Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
4,188 exploits
Nucleimedium
PacsOne Server <7.1.1 - Cross-Site Scripting
PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by cross-site scripting (XSS).
18RISK
open
Nucleicritical
Alumni Management System 1.0 - SQL Injection
SQL injection vulnerability in SourceCodester Alumni Management System 1.0 allows the user to inject SQL payload to bypa
18RISK
open
Nucleicritical
Car Rental Management System 1.0 - Local File Inclusion
An issue was discovered in Car Rental Management System 1.0. An unauthenticated user can perform a file inclusion attack
23RISK
open
Nucleicritical
74CMS - Remote File Inclusion
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 7
30RISK
open
Nucleicritical
Zeroshell 3.9.3 - Command Injection
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that co
30RISK
open
Nucleimedium
Wordpress EventON Calendar 3.0.5 - Cross-Site Scripting
The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.
43RISK
open
Nucleimedium
Jira Server Pre-Auth - Arbitrary File Retrieval (WEB-INF, META-INF)
The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 befor
23RISK
open
Nucleicritical
ZyXel USG - Hardcoded Credentials
CVE-2020-29583CRITICALunder attack
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The p
100RISK
open
Nucleicritical
IncomCMS 2.0 - Arbitrary File Upload
IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows un
60RISK
open
Nucleicritical
Cisco Adaptive Security Appliance Software/Cisco Firepower Threat Defense - Directory Traversal
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Path Traversal Vulnerability
85RISK
open
Nucleihigh
Cisco Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD) - Local File Inclusion
CVE-2020-3452HIGHunder attack
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability
100RISK
open
Nucleicritical
Cockpit CMS 0.6.1 - Remote Code Execution
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCrite
30RISK
open
Nucleihigh
SMTP WP Plugin Directory Listing
The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in De
30RISK
open
Nucleicritical
Wireless Multiplex Terminal Playout Server <=20.2.8 - Default Credential Detection
The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier
23RISK
open
Nucleicritical
OpenTSDB <=2.4.0 - Remote Code Execution
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. Th
60RISK
open
Nucleihigh
SearchBlox <9.2.2 - Local File Inclusion
A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated us
23RISK
open
Nucleihigh
Advanced Comment System 1.0 - Local File Inclusion
ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=.
43RISK
open
Nucleicritical
Belkin Linksys RE6500 <1.0.012.001 - Remote Command Execution
Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new passw
50RISK
open
Nucleicritical
Klog Server <=2.41 - Unauthenticated Command Injection
KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter.
60RISK
open
Nucleihigh
GateOne 1.1 - Local File Inclusion
GateOne 1.1 allows arbitrary file download without authentication via /downloads/.. directory traversal because os.path.
23RISK
open
Nucleihigh
WordPress Simple Job Board <2.9.4 - Local File Inclusion
Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2
50RISK
open
Nucleimedium
twitter-server Cross-Site Scripting
server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configu
40RISK
open
Nucleimedium
Cisco ASA/FTD Software - Cross-Site Scripting
CVE-2020-3580MEDIUMunder attackransomware
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities
100RISK
open
Nucleicritical
Agentejo Cockpit < 0.11.2 - NoSQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.
40RISK
open
Nucleicritical
Agentejo Cockpit <0.11.2 - NoSQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.
60RISK
open
Nucleicritical
Agentejo Cockpit <0.12.0 - NoSQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.
60RISK
open
Nucleicritical
Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbit
65RISK
open
Nucleimedium
Rukovoditel <= 2.7.2 - Cross Site Scripting
A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticate
18RISK
open
Nucleimedium
Rukovoditel <= 2.7.2 - Cross Site Scripting
A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticate
18RISK
open
Nucleimedium
Rukovoditel <= 2.7.2 - Cross Site Scripting
A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authe
18RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.