Explotación pública
Catálogo de exploits
Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.
71.114exploits catalogados
31.649CVEs con explotación pública
0probados en laboratorio
TodosExploit-DB 22.469Referência 19.810GitHub PoC 13.116VulnCheck XDB 8069Nuclei 4188Metasploit 3462✓ solo verificadosrecientespopularesriesgo
22.467 exploits
Exploit-DB
Bludit 3.9.2 - Directory Traversal
Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .j
60RIESGO
abrir ↗Exploit-DB
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file downloa
70RIESGO
abrir ↗Exploit-DB
F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic
100RIESGO
abrir ↗Exploit-DB
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to b
78RIESGO
abrir ↗Exploit-DB
Bio Star 2.8.2 - Local File Inclusion
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary fi
50RIESGO
abrir ↗Exploit-DB
WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS.
23RIESGO
abrir ↗Exploit-DB
Docsify.js 4.11.4 - Reflective Cross-Site Scripting
docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters a
23RIESGO
abrir ↗Exploit-DB
WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.
23RIESGO
abrir ↗Exploit-DB
CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
23RIESGO
abrir ↗Exploit-DB
Zyxel Armor X1 WAP6806 - Directory Traversal
Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory Traversal via the images/eaZy/ URI.
23RIESGO
abrir ↗Exploit-DB
SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to
23RIESGO
abrir ↗Exploit-DB
BSA Radar 1.6.7234.24750 - Local File Inclusion
downloadFile.ashx in the Administrator section of the Surveillance module in Global RADAR BSA Radar 1.6.7234.24750 and e
23RIESGO
abrir ↗Exploit-DB
Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitr
60RIESGO
abrir ↗Exploit-DB
Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution
The ClearPass Policy Manager web interface is affected by a vulnerability that leads to authentication bypass. Upon succ
35RIESGO
abrir ↗Exploit-DB
CompleteFTP Professional 12.1.3 - Remote Code Execution
EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file.
23RIESGO
abrir ↗Exploit-DB
SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)
The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to
23RIESGO
abrir ↗Exploit-DB
BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)
Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can all
23RIESGO
abrir ↗Exploit-DB
Exhibitor Web UI 1.7.1 - Remote Code Execution
An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7
60RIESGO
abrir ↗Exploit-DB
Grafana 7.0.1 - Denial of Service (PoC)
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows
60RIESGO
abrir ↗Exploit-DB
BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic
100RIESGO
abrir ↗Exploit-DB
RSA IG&L Aveksa 7.1.1 - Remote Code Execution
The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 cont
33RIESGO
abrir ↗Exploit-DB
BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution (PoC)
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic
100RIESGO
abrir ↗Exploit-DB
OCS Inventory NG 2.7 - Remote Code Execution
OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php bec
28RIESGO
abrir ↗Exploit-DB
mySCADA myPRO 7 - Hardcoded Credentials
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attack
28RIESGO
abrir ↗Exploit-DB
Lansweeper 7.2 - Incorrect Access Control
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin accoun
28RIESGO
abrir ↗Exploit-DB
WebPort 1.19.1 - Reflected Cross-Site Scripting
Web Port 1.19.1 allows XSS via the /log type parameter.
38RIESGO
abrir ↗Exploit-DB
FileRun 2019.05.21 - Reflected Cross-Site Scripting
FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman§ion=do&page=up URI. This issue has been fixed
23RIESGO
abrir ↗Exploit-DB
WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting
Web Port 1.19.1 allows XSS via the /access/setup type parameter.
23RIESGO
abrir ↗Exploit-DB
Gila CMS 1.11.8 - 'query' SQL Injection
Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection.
28RIESGO
abrir ↗Exploit-DB
SOS JobScheduler 1.13.3 - Stored Password Decryption
A vulnerability based on insecure user/password encryption in the JOE (job editor) component of SOS JobScheduler 1.12 an
23RIESGO
abrir ↗Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.