Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
22,469 exploits
Exploit-DB
Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
CVE-2021-3436914 Jun 2021
portlets/contact/ref/refContactDetail.do in Accela Civic Platform through 20.1 allows remote attackers to obtain sensiti
23RISK
open
Exploit-DB
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
CVE-2018-1513914 Jun 2021
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote
28RISK
open
Exploit-DB
Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)
CVE-2021-3437014 Jun 2021
Accela Civic Platform through 20.1 allows ssoAdapter/logoutAction.do successURL XSS. NOTE: the vendor states "there are
38RISK
open
Exploit-DB
GLPI 9.4.5 - Remote Code Execution (RCE)
CVE-2020-11060HIGH14 Jun 2021
Remote Code Execution in GLPI
46RISK
open
Exploit-DB
Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)
CVE-2021-3390411 Jun 2021
In Accela Civic Platform through 21.1, the security/hostSignon.do parameter servProvCode is vulnerable to XSS. NOTE: The
43RISK
open
Exploit-DB
OpenEMR 5.0.0 - Remote Code Execution (Authenticated)
CVE-2017-938011 Jun 2021
OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code
28RISK
open
Exploit-DB
Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)
CVE-2021-31950HIGH11 Jun 2021
Microsoft SharePoint Server Spoofing Vulnerability
41RISK
open
Exploit-DB
Cerberus FTP Web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
CVE-2019-2504611 Jun 2021
The Web Client in Cerberus FTP Server Enterprise before 10.0.19 and 11.x before 11.0.4 allows XSS via an SVG document.
23RISK
open
Exploit-DB
WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF
CVE-2021-2417411 Jun 2021
Database Backups <= 1.2.2.6 - CSRF to Backup Download
23RISK
open
Exploit-DB
Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF)
CVE-2021-3240309 Jun 2021
Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of security mecha
23RISK
open
Exploit-DB
WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)
CVE-2020-24186CRITICAL08 Jun 2021
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allo
85RISK
open
Exploit-DB
Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)
CVE-2020-24186CRITICAL07 Jun 2021
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allo
85RISK
open
Exploit-DB
Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)
CVE-2021-2291107 Jun 2021
A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti
60RISK
open
Exploit-DB
Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)
CVE-2021-29440HIGH07 Jun 2021
Twig allowing dangerous PHP functions by default
53RISK
open
Exploit-DB
IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP
CVE-2013-498807 Jun 2021
Stack-based buffer overflow in IcoFX 2.5 and earlier allows remote attackers to execute arbitrary code via a long idCoun
50RISK
open
Exploit-DB
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
CVE-2018-638304 Jun 2021
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but
28RISK
open
Exploit-DB
CHIYU IoT Devices - Denial of Service (DoS)
CVE-2021-3164203 Jun 2021
A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including B
35RISK
open
Exploit-DB
CHIYU IoT Devices - 'Telnet' Authentication Bypass
CVE-2021-3125103 Jun 2021
An authentication bypass in telnet server in BF-430 and BF431 232/422 TCP/IP Converter, BF-450M and SEMAC from CHIYU Tec
35RISK
open
Exploit-DB
FUDForum 3.1.0 - 'srch' Reflected XSS
CVE-2021-2751903 Jun 2021
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "
38RISK
open
Exploit-DB
Seo Panel 4.8.0 - 'from_time' Reflected XSS
CVE-2021-2842003 Jun 2021
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and th
23RISK
open
Exploit-DB
4Images 1.8 - 'redirect' Reflected XSS
CVE-2021-2730803 Jun 2021
A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to in
23RISK
open
Exploit-DB
FUDForum 3.1.0 - 'author' Reflected XSS
CVE-2021-2752003 Jun 2021
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "
38RISK
open
Exploit-DB
Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution
CVE-2020-13927CRITICALunder attack02 Jun 2021
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but th
100RISK
open
Exploit-DB
Products.PluggableAuthService 2.6.0 - Open Redirect
CVE-2021-21337MEDIUM02 Jun 2021
URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService
33RISK
open
Exploit-DB
Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution
CVE-2020-11978HIGHunder attack02 Jun 2021
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was disco
100RISK
open
Exploit-DB
GetSimple CMS 3.3.4 - Information Disclosure
CVE-2014-872202 Jun 2021
GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/<user
28RISK
open
Exploit-DB
Seo Panel 4.8.0 - 'category' Reflected XSS
CVE-2021-2841802 Jun 2021
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and
23RISK
open
Exploit-DB
Seo Panel 4.8.0 - 'search_name' Reflected XSS
CVE-2021-2841702 Jun 2021
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and t
23RISK
open
Exploit-DB
LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
CVE-2018-1616701 Jun 2021
LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
60RISK
open
Exploit-DB
Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)
CVE-2017-1453528 May 2021
trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php
50RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.