIGH01 Jul 2026
OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionali
41RISK
open
GitHub PoC8
CVE-2026-6307 PoC: Longinus - 2 Boundaries in One Bug https://nebusec.ai/research/v8-cve-2026-6307-writeup/)
CVE-2026-6307HIGH01 Jul 2026
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code
41RISK
open
GitHub PoC
rootdirective-sec/CVE-2026-56011-Lab
CVE-2026-56011HIGH01 Jul 2026
WordPress MapPress Maps for WordPress plugin <= 2.97.3 - Cross Site Scripting (XSS) vulnerability
41RISK
open
GitHub PoC
emilliewatson96/spryCVE-2026-10520
CVE-2026-10520CRITICAL01 Jul 2026
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote
85RISK
open
VulnCheck XDB
client-side
CVE-2026-56011HIGH01 Jul 2026
WordPress MapPress Maps for WordPress plugin <= 2.97.3 - Cross Site Scripting (XSS) vulnerability
41RISK
open
GitHub PoC48
Google Chrome CVE-2026-6307 PoC
CVE-2026-6307HIGH01 Jul 2026
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code
41RISK
open
GitHub PoC
CVE-2026-46490 — samlify <2.13.0 SAML AttributeValue XML injection -> signed-assertion privilege escalation. Self-contained PoC, verified e2e.
CVE-2026-46490HIGH30 Jun 2026
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
41RISK
open
GitHub PoC
Safari 跨域读取视频
CVE-2026-43700MEDIUM30 Jun 2026
A cross-origin issue was addressed with improved tracking of security origins. This issue is fixed in Safari 26.5.2, iOS
33RISK
open
previouspage 11 / 2,369next

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.