Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
AllExploit-DB 22,469Referência 19,810GitHub PoC 13,116VulnCheck XDB 8,069Nuclei 4,188Metasploit 3,462✓ verified onlyrecentpopularrisk
71,062 exploits
VulnCheck XDB
initial-access
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RISK
open ↗VulnCheck XDB
initial-access
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
48RISK
open ↗GitHub PoC
HAERIN-L/POC_CVE-2026-46716
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
48RISK
open ↗GitHub PoC
CVE-2026-0257 - PAN-OS
PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities
100RISK
open ↗Exploit-DB
Notepad++ 8.9.6 - Arbitrary Code Execution
Notepad++: Arbitrary Code Execution via config.xml commandLineInterpreter
41RISK
open ↗Exploit-DB
YAMCS yamcs-core 5.12.7 - LDAP Injection
Yamcs Vulnerable to LDAP Injection in LdapAuthModule
33RISK
open ↗GitHub PoC★ 1
POC_CVE-2026-42589
Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection
63RISK
open ↗GitHub PoC
CVE-2026-39987 - Draft
marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
100RISK
open ↗VulnCheck XDB
initial-access
Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection
63RISK
open ↗GitHub PoC
This exploit is based on CVE-2023-27350 and was built upon the original exploit by horizon3ai and the Metasploit module.
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Bui
100RISK
open ↗GitHub PoC★ 7
CVE-2025-38352 kernel exploit for LG webOS Smart TVs (ARM64). Achieves persistent root on real consumer hardware with novel exploitation techniques. Responsibly disclosed to LG.
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
71RISK
open ↗GitHub PoC
Auditoría de seguridad y análisis de vulnerabilidades (CVE-2014-3566 y CVE-2010-2333) en la infraestructura de red local y router residencial.
LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scrip
50RISK
open ↗VulnCheck XDB
initial-access
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
48RISK
open ↗VulnCheck XDB
initial-access
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
48RISK
open ↗GitHub PoC
CVE-2025-5947 WordPress Service Finder Bookings ≤ 6.0 Exploit
Service Finder Bookings <= 6.0 - Authentication Bypass via User Switch Cookie
63RISK
open ↗GitHub PoC★ 7
Notepad++ RCE via config.xml commandLineInterpreter
Notepad++: Arbitrary Code Execution via config.xml commandLineInterpreter
41RISK
open ↗GitHub PoC
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
48RISK
open ↗VulnCheck XDB
initial-access
Service Finder Bookings <= 6.0 - Authentication Bypass via User Switch Cookie
63RISK
open ↗GitHub PoC
SourceCodester Pharmacy Sales and Inventory System 1.0 - Vulnerable source code for CVE-2026-7392 SQL Injection
SourceCodester Pharmacy Sales and Inventory System ajax.php delete_supplier sql injection
33RISK
open ↗GitHub PoC★ 2
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
48RISK
open ↗GitHub PoC
kavin-jindal/CVE-2026-48778-PoC
Notepad++: Arbitrary Code Execution via config.xml commandLineInterpreter
41RISK
open ↗GitHub PoC★ 2
CVE-2026-8732 | WP Maps Pro <= 6.1.0 | Unauthenticated Privilege Escalation
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
48RISK
open ↗VulnCheck XDB
local
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
71RISK
open ↗GitHub PoC
Testing a List of IP address incase they are vulnerable to CVE-2024-3400
PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect
100RISK
open ↗GitHub PoC
Dungsocool/CVE-2018-7600
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbi
100RISK
open ↗GitHub PoC
Dhananjayasj/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
Microsoft Outlook Remote Code Execution Vulnerability
100RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.