Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
71,062 exploits
GitHub PoC
CVE-2026-45659 Microsoft SharePoint Server Deserialization RCE.
CVE-2026-45659HIGHunder attack27 May 2026
Microsoft SharePoint Remote Code Execution Vulnerability
71RISK
open
Exploit-DB
scramble - Remote Code Execution
CVE-2026-44262CRITICALwebappsphp27 May 2026
Scramble: Remote code execution via evaluation of user-controlled input in validation rules
63RISK
open
GitHub PoC
CVE-2026-45659
CVE-2026-45659HIGHunder attack27 May 2026
Microsoft SharePoint Remote Code Execution Vulnerability
71RISK
open
GitHub PoC1
Starlette Host-Header URL Confusion Lab (X41-2026-002) - CVE-2026-48710
CVE-2026-48710MEDIUM27 May 2026
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
48RISK
open
VulnCheck XDB
info-leak
CVE-2026-26980CRITICAL27 May 2026
Ghost has a SQL Injection in its Content API
75RISK
open
GitHub PoC
lwd3c/CVE-2026-47342
CVE-2026-47342HIGH27 May 2026
Apache OFBiz: Privilege Escalation via updateOrRemove Authorization Bypass
21RISK
open
VulnCheck XDB
initial-access
CVE-2025-54123CRITICAL27 May 2026
Hoverfly vulnerable to remote code execution at `/api/v2/hoverfly/middleware` endpoint due to insecure middleware implementation
68RISK
open
GitHub PoC
thinhap/CVE-2026-9082-PoC
CVE-2026-9082CRITICALunder attack27 May 2026
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
100RISK
open
VulnCheck XDB
initial-access
CVE-2022-22965CRITICALunder attack27 May 2026
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b
100RISK
open
VulnCheck XDB
initial-access
CVE-2022-22965CRITICALunder attack27 May 2026
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b
100RISK
open
Exploit-DB
Casdoor 3.54.1 - Arbitrary File Write via Path Traversal
CVE-2026-6815MEDIUMwebappsgo27 May 2026
CVE-2026-6815
33RISK
open
GitHub PoC
Dungsocool/CVE-2017-10271
CVE-2017-10271HIGHunder attackransomware27 May 2026
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supporte
100RISK
open
GitHub PoC
mein-0/cve-2026-0828
CVE-2026-0828HIGH27 May 2026
Kernel driver vulnerability in Safetica Endpoint Client
41RISK
open
Exploit-DB
Linux Kernel - Local Privilege Escalation
CVE-2026-43500HIGHlocallinux27 May 2026
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
78RISK
open
GitHub PoC
CVE-2026-27771 - Draft
CVE-2026-27771HIGH27 May 2026
Gitea Composer package source links use insufficient permission checks
68RISK
open
GitHub PoC18
CVE-2026-27771 - Gitea/Forgejo Container Registry Auth Bypass Exploit PoC - Pull private container images without authentication
CVE-2026-27771HIGH27 May 2026
Gitea Composer package source links use insufficient permission checks
68RISK
open
Exploit-DB
EspoCRM 9.3.3 - SSRF
CVE-2026-33534MEDIUM27 May 2026
EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation
48RISK
open
VulnCheck XDB
info-leak
CVE-2026-9082CRITICALunder attack27 May 2026
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
100RISK
open
GitHub PoC
CVE-2026-5172: buffer overflow in extract_addresses() on crafted resource record PoC
CVE-2026-5172HIGH27 May 2026
CVE-2026-5172
41RISK
open
GitHub PoC
Generate the poc for CVE-2026-4893: broken EDNS Client Subnet validation.
CVE-2026-4893MEDIUM27 May 2026
CVE-2026-4893
33RISK
open
GitHub PoC
Passive checker for CVE-2026-9082 / SA-CORE-2026-004 (Drupal core SQL injection, PostgreSQL)
CVE-2026-9082CRITICALunder attack27 May 2026
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
100RISK
open
GitHub PoC
SSRF Discovered in Mercator
CVE-2026-49345MEDIUM27 May 2026
Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF)
33RISK
open
GitHub PoC
hadhub/CVE-2026-49344-Mercator-JSON-DSL
CVE-2026-49344HIGH27 May 2026
Mercator has a Personal Identifiable Information Leak from Query Executor feature
41RISK
open
Exploit-DB
MeiG Smart FORGE_SLT711 - OS Command Injection
CVE-2026-36356CRITICALhardwarelinux27 May 2026
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthentica
53RISK
open
VulnCheck XDB
initial-access
CVE-2026-20182CRITICALunder attack26 May 2026
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
100RISK
open
GitHub PoC
xxconi/CVE-2026-6271
CVE-2026-6271CRITICAL26 May 2026
Career Section <= 1.7 - Unauthenticated Arbitrary File Upload
48RISK
open
GitHub PoC
CVE-2026-3296 is a CVSS 9.8 Critical unauthenticated PHP Object Injection vulnerability in the Everest Forms WordPress plugin
CVE-2026-3296CRITICAL26 May 2026
Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata
48RISK
open
GitHub PoC
Dungsocool/CVE-2017-5638
CVE-2017-5638CRITICALunder attackransomware26 May 2026
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception ha
100RISK
open
VulnCheck XDB
local
CVE-2026-43284HIGH26 May 2026
xfrm: esp: avoid in-place decrypt on shared skb frags
78RISK
open
Exploit-DB
Grav CMS 2.0.0-beta.2 - Remote Code Execution
CVE-2026-42607CRITICALwebappsphp26 May 2026
Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
48RISK
open
previouspage 42 / 2,369next

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.