Explotación pública
Catálogo de exploits
Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.
71.002exploits catalogados
31.582CVEs con explotación pública
TodosExploit-DB 22.467Referência 19.780GitHub PoC 13.048VulnCheck XDB 8060Nuclei 4185Metasploit 3462recientespopularesriesgo
71.002 exploits
GitHub PoC
CVE-2026-8181 — Burst Statistics WordPress plugin Authentication Bypass (CVSS 9.8) to Admin Account Takeover. Mass scanner with FOFA/Shodan integration and modern GUI.
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
68RIESGO
abrir ↗GitHub PoC
JohannesLks/CVE-2026-50338
Azure Spring Apps Elevation of Privilege Vulnerability
38RIESGO
abrir ↗VulnCheck XDB
initial-access
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary comman
60RIESGO
abrir ↗VulnCheck XDB
initial-access
Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
75RIESGO
abrir ↗GitHub PoC
Bartixxx32/CVE-2026-43499-OnePlus15
rtmutex: Use waiter::task instead of current in remove_waiter()
41RIESGO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46584: Apache Camel camel-mail mail.smtp.* header injection enabling credential theft via on-path SOCKS interception (fixed in 4.14.8/4.18.3/4.21.0)
Apache Camel Mail: The mail producer applied attacker-supplied message headers as JavaMail session properties, allowing an attacker to influence SMTP parameters
28RIESGO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46457 — Apache Camel camel-nats inbound header injection (Camel control-header injection via a NATS publisher; CamelHttpUri -> SSRF)
Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers
41RIESGO
abrir ↗GitHub PoC★ 3
Vulnerability analysis and Proof of Concept (PoC) for CVE-2026-43499 affecting Xiaomi devices. For educational and research purposes only.
rtmutex: Use waiter::task instead of current in remove_waiter()
41RIESGO
abrir ↗GitHub PoC★ 1
本次个人漏洞研究进展成果
rtmutex: Use waiter::task instead of current in remove_waiter()
41RIESGO
abrir ↗GitHub PoC
CVE-2026-53805 - Draft
NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API
48RIESGO
abrir ↗GitHub PoC
CVE-2026-49049 Helix3 (JoomShaper) Joomla Unauthenticated AJAX RCE Scanner
Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler
41RIESGO
abrir ↗GitHub PoC★ 11
CVE-2026-43724 - Apple's published enough advisories about the issue, I'm not getting paid for any of my kernel bugs.
The issue was addressed with improved input sanitization. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tah
41RIESGO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46454 — Apache Camel camel-cometd inbound Bayeux header injection (unauthenticated Camel control-header injection → downstream producer steering / RCE)
Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers
48RIESGO
abrir ↗VulnCheck XDB
initial-access
Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
78RIESGO
abrir ↗VulnCheck XDB
initial-access
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[
50RIESGO
abrir ↗GitHub PoC★ 3
Unauthenticated Arbitrary File/Folder Deletion in Joomla Helix Ultimate (JoomShaper) <= 2.2.6 — CVE-2026-57830
Joomla Extension - joomshaper.com - Unauthenticated arbitrary file deletion in Helix Ultimate < 2.2.7
41RIESGO
abrir ↗GitHub PoC★ 3
Unauthenticated Stored XSS in Joomla Helix Ultimate (JoomShaper) <= 2.2.6
Joomla Extension - joomshaper.com - Unauthenticated stored XSS in Helix Ultimate < 2.2.7
41RIESGO
abrir ↗GitHub PoC★ 1
CVE-2026-6307 - Google Chrome V8 Turbofan Type Confusion Sandbox Escape - PoC & Analysis | CVSS 8.8 HIGH | AMN SECURITY
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code
41RIESGO
abrir ↗GitHub PoC
nuclei template for CVE-2026-56291
Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
78RIESGO
abrir ↗GitHub PoC★ 1
Mendeteksi versi (passive detection) & Exploitation CVE POC
Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
78RIESGO
abrir ↗GitHub PoC★ 1
CVE-2026-40047 - Apache Camel Docling CLI Argument Injection - PoC & Analysis | CVSS 9.1 CRITICAL | AMN SECURITY
Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer
48RIESGO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46453 — Apache Camel camel-elasticsearch-rest-client unprefixed-header injection (operation/query override via inbound HTTP headers)
Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation
33RIESGO
abrir ↗GitHub PoC
Admin-only terminal bootstrap routes checked only for login state, which let a normal team member drive Coolify's realtime terminal backend and execute commands on team servers.
Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers
48RIESGO
abrir ↗GitHub PoC
Reproducer for CVE-2026-43867 — Apache Camel camel-pqc AwsSecretsManagerKeyLifecycleManager unsafe key-metadata deserialization (RCE)
Apache Camel: Camel-PQC: The AWS Secrets Manager key-lifecycle manager deserializes persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter
48RIESGO
abrir ↗GitHub PoC★ 1
CVE-2026-36214 - osTicket Stored XSS via Bootstrap Tooltip - PoC & Analysis | CVSS 8.7 HIGH | AMN SECURITY
osTicket versions from 1.10 up to 1.17.7 and from 1.18.0 up to 1.18.3 are vulnerable to a stored XSS due to a vulnerable
30RIESGO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46456 — Apache Camel camel-aws2-sqs inbound message-attribute header injection (Camel control-header injection via sqs:SendMessage → downstream producer steering / RCE)
Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers
48RIESGO
abrir ↗GitHub PoC
1beelze/CVE-2026-5118
Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'
48RIESGO
abrir ↗GitHub PoC★ 1
Android version CVE-2026-43499 tester
rtmutex: Use waiter::task instead of current in remove_waiter()
41RIESGO
abrir ↗GitHub PoC
OPPO Find X6 Pro GhostLock (CVE-2026-43499) exploit adaptation
rtmutex: Use waiter::task instead of current in remove_waiter()
41RIESGO
abrir ↗página 1 / 2367siguiente →
Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.