Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.062exploits catalogados
31.617CVEs con explotación pública
0probados en laboratorio
4187 exploits
Nucleihigh
Drupal avatar_uploader v7.x-1.0-beta8 - Local File Inclusion
Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesn't verify users or sanitize the file path.
50RIESGO
abrir
Nucleicritical
Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
60RIESGO
abrir
Nucleicritical
Etherpad Lite <1.6.4 - Admin Authentication Bypass
Etherpad Lite before 1.6.4 is exploitable for admin access.
23RIESGO
abrir
Nucleicritical
TBK DVR4104/DVR4216 Devices - Authentication Bypass
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR L
60RIESGO
abrir
Nucleicritical
ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE)
ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/con
18RIESGO
abrir
Nucleicritical
Apache Solr - Deserialization of Untrusted Data
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP
60RIESGO
abrir
Nucleihigh
Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
CVE-2019-0193HIGHbajo ataque
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources,
100RIESGO
abrir
Nucleimedium
Apache Tomcat - Cross-Site Scripting
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided
50RIESGO
abrir
Nucleicritical
Apache Struts <=2.5.20 - Remote Code Execution
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lea
60RIESGO
abrir
Nucleihigh
Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0
60RIESGO
abrir
Nucleihigh
Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
60RIESGO
abrir
Nucleicritical
Kentico CMS Insecure Deserialization Remote Code Execution
CVE-2019-10068CRITICALbajo ataque
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions
100RIESGO
abrir
Nucleimedium
Apache HTTP Server <=2.4.39 - HTML Injection/Partial Cross-Site Scripting
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page
60RIESGO
abrir
Nucleimedium
Apache HTTP server v2.4.0 to v2.4.39 - Open Redirect
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential m
60RIESGO
abrir
Nucleimedium
Timesheet Next Gen <=1.5.3 - Cross-Site Scripting
Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to ex
18RIESGO
abrir
Nucleimedium
Babel - Open Redirect
Babel: Multilingual site Babel All is affected by: Open Redirection. The impact is: Redirection to any URL, which is sup
18RIESGO
abrir
Nucleicritical
Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php.
23RIESGO
abrir
Nucleimedium
Jenkins <=2.196 - Cookie Exposure
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/
30RIESGO
abrir
Nucleimedium
Jenkins build-metrics 1.3 - Cross-Site Scripting
A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML
50RIESGO
abrir
Nucleicritical
WordPress Google Maps <7.11.18 - SQL Injection
In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize
40RIESGO
abrir
Nucleihigh
BlogEngine.NET 3.3.7.0 - Local File Inclusion
BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter.
18RIESGO
abrir
Nucleicritical
mongo-express Remote Code Execution
CVE-2019-10758CRITICALbajo ataque
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse
100RIESGO
abrir
Nucleimedium
Nimble Streamer <=3.5.4-9 - Local File Inclusion
Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow
43RIESGO
abrir
Nucleihigh
Debug Endpoint pprof - Exposure Detection
Kubernetes kubelet exposes /debug/pprof info on healthz port
40RIESGO
abrir
Nucleihigh
Kubernetes API Server - YAML Parsing DoS (Billion Laughs)
Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
41RIESGO
abrir
Nucleimedium
Carel pCOWeb <B1.2.4 - Cross-Site Scripting
Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" f
38RIESGO
abrir
Nucleimedium
Pulse Secure Pulse Connect Secure - Cross-Site Scripting (Reflected)
In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on t
28RIESGO
abrir
Nucleicritical
Pulse Connect Secure SSL VPN Arbitrary File Read
CVE-2019-11510CRITICALbajo ataqueransomware
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthent
100RIESGO
abrir
Nucleicritical
Atlassian Crowd and Crowd Data Center - Unauthenticated Remote Code Execution
CVE-2019-11580CRITICALbajo ataqueransomware
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attac
100RIESGO
abrir
Nucleicritical
Atlassian Jira Server-Side Template Injection
CVE-2019-11581CRITICALbajo ataque
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators an
100RIESGO
abrir

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.