Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
4,187 exploits
Nucleimedium
Google Maps by BestWebSoft < 1.3.6 - Cross-Site Scripting
The bws-google-maps plugin before 1.3.6 for WordPress has multiple XSS issues.
18RISK
open
Nucleimedium
Testimonials by BestWebSoft < 0.1.9 - Cross-Site Scripting
The bws-testimonials plugin before 0.1.9 for WordPress has multiple XSS issues.
18RISK
open
Nucleimedium
Error Log Viewer by BestWebSoft < 1.0.6 - Cross-Site Scripting
The error-log-viewer plugin before 1.0.6 for WordPress has multiple XSS issues.
18RISK
open
Nucleimedium
Sender by BestWebSoft < 1.2.1 - Cross-Site Scripting
The sender plugin before 1.2.1 for WordPress has multiple XSS issues.
18RISK
open
Nucleimedium
Updater by BestWebSoft < 1.35 - Cross-Site Scripting
The updater plugin before 1.35 for WordPress has multiple XSS issues.
18RISK
open
Nucleimedium
User Role by BestWebSoft < 1.5.6 - Cross-Site Scripting
The user-role plugin before 1.5.6 for WordPress has multiple XSS issues.
18RISK
open
Nucleicritical
WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or use
23RISK
open
Nucleimedium
Timesheet Plugin < 0.1.5 - Cross-Site Scripting
The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues.
18RISK
open
Nucleimedium
WordPress Qards - Cross-Site Scripting
The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2c
18RISK
open
Nucleihigh
Graphite <=1.1.5 - Server-Side Request Forgery
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulner
23RISK
open
Nucleimedium
Formidable Forms < 2.05.02 - Cross-Site Scripting
Formidable Form Builder < 2.05.03 - Unauthenticated Stored Cross-Site Scripting
56RISK
open
Nucleimedium
Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure
Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure
28RISK
open
Nucleimedium
FortiOS 5.4.0 to 5.6.0 - Cross-Site Scripting
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to exec
38RISK
open
Nucleimedium
Fortinet FortiOS < 5.6.0 - Cross-Site Scripting
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to Execute unauthor
38RISK
open
Nucleimedium
Fortinet FortiOS < 5.6.0 - Cross-Site Scripting
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthor
43RISK
open
Nucleihigh
Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
CVE-2017-3506HIGHunder attack
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supporte
100RISK
open
Nucleimedium
Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
43RISK
open
Nucleimedium
McAfee Network Data Loss Prevention 9.3.x - Cross-Site Scripting
Embedding Script (XSS) in HTTP Headers vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x a
18RISK
open
Nucleihigh
NETGEAR Routers - Authentication Bypass
CVE-2017-5521HIGHunder attack
An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R
100RISK
open
Nucleimedium
KMCIS CaseAware - Cross-Site Scripting
An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr"
38RISK
open
Nucleicritical
Apache Struts 2 - Remote Command Execution
CVE-2017-5638CRITICALunder attackransomware
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception ha
100RISK
open
Nucleicritical
Intel Active Management - Authentication Bypass
CVE-2017-5689CRITICALunder attack
An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana
100RISK
open
Nucleimedium
OpenVPN Access Server 2.1.4 - CRLF Injection
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbit
18RISK
open
Nucleimedium
Odoo <= 8.0-20160726 & 9.0 - Open Redirect
Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive in
18RISK
open
Nucleihigh
Kodi 17.1 - Local File Inclusion
Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi allows remote attackers to read arbitrary files v
40RISK
open
Nucleicritical
JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer,
23RISK
open
Nucleihigh
PhpColl 2.5.1 Arbitrary File Upload
Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authentica
60RISK
open
Nucleimedium
MaNGOSWebV4 < 4.0.8 - Cross-Site Scripting
paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter).
38RISK
open
Nucleicritical
Windows Server 2003 & IIS 6.0 - Remote Code Execution
CVE-2017-7269CRITICALunder attack
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in
100RISK
open
Nucleimedium
Magmi 0.7.22 - Cross-Site Scripting
A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration o
18RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.