Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
AllExploit-DB 22,469Referência 19,810GitHub PoC 13,116VulnCheck XDB 8,069Nuclei 4,188Metasploit 3,462✓ verified onlyrecentpopularrisk
13,086 exploits
GitHub PoC
bogdanrotariu/cve-2026-29204-whmcs-clientarea-addonid
Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using anoth
48RISK
open ↗GitHub PoC
OOB verifier for GHSA-c4j6-fc7j-m34r / CVE-2026-44578 (Next.js WebSocket-upgrade SSRF)
Next.js: Server-side request forgery in applications using WebSocket upgrades
68RISK
open ↗GitHub PoC
A tiny explanation + PoC for CVE-2026-43284
xfrm: esp: avoid in-place decrypt on shared skb frags
78RISK
open ↗GitHub PoC
copy-fail-CVE-2026-31431
crypto: algif_aead - Revert to operating out-of-place
100RISK
open ↗GitHub PoC
CVE-2026-44277
A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticat
48RISK
open ↗GitHub PoC
SessionReaper-CVE-2025-54236
Adobe Commerce | Improper Input Validation (CWE-20)
100RISK
open ↗GitHub PoC
CVE-2026-0001. Do with your own risk
SmarterTools SmarterMail < Build 9511 Authentication Bypass via Password Reset API
100RISK
open ↗GitHub PoC
Checker and fixer for all 13 vulnerabilities in the Next.js May 2026 security release (CVE-2026-23870)
A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpo
41RISK
open ↗GitHub PoC
Reproduced the fileless LPE CVE‑2026‑31431 (“Copy Fail”) on Kali Linux, then built auditd, Sigma & YARA detections to catch this stealthy kernel exploit that leaves no disk footprint.
crypto: algif_aead - Revert to operating out-of-place
100RISK
open ↗GitHub PoC★ 3
A Bash implementation of copyfail (CVE-2026-31431)
crypto: algif_aead - Revert to operating out-of-place
100RISK
open ↗GitHub PoC
this little script blocks the new splice-ram-privlilleg ecalation fastly befor the contributers do it ( CVE-2026-31431) (CopyFail fix)
crypto: algif_aead - Revert to operating out-of-place
100RISK
open ↗GitHub PoC★ 7
🚀 CVE-2026-0073 - Android ADB Wireless Debugging Exploit (CVSS 8.8) 🔓 Zero-click authentication bypass via TLS type confusion. Gain interactive shell, execute commands, scan networks. Educational red-team tool. 🐚⚡
In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic err
41RISK
open ↗GitHub PoC★ 1
First CTF successfully completed! This repo documents my walkthrough of TryHackMe's Simple CTF. It covers network reconnaissance (Nmap), web exploitation (CVE-2019-9053), and credential cracking. As a dev, it was great to pivot from SQLi to a Root shell by leveraging Sudo misconfigurations. Educational purposes only.
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve
35RISK
open ↗GitHub PoC
Bencodin/CVE-2026-23918-poc
Apache HTTP Server: http2: double free and possible RCE on early reset
53RISK
open ↗GitHub PoC★ 1
Analísis - POC - Mitigación
crypto: algif_aead - Revert to operating out-of-place
100RISK
open ↗GitHub PoC★ 254
Full exploit code for CVE-2026-40369 - A Windows kernel arbitrary write vulnerability that allows browser sandbox escape from all browsers render process sandbox
Windows Kernel Elevation of Privilege Vulnerability
41RISK
open ↗GitHub PoC★ 6
🚀 CVE-2026-41940 cPanel/WHM Auth Bypass Exploit - Best Flow 💥 CRLF injection leads to auth bypass, session hijacking & account leak. ✅ Proxy, custom UA, keep-alive, retries, SSL verify, colored output, file save support. ⚡ Advanced PoC for pentesters.
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RISK
open ↗GitHub PoC
Working POC of CVE-2026-6664 written by Sonnet 4.6
PgBouncer integer overflow in PgBouncer network packet parsing
41RISK
open ↗GitHub PoC★ 1
rootdirective-sec/CVE-2026-5718-Lab
Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.7 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass
56RISK
open ↗GitHub PoC
vutiendat323/CVE-2021-44228_Log4Shell
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
100RISK
open ↗GitHub PoC
y0naldez/CVE-2024-28397-Js2Py-RCE
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a
48RISK
open ↗GitHub PoC
lamaper/CVE-2026-52200
An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax
28RISK
open ↗GitHub PoC★ 2
CVE-2026-29000 – pac4j-jwt Authentication Bypass (🔥 CVSS 10.0). One-click admin forge via public key JWE wrapping. Leaks configs, users, secrets. Keep-alive, proxy, custom JWKS.⚙️ Educational PoC Exploit tool.
pac4j-jwt JwtAuthenticator Authentication Bypass
48RISK
open ↗GitHub PoC
Cybersecurity demo exploiting CVE-2026-35455 with automatic API key generation and exfiltration
immich has Stored XSS via OCR Text in 360° Panorama Viewer
41RISK
open ↗GitHub PoC
CSRF (Cross-Site Request Forgery) vulnerability in gpEasy 1.5-16.3
Cross-site request forgery (CSRF) vulnerability in gpEasy CMS 1.6.2, 1.6.1, and earlier allows remote attackers to hijac
23RISK
open ↗GitHub PoC
Are you get Tanstack Supply chain attack attack of 5/11? CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx
Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
78RISK
open ↗GitHub PoC
Quick mitigation and patch script for CVE-2026-31431 (Copy Fail) on Ubuntu/Debian VPS
crypto: algif_aead - Revert to operating out-of-place
100RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.