Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
22,469 exploits
Exploit-DB
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
CVE-2019-20361HIGH26 Jul 2020
There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to b
78RISK
open
Exploit-DB
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
CVE-2019-19985MEDIUM26 Jul 2020
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file downloa
70RISK
open
Exploit-DB
pfSense 2.4.4-p3 - Cross-Site Request Forgery
CVE-2019-1666726 Jul 2020
diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executi
35RISK
open
Exploit-DB
INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution
CVE-2020-1549226 Jul 2020
An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe we
28RISK
open
Exploit-DB
Bio Star 2.8.2 - Local File Inclusion
CVE-2020-1505026 Jul 2020
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary fi
50RISK
open
Exploit-DB
Rails 5.0.1 - Remote Code Execution
CVE-2020-816326 Jul 2020
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the
60RISK
open
Exploit-DB
Bludit 3.9.2 - Directory Traversal
CVE-2019-1611326 Jul 2020
Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .j
60RISK
open
Exploit-DB
Docsify.js 4.11.4 - Reflective Cross-Site Scripting
CVE-2020-768022 Jul 2020
docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters a
23RISK
open
Exploit-DB
WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
CVE-2020-1536322 Jul 2020
The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.
23RISK
open
Exploit-DB
WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
CVE-2020-1536422 Jul 2020
The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS.
23RISK
open
Exploit-DB
CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)
CVE-2020-1560017 Jul 2020
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
23RISK
open
Exploit-DB
SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
CVE-2020-1504615 Jul 2020
The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to
23RISK
open
Exploit-DB
Zyxel Armor X1 WAP6806 - Directory Traversal
CVE-2020-1446115 Jul 2020
Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory Traversal via the images/eaZy/ URI.
23RISK
open
Exploit-DB
BSA Radar 1.6.7234.24750 - Local File Inclusion
CVE-2020-1494614 Jul 2020
downloadFile.ashx in the Administrator section of the Surveillance module in Global RADAR BSA Radar 1.6.7234.24750 and e
23RISK
open
Exploit-DB
Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)
CVE-2020-860514 Jul 2020
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitr
60RISK
open
Exploit-DB
Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution
CVE-2020-711510 Jul 2020
The ClearPass Policy Manager web interface is affected by a vulnerability that leads to authentication bypass. Upon succ
35RISK
open
Exploit-DB
CompleteFTP Professional 12.1.3 - Remote Code Execution
CVE-2019-1611609 Jul 2020
EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file.
23RISK
open
Exploit-DB
BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)
CVE-2020-1494408 Jul 2020
Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can all
23RISK
open
Exploit-DB
SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)
CVE-2020-1504608 Jul 2020
The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to
23RISK
open
Exploit-DB
Exhibitor Web UI 1.7.1 - Remote Code Execution
CVE-2019-5029CRITICAL07 Jul 2020
An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7
60RISK
open
Exploit-DB
Grafana 7.0.1 - Denial of Service (PoC)
CVE-2020-1337906 Jul 2020
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows
60RISK
open
Exploit-DB
RSA IG&L Aveksa 7.1.1 - Remote Code Execution
CVE-2019-3759MEDIUM06 Jul 2020
The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 cont
33RISK
open
Exploit-DB
BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution
CVE-2020-5902CRITICALunder attackransomware06 Jul 2020
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic
100RISK
open
Exploit-DB
BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution (PoC)
CVE-2020-5902CRITICALunder attackransomware05 Jul 2020
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic
100RISK
open
Exploit-DB
OCS Inventory NG 2.7 - Remote Code Execution
CVE-2020-1494702 Jul 2020
OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php bec
28RISK
open
Exploit-DB
mySCADA myPRO 7 - Hardcoded Credentials
CVE-2018-1131125 Jun 2020
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attack
28RISK
open
Exploit-DB
Lansweeper 7.2 - Incorrect Access Control
CVE-2020-1401123 Jun 2020
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin accoun
28RISK
open
Exploit-DB
FileRun 2019.05.21 - Reflected Cross-Site Scripting
CVE-2019-1290522 Jun 2020
FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman&section=do&page=up URI. This issue has been fixed
23RISK
open
Exploit-DB
WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting
CVE-2019-1246022 Jun 2020
Web Port 1.19.1 allows XSS via the /access/setup type parameter.
23RISK
open
Exploit-DB
WebPort 1.19.1 - Reflected Cross-Site Scripting
CVE-2019-1246122 Jun 2020
Web Port 1.19.1 allows XSS via the /log type parameter.
38RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.