Explotación pública
Catálogo de exploits
Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.
71.062exploits catalogados
31.617CVEs con explotación pública
0probados en laboratorio
TodosExploit-DB 22.467Referência 19.791GitHub PoC 13.086VulnCheck XDB 8069Nuclei 4187Metasploit 3462✓ solo verificadosrecientespopularesriesgo
4187 exploits
Nucleihigh
Drupal avatar_uploader v7.x-1.0-beta8 - Local File Inclusion
Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesn't verify users or sanitize the file path.
50RIESGO
abrir ↗Nucleicritical
Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
60RIESGO
abrir ↗Nucleicritical
Etherpad Lite <1.6.4 - Admin Authentication Bypass
Etherpad Lite before 1.6.4 is exploitable for admin access.
23RIESGO
abrir ↗Nucleicritical
TBK DVR4104/DVR4216 Devices - Authentication Bypass
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR L
60RIESGO
abrir ↗Nucleicritical
ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE)
ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/con
18RIESGO
abrir ↗Nucleicritical
Apache Solr - Deserialization of Untrusted Data
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP
60RIESGO
abrir ↗Nucleihigh
Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources,
100RIESGO
abrir ↗Nucleimedium
Apache Tomcat - Cross-Site Scripting
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided
50RIESGO
abrir ↗Nucleicritical
Apache Struts <=2.5.20 - Remote Code Execution
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lea
60RIESGO
abrir ↗Nucleihigh
Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0
60RIESGO
abrir ↗Nucleihigh
Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
60RIESGO
abrir ↗Nucleicritical
Kentico CMS Insecure Deserialization Remote Code Execution
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions
100RIESGO
abrir ↗Nucleimedium
Apache HTTP Server <=2.4.39 - HTML Injection/Partial Cross-Site Scripting
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page
60RIESGO
abrir ↗Nucleimedium
Apache HTTP server v2.4.0 to v2.4.39 - Open Redirect
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential m
60RIESGO
abrir ↗Nucleimedium
Timesheet Next Gen <=1.5.3 - Cross-Site Scripting
Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to ex
18RIESGO
abrir ↗Nucleimedium
Babel - Open Redirect
Babel: Multilingual site Babel All is affected by: Open Redirection. The impact is: Redirection to any URL, which is sup
18RIESGO
abrir ↗Nucleicritical
Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php.
23RIESGO
abrir ↗Nucleimedium
Jenkins <=2.196 - Cookie Exposure
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/
30RIESGO
abrir ↗Nucleimedium
Jenkins build-metrics 1.3 - Cross-Site Scripting
A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML
50RIESGO
abrir ↗Nucleicritical
WordPress Google Maps <7.11.18 - SQL Injection
In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize
40RIESGO
abrir ↗Nucleihigh
BlogEngine.NET 3.3.7.0 - Local File Inclusion
BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter.
18RIESGO
abrir ↗Nucleicritical
mongo-express Remote Code Execution
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse
100RIESGO
abrir ↗Nucleimedium
Nimble Streamer <=3.5.4-9 - Local File Inclusion
Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow
43RIESGO
abrir ↗Nucleihigh
Debug Endpoint pprof - Exposure Detection
Kubernetes kubelet exposes /debug/pprof info on healthz port
40RIESGO
abrir ↗Nucleihigh
Kubernetes API Server - YAML Parsing DoS (Billion Laughs)
Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
41RIESGO
abrir ↗Nucleimedium
Carel pCOWeb <B1.2.4 - Cross-Site Scripting
Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" f
38RIESGO
abrir ↗Nucleimedium
Pulse Secure Pulse Connect Secure - Cross-Site Scripting (Reflected)
In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on t
28RIESGO
abrir ↗Nucleicritical
Pulse Connect Secure SSL VPN Arbitrary File Read
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthent
100RIESGO
abrir ↗Nucleicritical
Atlassian Crowd and Crowd Data Center - Unauthenticated Remote Code Execution
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attac
100RIESGO
abrir ↗Nucleicritical
Atlassian Jira Server-Side Template Injection
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators an
100RIESGO
abrir ↗Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.