Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
3,462 exploits
Metasploit600
WSO2 Arbitrary File Upload to RCE
CVE-2022-29464CRITICALunder attackransomware01 Apr 2022
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /file
100RISK
open
Metasploit0
Spring Framework Class property RCE (Spring4Shell)
CVE-2022-22965CRITICALunder attack31 Mar 2022
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b
100RISK
open
Metasploit600
Wordpress Plugin Elementor Authenticated Upload Remote Code Execution
CVE-2022-1329HIGH29 Mar 2022
Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution
78RISK
open
Metasploit600
Spring Cloud Function SpEL Injection
CVE-2022-22963CRITICALunder attack29 Mar 2022
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is po
100RISK
open
Metasploit500
io_uring Same Type Object Reuse Priv Esc
CVE-2022-104322 Mar 2022
A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to cor
18RISK
open
Metasploit600
Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
CVE-2022-2463718 Mar 2022
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, wh
60RISK
open
Metasploit600
User Profile Arbitrary Junction Creation Local Privilege Elevation
CVE-2022-26904HIGHunder attack17 Mar 2022
Windows User Profile Service Elevation of Privilege Vulnerability
66RISK
open
Metasploit300
WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)
CVE-2022-016914 Mar 2022
Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection
60RISK
open
Metasploit500
Watch Queue Out of Bounds Write
CVE-2022-099514 Mar 2022
An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This
18RISK
open
Metasploit600
MyBB Admin Control Code Injection RCE
CVE-2022-24734HIGH09 Mar 2022
Remote code execution in mybb
78RISK
open
Metasploit600
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
CVE-2022-2498907 Mar 2022
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskst
30RISK
open
Metasploit600
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
CVE-2022-24990CRITICALunder attackransomware07 Mar 2022
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agen
100RISK
open
Metasploit300
Wordpress BookingPress bookingpress_front_get_category_services SQLi
CVE-2022-073928 Feb 2022
BookingPress < 1.0.11 - Unauthenticated SQL Injection
30RISK
open
Metasploit600
Webmin File Manager RCE
CVE-2022-0824HIGH26 Feb 2022
Improper Access Control to Remote Code Execution in webmin/webmin
78RISK
open
Metasploit300
GitLab GraphQL API User Enumeration
CVE-2021-4191MEDIUM25 Feb 2022
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Priv
70RISK
open
Metasploit600
pfSense Diag Routes Web Shell Upload
CVE-2021-4128223 Feb 2022
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data abo
40RISK
open
Metasploit600
Dirty Pipe Local Privilege Escalation via CVE-2022-0847
CVE-2022-0847HIGHunder attack20 Feb 2022
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in cop
100RISK
open
Metasploit600
Sourcegraph gitserver sshCommand RCE
CVE-2022-23642HIGH18 Feb 2022
Code Injection in Sourcegraph
78RISK
open
Metasploit300
Wordpress MasterStudy Admin Account Creation
CVE-2022-044118 Feb 2022
MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation
60RISK
open
Metasploit600
Redis Lua Sandbox Escape
CVE-2022-0543CRITICALunder attack18 Feb 2022
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
100RISK
open
Metasploit300
Strapi CMS Unauthenticated Password Reset
CVE-2019-1881809 Feb 2022
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/s
60RISK
open
Metasploit300
CVE-2022-21999 SpoolFool Privesc
CVE-2022-21999HIGHunder attackransomware08 Feb 2022
Windows Print Spooler Elevation of Privilege Vulnerability
98RISK
open
Metasploit200
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation
CVE-2022-3491807 Feb 2022
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buff
38RISK
open
Metasploit600
Docker cgroups Container Escape
CVE-2022-0492HIGHunder attack04 Feb 2022
A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. Th
86RISK
open
Metasploit400
Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
CVE-2022-20699CRITICALunder attack02 Feb 2022
Cisco Small Business RV Series Routers Vulnerabilities
100RISK
open
Metasploit400
Zyxel Unauthenticated LAN Remote Code Execution
CVE-2023-28769CRITICAL01 Feb 2022
The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware v
43RISK
open
Metasploit600
Zyxel chained RCE using LFI and weak password derivation algorithm
CVE-2023-28770HIGH01 Feb 2022
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmwa
48RISK
open
Metasploit300
Microweber CMS v1.2.10 Local File Inclusion (Authenticated)
CVE-2025-34076MEDIUM30 Jan 2022
Microweber CMS Authenticated Local File Inclusion via Backup API
28RISK
open
Metasploit400
vmwgfx Driver File Descriptor Handling Priv Esc
CVE-2022-22942HIGH28 Jan 2022
The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to f
36RISK
open
Metasploit600
Spring Cloud Gateway Remote Code Execution
CVE-2022-22947CRITICALunder attack26 Jan 2022
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack whe
100RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.