Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
22,469 exploits
Exploit-DB
Trixbox 2.8.0.4 - 'lang' Path Traversal
CVE-2017-1453728 May 2021
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter
50RISK
open
Exploit-DB
Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)
CVE-2017-1453528 May 2021
trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php
50RISK
open
Exploit-DB
WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)
CVE-2021-2430828 May 2021
LifterLMS < 4.21.1 - Authenticated Stored XSS in Edit Profile
23RISK
open
Exploit-DB
Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)
CVE-2020-2960726 May 2021
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access
35RISK
open
Exploit-DB
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
CVE-2015-330626 May 2021
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and
60RISK
open
Exploit-DB
Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)
CVE-2018-1942326 May 2021
Codiad 2.8.4 allows remote authenticated administrators to execute arbitrary code by uploading an executable file.
28RISK
open
Exploit-DB
WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)
CVE-2021-2429924 May 2021
ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)
23RISK
open
Exploit-DB
Solaris SunSSH 11.0 x86 - libpam Remote Root (2)
CVE-2020-14871CRITICALunder attack21 May 2021
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported ve
100RISK
open
Exploit-DB
DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
CVE-2021-21551HIGHunder attack21 May 2021
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privile
98RISK
open
Exploit-DB
Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)
CVE-2021-26855CRITICALunder attackransomware21 May 2021
Microsoft Exchange Server Remote Code Execution Vulnerability
100RISK
open
Exploit-DB
WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)
CVE-2021-2424519 May 2021
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)
38RISK
open
Exploit-DB
Microsoft Exchange 2019 - Unauthenticated Email Download
CVE-2021-26855CRITICALunder attackransomware18 May 2021
Microsoft Exchange Server Remote Code Execution Vulnerability
100RISK
open
Exploit-DB
Subrion CMS 4.2.1 - Arbitrary File Upload
CVE-2018-1942217 May 2021
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, beca
50RISK
open
Exploit-DB
Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free
CVE-2013-3893HIGHunder attack17 May 2021
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 throug
100RISK
open
Exploit-DB
IPFire 2.25 - Remote Code Execution (Authenticated)
CVE-2021-3339317 May 2021
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It
50RISK
open
Exploit-DB
Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
CVE-2021-31933HIGH14 May 2021
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a paramete
46RISK
open
Exploit-DB
ZeroShell 3.9.0 - Remote Command Execution
CVE-2019-1272513 May 2021
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web ap
60RISK
open
Exploit-DB
Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free
CVE-2020-0674HIGHunder attack13 May 2021
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet
93RISK
open
Exploit-DB
Firefox 72 IonMonkey - JIT Type Confusion
CVE-2019-17026HIGHunder attack13 May 2021
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are
83RISK
open
Exploit-DB
Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)
CVE-2020-2833710 May 2021
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to g
28RISK
open
Exploit-DB
b2evolution 7-2-2 - 'cf_name' SQL Injection
CVE-2021-2824206 May 2021
SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive dat
23RISK
open
Exploit-DB
Piwigo 11.3.0 - 'language' SQL
CVE-2021-2797303 May 2021
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
28RISK
open
Exploit-DB
Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
CVE-2019-3810MEDIUM30 Apr 2021
A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported vers
38RISK
open
Exploit-DB
GNU Wget < 1.18 - Arbitrary File Upload (2)
CVE-2016-497130 Apr 2021
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F
35RISK
open
Exploit-DB
Cacti 1.2.12 - 'filter' SQL Injection
CVE-2020-1429529 Apr 2021
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead
60RISK
open
Exploit-DB
Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)
CVE-2021-29460HIGH28 Apr 2021
Cross-site scripting (XSS) from unsanitized uploaded SVG files
41RISK
open
Exploit-DB
SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)
CVE-2021-2841926 Apr 2021
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads
28RISK
open
Exploit-DB
DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)
CVE-2021-331823 Apr 2021
attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.
23RISK
open
Exploit-DB
RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
CVE-2021-3003922 Apr 2021
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-repo
23RISK
open
Exploit-DB
RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
CVE-2021-3004222 Apr 2021
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Cont
23RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.