Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
4,188 exploits
Nucleimedium
Traefik - Open Redirect
Open redirect in Traefik
28RISK
open
Nucleicritical
Yii 2 < 2.0.38 - Remote Code Execution
Unsafe deserialization in Yii 2
58RISK
open
Nucleicritical
Nette Framework - Remote Code Execution
Remote Code Execution vulnerability
68RISK
open
Nucleicritical
DrayTek Vigor - Command Injection
CVE-2020-15415CRITICALunder attack
On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote
95RISK
open
Nucleimedium
TileServer GL <=3.0.0 - Cross-Site Scripting
An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected u
43RISK
open
Nucleicritical
MobileIron Core & Connector <= v10.6 & Sentry <= v9.8 - Remote Code Execution
CVE-2020-15505CRITICALunder attack
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
100RISK
open
Nucleicritical
TerraMaster TOS <.1.29 - Remote Code Execution
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic cla
43RISK
open
Nucleimedium
RosarioSIS 6.7.2 - Cross-Site Scripting
RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php sc
38RISK
open
Nucleihigh
Gogs 0.5.5 - 0.12.2 - Remote Code Execution
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privile
40RISK
open
Nucleimedium
D-Link DIR-816L 2.x - Cross-Site Scripting
An XSS issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. In the file webinc/js/info.php, no outp
18RISK
open
Nucleicritical
Tiki Wiki CMS GroupWare - Authentication Bypass
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
23RISK
open
Nucleicritical
Mida eFramework <=2.9.0 - Remote Command Execution
There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Executi
60RISK
open
Nucleihigh
Cisco Unified IP Conference Station 7937G - Denial-of-Service
A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the de
40RISK
open
Nucleimedium
Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)
Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this mi
18RISK
open
Nucleicritical
SaltStack <=3002 - Shell Injection
CVE-2020-16846CRITICALunder attack
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH clien
100RISK
open
Nucleihigh
Microsoft SharePoint - Remote Code Execution
Microsoft SharePoint Remote Code Execution Vulnerability
58RISK
open
Nucleimedium
Nova Lite < 1.3.9 - Cross-Site Scripting
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
18RISK
open
Nucleimedium
WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
43RISK
open
Nucleicritical
SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution
SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi pa
60RISK
open
Nucleicritical
Fuel CMS 1.4.7 - SQL Injection
CVE-2020-17463CRITICALunder attack
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
100RISK
open
Nucleicritical
vBulletin 5.5.4 - 5.6.2- Remote Command Execution
CVE-2020-17496CRITICALunder attack
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbe
100RISK
open
Nucleihigh
Artica Web Proxy 4.30 - OS Command Injection
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter i
40RISK
open
Nucleicritical
Artica Web Proxy 4.30 - Authentication Bypass/SQL Injection
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator p
60RISK
open
Nucleihigh
Apache Flink 1.5.1 - Local File Inclusion
Apache Flink directory traversal attack: remote file writing through the REST API
50RISK
open
Nucleihigh
Apache Flink - Local File Inclusion
CVE-2020-17519CRITICALunder attack
Apache Flink directory traversal attack: reading remote files through the REST API
100RISK
open
Nucleihigh
Apache Airflow <1.10.14 - Authentication Bypass
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a maliciou
23RISK
open
Nucleicritical
Apache Struts 2.0.0-2.5.25 - Remote Code Execution
CVE-2020-17530CRITICALunder attack
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected
100RISK
open
Nucleimedium
Z-Blog <=1.5.2 - Open Redirect
Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect"
18RISK
open
Nucleimedium
Jeesns 1.4.2 - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in Jeesns 1.4.2 allows attackers to execute arbitrary web scripts o
18RISK
open
Nucleimedium
Jeesns 1.4.2 - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in the /newVersion component of Jeesns 1.4.2 allows attackers to ex
18RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.