Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
22,467 exploits
Exploit-DB
YOURLS 1.8.2 - Cross-Site Request Forgery (CSRF)
CVE-2022-0088LOW02 Dec 2025
Cross-Site Request Forgery (CSRF) in yourls/yourls
28RISK
open
Exploit-DB
Piwigo 13.6.0 - SQL Injection
CVE-2023-33362CRITICAL02 Dec 2025
Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.
48RISK
open
Exploit-DB
phpIPAM 1.6 - Reflected Cross-Site Scripting (XSS)
CVE-2024-41358MEDIUM02 Dec 2025
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php.
33RISK
open
Exploit-DB
phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
CVE-2022-3766HIGH02 Dec 2025
Cross-site Scripting (XSS) - Reflected in thorsten/phpmyfaq
56RISK
open
Exploit-DB
Flowise 3.0.4 - Remote Code Execution (RCE)
CVE-2025-59528CRITICAL31 Oct 2025
Flowise has Remote Code Execution vulnerability
85RISK
open
Exploit-DB
Casdoor 2.95.0 - Cross-Site Request Forgery (CSRF)
CVE-2023-3492729 Oct 2025
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
23RISK
open
Exploit-DB
Mbed TLS 3.6.4 - Use-After-Free
CVE-2025-47917HIGH16 Sep 2025
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance wit
41RISK
open
Exploit-DB
HTMLDOC 1.9.13 - Stack Buffer Overflow
CVE-2021-4357916 Sep 2025
A stack-based buffer overflow in image_load_bmp() in HTMLDOC <= 1.9.13 results in remote code execution if the victim co
23RISK
open
Exploit-DB
dotCMS 25.07.02-1 - Authenticated Blind SQL Injection
CVE-2025-8311CRITICAL16 Sep 2025
dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpo
48RISK
open
Exploit-DB
HTTP/2 2.0 - Denial Of Service (DOS)
CVE-2023-44487HIGHunder attack16 Sep 2025
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many
93RISK
open
Exploit-DB
XWiki Platform 15.10.10 - Metasploit Module for Remote Code Execution (RCE)
CVE-2025-24893CRITICALunder attack16 Sep 2025
Remote code execution as guest via SolrSearchMacros request in xwiki
100RISK
open
Exploit-DB
Casdoor 2.55.0 - Cross-Site Request Forgery (CSRF)
CVE-2023-3492716 Sep 2025
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
23RISK
open
Exploit-DB
Tourism Management System 2.0 - Arbitrary Shell Upload
CVE-2025-57642HIGH16 Sep 2025
A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP she
41RISK
open
Exploit-DB
ClipBucket 5.5.0 - Arbitrary File Upload
CVE-2025-55912HIGH16 Sep 2025
An issue in ClipBucket 5.5.0 and prior versions allows an unauthenticated attacker can exploit the plupload endpoint in
41RISK
open
Exploit-DB
GeoVision ASManager Windows Application 6.1.2.0 - Credentials Disclosure
CVE-2025-26263MEDIUM26 Aug 2025
GeoVision ASManager Windows desktop application with the version 6.1.2.0 or less (fixed in 6.2.0), is vulnerable to cred
33RISK
open
Exploit-DB
GeoVision ASManager Windows Application 6.1.2.0 - Remote Code Execution (RCE)
CVE-2025-26264HIGH26 Aug 2025
GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerabili
46RISK
open
Exploit-DB
Ivanti Endpoint Manager Mobile 12.5.0.0 - Authentication Bypass
CVE-2025-4427MEDIUMunder attack26 Aug 2025
Authentication Bypass
100RISK
open
Exploit-DB
Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure
CVE-2025-6082MEDIUM26 Aug 2025
Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure
33RISK
open
Exploit-DB
StoryChief Wordpress Plugin 1.0.42 - Arbitrary File Upload
CVE-2025-7441CRITICAL26 Aug 2025
StoryChief <= 1.0.42 - Unauthenticated Arbitrary File Upload
75RISK
open
Exploit-DB
PHPMyAdmin 3.0 - Bruteforce Login Bypass
CVE-2015-683018 Aug 2025
libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allo
23RISK
open
Exploit-DB
BigAnt Office Messenger 5.6.06 - SQL Injection
CVE-2024-54761MEDIUM18 Aug 2025
BigAnt Office Messenger 5.6.06 is vulnerable to SQL Injection via the 'dev_code' parameter.
33RISK
open
Exploit-DB
Microsoft Windows 10.0.19045 - NTLMv2 Hash Disclosure
CVE-2025-50154MEDIUM18 Aug 2025
Microsoft Windows File Explorer Spoofing Vulnerability
38RISK
open
Exploit-DB
Tenda AC20 16.03.08.12 - Command Injection
CVE-2025-9090MEDIUM18 Aug 2025
Tenda AC20 Telnet Service telnet websFormDefine command injection
38RISK
open
Exploit-DB
Lantronix Provisioning Manager 7.10.3 - XML External Entity Injection (XXE)
CVE-2025-7766HIGH18 Aug 2025
Lantronix Provisioning Manager Improper Restriction of XML External Entity Reference
41RISK
open
Exploit-DB
RiteCMS 3.0.0 - Reflected Cross Site Scripting (XSS)
CVE-2024-28623MEDIUM18 Aug 2025
RiteCMS v3.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component main_menu/edit_sec
48RISK
open
Exploit-DB
Microsoft Edge Renderer Process (Mojo IPC) 134.0.6998.177 - Sandbox Escape
CVE-2025-2783HIGHunder attack11 Aug 2025
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allow
71RISK
open
Exploit-DB
JetBrains TeamCity 2023.11.4 - Authentication Bypass
CVE-2024-27198CRITICALunder attackransomware11 Aug 2025
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
100RISK
open
Exploit-DB
Ghost CMS 5.59.1 - Arbitrary File Read
CVE-2023-40028MEDIUM11 Aug 2025
Arbitrary file read via symlinks in Ghost
45RISK
open
Exploit-DB
Ghost CMS 5.42.1 - Path Traversal
CVE-2023-32235HIGH11 Aug 2025
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2
68RISK
open
Exploit-DB
Tigo Energy Cloud Connect Advanced (CCA) 4.0.1 - Command Injection
CVE-2025-7769HIGH11 Aug 2025
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Tigo Energy Cloud Connect Advanced
46RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.