Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
4,187 exploits
Nucleihigh
MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value
60RISK
open
Nucleimedium
IceWarp WebMail 11.3.1.5 - Cross-Site Scripting
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
18RISK
open
Nucleicritical
Hikvision - Authentication Bypass
CVE-2017-7921CRITICALunder attack
An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 16
100RISK
open
Nucleicritical
Dahua Security - Configuration File Disclosure
A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX,
30RISK
open
Nucleicritical
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions pri
60RISK
open
Nucleicritical
Amcrest IP Camera Web Management - Data Exposure
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative cred
40RISK
open
Nucleicritical
Joomla! <3.7.1 - SQL Injection
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspeci
60RISK
open
Nucleimedium
Reflected XSS - Telerik Reporting Module
Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms
18RISK
open
Nucleimedium
WordPress Raygun4WP <=1.8.0 - Cross-Site Scripting
The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter).
18RISK
open
Nucleimedium
Odoo 8.0/9.0/10.0 - Local File Inclusion
Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to rea
18RISK
open
Nucleimedium
Atlassian Jira IconURIServlet - Cross-Site Scripting/Server-Side Request Forgery
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before
60RISK
open
Nucleicritical
Apache Struts2 S2-053 - Remote Code Execution
CVE-2017-9791CRITICALunder attack
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passe
100RISK
open
Nucleihigh
Apache Struts2 S2-052 - Remote Code Execution
CVE-2017-9805HIGHunder attack
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with a
100RISK
open
Nucleihigh
DotNetNuke 5.0.0 - 9.3.0 - Cookie Deserialization Remote Code Execution
CVE-2017-9822HIGHunder attackransomware
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code e
100RISK
open
Nucleihigh
BOA Web Server 0.94.14 - Arbitrary File Access
/cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read
50RISK
open
Nucleicritical
PHPUnit - Remote Code Execution
CVE-2017-9841CRITICALunder attack
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
100RISK
open
Nucleimedium
Schneider Electric Pelco VideoXpert Enterprise 2.0 - Path Traversal
An exposure of sensitive information vulnerability exists in Schneider Electric's Pelco VideoXpert Enterprise versions 2
18RISK
open
Nucleicritical
Cisco RV132W/RV134W Router - Information Disclosure
A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VP
40RISK
open
Nucleihigh
Cisco ASA - Local File Inclusion
CVE-2018-0296HIGHunder attack
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remo
100RISK
open
Nucleimedium
Jolokia 1.3.7 - Cross-Site Scripting
An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute ma
23RISK
open
Nucleihigh
Jolokia Agent - JNDI Code Injection
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to
40RISK
open
Nucleicritical
Cobbler - Authentication Bypass
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibl
23RISK
open
Nucleicritical
GitList < 0.6.0 Remote Code Execution
klaussilveira GitList version <= 0.6 contains a Passing incorrectly sanitized input to system function vulnerability in
40RISK
open
Nucleihigh
Jenkins GitHub Plugin <=1.29.1 - Server-Side Request Forgery
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCrede
40RISK
open
Nucleimedium
Sympa version =>6.2.16 - Cross-Site Scripting
sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in
18RISK
open
Nucleimedium
DomainMOD 4.11.01 - Cross-Site Scripting
DomainMOD version 4.09.03 and above. Also verified in the latest version 4.11.01 contains a Cross Site Scripting (XSS) v
18RISK
open
Nucleicritical
Jenkins - Remote Command Injection
CVE-2018-1000861CRITICALunder attack
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
100RISK
open
Nucleicritical
XiongMai uc-httpd 1.0.0 - Buffer Overflow
Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE
50RISK
open
Nucleihigh
AudioCodes 420HD - Remote Code Execution
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow Remote Code Execution.
50RISK
open
Nucleimedium
Dolibarr <7.0.2 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script
40RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.