Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,180cataloged exploits
31,691CVEs with public exploitation
0lab-tested
AllExploit-DB 22,469Referência 19,841GitHub PoC 13,140VulnCheck XDB 8,078Nuclei 4,190Metasploit 3,462✓ verified onlyrecentpopularrisk
22,469 exploits
Exploit-DB
Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userMan
23RISK
open ↗Exploit-DB
Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zon
28RISK
open ↗Exploit-DB
Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zon
23RISK
open ↗Exploit-DB
Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zon
23RISK
open ↗Exploit-DB
XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued.
23RISK
open ↗Exploit-DB
Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC)
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
60RISK
open ↗Exploit-DB
XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discont
23RISK
open ↗Exploit-DB
Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC)
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src
60RISK
open ↗Exploit-DB
Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC)
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
60RISK
open ↗Exploit-DB
MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped file
28RISK
open ↗Exploit-DB
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via l
98RISK
open ↗Exploit-DB
mIRC < 7.55 - 'Custom URI Protocol Handlers' Remote Command Execution
mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The a
45RISK
open ↗Exploit-DB
Master IP CAM 01 3.3.4.2103 - Remote Command Execution
MASTER IPCAMERA01 3.3.4.2103 devices allow Remote Command Execution, related to the thttpd component.
35RISK
open ↗Exploit-DB
Webiness Inventory 2.3 - 'ProductModel' Arbitrary File Upload
An issue was discovered in Webiness Inventory 2.3. The ProductModel component allows Arbitrary File Upload via a crafted
23RISK
open ↗Exploit-DB
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.
38RISK
open ↗Exploit-DB
WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing
The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN messages.
28RISK
open ↗Exploit-DB
qdPM 9.1 - 'type' Cross-Site Scripting
qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter.
23RISK
open ↗Exploit-DB
Jinja2 2.10 - 'from_string' Server Side Template Injection
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where
35RISK
open ↗Exploit-DB
MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / Cross-Site Request Forgery
Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CS
23RISK
open ↗Exploit-DB
Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because
28RISK
open ↗Exploit-DB
DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting
DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
38RISK
open ↗Exploit-DB
WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection
SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary
28RISK
open ↗Exploit-DB
DomainMOD 4.11.01 - 'ssl-accounts.php username' Cross-Site Scripting
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field.
38RISK
open ↗Exploit-DB
DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting
DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.
38RISK
open ↗Exploit-DB
LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_
23RISK
open ↗Exploit-DB
DomainMOD 4.11.01 - 'ssl-provider-name' Cross-Site Scripting
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Provider Name or SSL Provider URL field.
38RISK
open ↗Exploit-DB
DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting
DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
38RISK
open ↗Exploit-DB
Apple macOS 10.13.5 - Local Privilege Escalation
An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Windows Ser
23RISK
open ↗Exploit-DB
Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting
Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.
23RISK
open ↗Exploit-DB
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc b
60RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.