Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.062exploits catalogados
31.617CVEs con explotación pública
0probados en laboratorio
13.086 exploits
GitHub PoC1
Defensive research notes for CVE-2026-5950, a BIND 9 resolver DoS vulnerability credited to Billy Baraja (BielraX).
CVE-2026-5950MEDIUM14 jun 2026
Unbounded resend loop in BIND 9 resolver
33RIESGO
abrir
GitHub PoC
webshellseo8/CVE-2026-53787-POC-
CVE-2026-53787CRITICAL14 jun 2026
Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload
63RIESGO
abrir
GitHub PoC
JupyterHub XSRF bypass via cross-origin form POST (Sec-Fetch-Mode: no-cors) — CWE-352
CVE-2026-40864MEDIUM13 jun 2026
JupyterHub: Cross-origin form POSTs bypass XSRF
33RIESGO
abrir
GitHub PoC
A lightweight stdio-based MCP server for local file system operations — read, write, edit, search, exec for AI assistants. Specially optimized for Chatbox: bat-bypass for exec (CVE-2026-6130), b64 encoding to eliminate escaping issues, and multi-pattern regex for precise code block targeting.
CVE-2026-6130MEDIUM13 jun 2026
chatboxai chatbox Model Context Protocol Server Management System ipc-stdio-transport.ts StdioClientTransport os command injection
33RIESGO
abrir
GitHub PoC
Technical writeup and Proof of Concept (PoC) for CVE-2026-11417: OS Command Injection / Remote Code Execution (RCE) in AWS CDK's NodejsFunction.
CVE-2026-11417HIGH13 jun 2026
OS Command Injection in NodejsFunction Bundling in aws-cdk-lib
41RIESGO
abrir
GitHub PoC1
CVE-2021-21425 - GravCMS 1.10.7 Unauthenticated RCE via Scheduler. Improved exploit with CLI args and auto base64 encoding.
CVE-2021-21425CRITICAL13 jun 2026
Unauthenticated Arbitrary YAML Write/Update leads to Code Execution
85RIESGO
abrir
GitHub PoC
87achrafg-stack/CVE-2026-6279
CVE-2026-6279CRITICAL13 jun 2026
Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler
48RIESGO
abrir
GitHub PoC
AISec Plus Week 1 threat write-up — EchoLeak (CVE-2025-32711), zero-click indirect prompt injection in Microsoft 365 Copilot.
CVE-2025-32711CRITICAL13 jun 2026
M365 Copilot Information Disclosure Vulnerability
48RIESGO
abrir
GitHub PoC
CyruxSec/CVE-2026-4524
CVE-2026-4524MEDIUM13 jun 2026
Authentication Bypass Using an Alternate Path or Channel in GitLab
33RIESGO
abrir
GitHub PoC
SQL Injection in Dagster database I/O managers via dynamic partition keys (DuckDB/Snowflake/BigQuery/DeltaLake) — High
CVE-2026-41490HIGH13 jun 2026
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
41RIESGO
abrir
GitHub PoC
Some labs looking at the xz backdoor vulnerability (CVE-2024-3094)
CVE-2024-3094CRITICAL13 jun 2026
Xz: malicious code in distributed source
70RIESGO
abrir
GitHub PoC1
(phpBB authentication bypass)
CVE-2026-48611CRITICAL13 jun 2026
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or
63RIESGO
abrir
GitHub PoC2
HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.
CVE-2026-49975HIGH13 jun 2026
Apache HTTP Server: mod_http2 denial of service
46RIESGO
abrir
GitHub PoC2
HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.
CVE-2026-49975HIGH13 jun 2026
Apache HTTP Server: mod_http2 denial of service
46RIESGO
abrir
GitHub PoC1
CVE-2026-45447
CVE-2026-45447HIGH13 jun 2026
Heap Use-After-Free in the PKCS7_verify() Function
41RIESGO
abrir
GitHub PoC
CVE-2018-9276 — PRTG Network Monitor < 18.2.39 Authenticated RCE. For educational purposes and authorized penetration testing only.
CVE-2018-9276HIGHbajo ataque13 jun 2026
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administra
100RIESGO
abrir
GitHub PoC
rootdirective-sec/CVE-2026-42647-Lab
CVE-2026-42647CRITICAL13 jun 2026
WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability
63RIESGO
abrir
GitHub PoC1
CVE-2026-6279
CVE-2026-6279CRITICAL13 jun 2026
Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler
48RIESGO
abrir
GitHub PoC1
HTTP/2 Bomb: HPACK indexed-reference amplification + flow-control stall. A high school student's full protocol analysis (LaTeX). CVE-2026-49975, CVE-2026-47774.
CVE-2026-49975HIGH13 jun 2026
Apache HTTP Server: mod_http2 denial of service
46RIESGO
abrir
GitHub PoC
Remote Code Execution in DbGate via functionName injection in the loadReader endpoint — CVSS 8.8
CVE-2026-48017HIGH13 jun 2026
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
41RIESGO
abrir
GitHub PoC1
Hunt-Benito/glinet-beryl-ax-triple-rce-cve-2026-11450-11451-11452-unauthenticated-root-on-travel-router
CVE-2026-11450MEDIUM13 jun 2026
GL.iNet GL-MT3000 Path Normalization dlopen command injection
33RIESGO
abrir
GitHub PoC
webshellseo8/CVE-2026-1555-POC
CVE-2026-1555CRITICAL13 jun 2026
WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload
48RIESGO
abrir
GitHub PoC1
razureink/cve-2026-49975-http2bomb_reproduction
CVE-2026-49975HIGH13 jun 2026
Apache HTTP Server: mod_http2 denial of service
46RIESGO
abrir
GitHub PoC3
CVE-2026-20253
CVE-2026-20253CRITICALbajo ataque13 jun 2026
Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
100RIESGO
abrir
GitHub PoC
J1nKsC/CVE-2024-4367_test
CVE-2024-4367MEDIUM13 jun 2026
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js c
55RIESGO
abrir
GitHub PoC
87achrafg-stack/CVE-2026-48907
CVE-2026-48907CRITICALbajo ataque13 jun 2026
Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
100RIESGO
abrir
GitHub PoC
ExifTool RCE exploit (CVE-2021-22204) - improved version, no exiftool dependency
CVE-2021-22204MEDIUMbajo ataque13 jun 2026
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code exec
100RIESGO
abrir
GitHub PoC
CVE-2025-55182 exploit script
CVE-2025-55182CRITICALbajo ataqueransomware13 jun 2026
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RIESGO
abrir
GitHub PoC
Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter
CVE-2026-8809CRITICAL12 jun 2026
Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter
48RIESGO
abrir
GitHub PoC
This project simulates a real-world attack-and-defend scenario across two virtual machines. You will exploit a critical pre-authentication RCE vulnerability (CVE-2025-32433) in an Erlang/OTP SSH server, crack extracted password hashes, and then harden the victim machine with firewall rules and patching.
CVE-2025-32433CRITICALbajo ataque12 jun 2026
Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
100RIESGO
abrir

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.