Explotación pública
Catálogo de exploits
Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.
71.062exploits catalogados
31.617CVEs con explotación pública
0probados en laboratorio
TodosExploit-DB 22.467Referência 19.791GitHub PoC 13.086VulnCheck XDB 8069Nuclei 4187Metasploit 3462✓ solo verificadosrecientespopularesriesgo
4187 exploits
Nucleihigh
OpenEMR <5.0.2 - Local File Inclusion
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can
50RIESGO
abrir ↗Nucleimedium
Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter.
43RIESGO
abrir ↗Nucleimedium
osTicket < 1.12.1 - Cross-Site Scripting
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It w
43RIESGO
abrir ↗Nucleimedium
Custom 404 Pro < 3.2.8 - Cross-Site Scripting
The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter.
18RIESGO
abrir ↗Nucleimedium
WP Live Chat Support <= 8.0.27 — Stored Cross-Site Scripting
The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.
18RIESGO
abrir ↗Nucleimedium
SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.
50RIESGO
abrir ↗Nucleihigh
Grafana - Improper Access Control
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run
30RIESGO
abrir ↗Nucleicritical
Webmin <= 1.920 - Unauthenticated Remote Command Execution
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnera
100RIESGO
abrir ↗Nucleimedium
L-Soft LISTSERV <16.5-2018a - Cross-Site Scripting
Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter.
38RIESGO
abrir ↗Nucleihigh
Webmin < 1.920 - Authenticated Remote Code Execution
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise
50RIESGO
abrir ↗Nucleimedium
WordPress My Calendar <= 3.1.9 - Cross-Site Scripting
The my-calendar plugin before 3.1.10 for WordPress has XSS.
18RIESGO
abrir ↗Nucleimedium
ND Booking < 2.5 - Unauthenticated Options Change
The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting
18RIESGO
abrir ↗Nucleimedium
DomainMOD <=4.13.0 - Cross-Site Scripting
In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS.
38RIESGO
abrir ↗Nucleihigh
WPS Hide Login <= 1.5.2.2 - Login Page Bypass
The wps-hide-login plugin before 1.5.3 for WordPress has an action=confirmaction protection bypass.
18RIESGO
abrir ↗Nucleimedium
Gallery Photoblocks < 1.1.43 - Cross-Site Scripting
The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS.
18RIESGO
abrir ↗Nucleihigh
WordPress Woody Ad Snippets <2.2.5 - Cross-Site Scripting/Remote Code Execution
admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthentica
23RIESGO
abrir ↗Nucleicritical
Socomec DIRIS A-40 Devices Password Disclosure
Password disclosure in the web interface on socomec DIRIS A-40 devices before 48250501 allows a remote attacker to get f
30RIESGO
abrir ↗Nucleimedium
WordPress Download Manager <2.9.94 - Cross-Site Scripting
The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by t
53RIESGO
abrir ↗Nucleicritical
D-Link DNS-320 - Remote Code Execution
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
95RIESGO
abrir ↗Nucleicritical
Enigma NMS < 65.0.0 - Authenticated OS Command Injection
An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows
43RIESGO
abrir ↗Nucleimedium
Harbor <=1.82.0 - Privilege Escalation
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users A
23RIESGO
abrir ↗Nucleihigh
PilusCart <=1.4.1 - Local File Inclusion
In Kartatopia PilusCart 1.4.1, the parameter filename in the file catalog.php is mishandled, leading to ../ Local File D
23RIESGO
abrir ↗Nucleicritical
nostromo 1.9.6 - Remote Code Execution
Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote co
100RIESGO
abrir ↗Nucleihigh
ifw8 Router ROM v4.31 - Credential Discovery
ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code.
30RIESGO
abrir ↗Nucleimedium
WordPress API Bearer Auth <20190907 - Cross-Site Scripting
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagg
18RIESGO
abrir ↗Nucleihigh
Adobe Experience Manager - Expression Language Injection
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability.
23RIESGO
abrir ↗Nucleimedium
WordPress Checklist <1.1.9 - Cross-Site Scripting
An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filt
18RIESGO
abrir ↗Nucleihigh
Cisco Small Business WAN VPN Routers - Sensitive Information Disclosure
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
100RIESGO
abrir ↗Nucleicritical
rConfig 3.9.2 - Remote Code Execution
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to a
60RIESGO
abrir ↗Nucleicritical
vBulletin 5.0.0-5.5.4 - Remote Command Execution
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widge
100RIESGO
abrir ↗Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.