Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
AllExploit-DB 22,469Referência 19,810GitHub PoC 13,116VulnCheck XDB 8,069Nuclei 4,188Metasploit 3,462✓ verified onlyrecentpopularrisk
4,188 exploits
Nucleimedium
PacsOne Server <7.1.1 - Cross-Site Scripting
PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by cross-site scripting (XSS).
18RISK
open ↗Nucleicritical
Alumni Management System 1.0 - SQL Injection
SQL injection vulnerability in SourceCodester Alumni Management System 1.0 allows the user to inject SQL payload to bypa
18RISK
open ↗Nucleicritical
Car Rental Management System 1.0 - Local File Inclusion
An issue was discovered in Car Rental Management System 1.0. An unauthenticated user can perform a file inclusion attack
23RISK
open ↗Nucleicritical
74CMS - Remote File Inclusion
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 7
30RISK
open ↗Nucleicritical
Zeroshell 3.9.3 - Command Injection
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that co
30RISK
open ↗Nucleimedium
Wordpress EventON Calendar 3.0.5 - Cross-Site Scripting
The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.
43RISK
open ↗Nucleimedium
Jira Server Pre-Auth - Arbitrary File Retrieval (WEB-INF, META-INF)
The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 befor
23RISK
open ↗Nucleicritical
ZyXel USG - Hardcoded Credentials
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The p
100RISK
open ↗Nucleicritical
IncomCMS 2.0 - Arbitrary File Upload
IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows un
60RISK
open ↗Nucleicritical
Cisco Adaptive Security Appliance Software/Cisco Firepower Threat Defense - Directory Traversal
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Path Traversal Vulnerability
85RISK
open ↗Nucleihigh
Cisco Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD) - Local File Inclusion
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability
100RISK
open ↗Nucleicritical
Cockpit CMS 0.6.1 - Remote Code Execution
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCrite
30RISK
open ↗Nucleihigh
SMTP WP Plugin Directory Listing
The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in De
30RISK
open ↗Nucleicritical
Wireless Multiplex Terminal Playout Server <=20.2.8 - Default Credential Detection
The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier
23RISK
open ↗Nucleicritical
OpenTSDB <=2.4.0 - Remote Code Execution
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. Th
60RISK
open ↗Nucleihigh
SearchBlox <9.2.2 - Local File Inclusion
A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated us
23RISK
open ↗Nucleihigh
Advanced Comment System 1.0 - Local File Inclusion
ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=.
43RISK
open ↗Nucleicritical
Belkin Linksys RE6500 <1.0.012.001 - Remote Command Execution
Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new passw
50RISK
open ↗Nucleicritical
Klog Server <=2.41 - Unauthenticated Command Injection
KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter.
60RISK
open ↗Nucleihigh
GateOne 1.1 - Local File Inclusion
GateOne 1.1 allows arbitrary file download without authentication via /downloads/.. directory traversal because os.path.
23RISK
open ↗Nucleihigh
WordPress Simple Job Board <2.9.4 - Local File Inclusion
Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2
50RISK
open ↗Nucleimedium
twitter-server Cross-Site Scripting
server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configu
40RISK
open ↗Nucleimedium
Cisco ASA/FTD Software - Cross-Site Scripting
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities
100RISK
open ↗Nucleicritical
Agentejo Cockpit < 0.11.2 - NoSQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.
40RISK
open ↗Nucleicritical
Agentejo Cockpit <0.11.2 - NoSQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.
60RISK
open ↗Nucleicritical
Agentejo Cockpit <0.12.0 - NoSQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.
60RISK
open ↗Nucleicritical
Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbit
65RISK
open ↗Nucleimedium
Rukovoditel <= 2.7.2 - Cross Site Scripting
A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticate
18RISK
open ↗Nucleimedium
Rukovoditel <= 2.7.2 - Cross Site Scripting
A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticate
18RISK
open ↗Nucleimedium
Rukovoditel <= 2.7.2 - Cross Site Scripting
A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authe
18RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.