Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.114exploits catalogados
31.649CVEs con explotación pública
0probados en laboratorio
4187 exploits
Nucleimedium
Traefik - Open Redirect
Open redirect in Traefik
28RIESGO
abrir
Nucleicritical
Yii 2 < 2.0.38 - Remote Code Execution
Unsafe deserialization in Yii 2
58RIESGO
abrir
Nucleicritical
Nette Framework - Remote Code Execution
Remote Code Execution vulnerability
68RIESGO
abrir
Nucleicritical
DrayTek Vigor - Command Injection
CVE-2020-15415CRITICALbajo ataque
On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote
95RIESGO
abrir
Nucleimedium
TileServer GL <=3.0.0 - Cross-Site Scripting
An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected u
43RIESGO
abrir
Nucleicritical
MobileIron Core & Connector <= v10.6 & Sentry <= v9.8 - Remote Code Execution
CVE-2020-15505CRITICALbajo ataque
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
100RIESGO
abrir
Nucleicritical
TerraMaster TOS <.1.29 - Remote Code Execution
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic cla
43RIESGO
abrir
Nucleimedium
RosarioSIS 6.7.2 - Cross-Site Scripting
RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php sc
38RIESGO
abrir
Nucleihigh
Gogs 0.5.5 - 0.12.2 - Remote Code Execution
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privile
40RIESGO
abrir
Nucleimedium
D-Link DIR-816L 2.x - Cross-Site Scripting
An XSS issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. In the file webinc/js/info.php, no outp
18RIESGO
abrir
Nucleicritical
Tiki Wiki CMS GroupWare - Authentication Bypass
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
23RIESGO
abrir
Nucleicritical
Mida eFramework <=2.9.0 - Remote Command Execution
There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Executi
60RIESGO
abrir
Nucleihigh
Cisco Unified IP Conference Station 7937G - Denial-of-Service
A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the de
40RIESGO
abrir
Nucleimedium
Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)
Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this mi
18RIESGO
abrir
Nucleicritical
SaltStack <=3002 - Shell Injection
CVE-2020-16846CRITICALbajo ataque
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH clien
100RIESGO
abrir
Nucleihigh
Microsoft SharePoint - Remote Code Execution
Microsoft SharePoint Remote Code Execution Vulnerability
58RIESGO
abrir
Nucleimedium
Nova Lite < 1.3.9 - Cross-Site Scripting
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
18RIESGO
abrir
Nucleimedium
WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
43RIESGO
abrir
Nucleicritical
SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution
SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi pa
60RIESGO
abrir
Nucleicritical
Fuel CMS 1.4.7 - SQL Injection
CVE-2020-17463CRITICALbajo ataque
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
100RIESGO
abrir
Nucleicritical
vBulletin 5.5.4 - 5.6.2- Remote Command Execution
CVE-2020-17496CRITICALbajo ataque
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbe
100RIESGO
abrir
Nucleihigh
Artica Web Proxy 4.30 - OS Command Injection
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter i
40RIESGO
abrir
Nucleicritical
Artica Web Proxy 4.30 - Authentication Bypass/SQL Injection
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator p
60RIESGO
abrir
Nucleihigh
Apache Flink 1.5.1 - Local File Inclusion
Apache Flink directory traversal attack: remote file writing through the REST API
50RIESGO
abrir
Nucleihigh
Apache Flink - Local File Inclusion
CVE-2020-17519CRITICALbajo ataque
Apache Flink directory traversal attack: reading remote files through the REST API
100RIESGO
abrir
Nucleihigh
Apache Airflow <1.10.14 - Authentication Bypass
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a maliciou
23RIESGO
abrir
Nucleicritical
Apache Struts 2.0.0-2.5.25 - Remote Code Execution
CVE-2020-17530CRITICALbajo ataque
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected
100RIESGO
abrir
Nucleimedium
Z-Blog <=1.5.2 - Open Redirect
Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect"
18RIESGO
abrir
Nucleimedium
Jeesns 1.4.2 - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in Jeesns 1.4.2 allows attackers to execute arbitrary web scripts o
18RIESGO
abrir
Nucleimedium
Jeesns 1.4.2 - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in the /newVersion component of Jeesns 1.4.2 allows attackers to ex
18RIESGO
abrir

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.