Explotación pública
Catálogo de exploits
Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.
71.180exploits catalogados
31.691CVEs con explotación pública
0probados en laboratorio
TodosExploit-DB 22.469Referência 19.841GitHub PoC 13.140VulnCheck XDB 8078Nuclei 4190Metasploit 3462✓ solo verificadosrecientespopularesriesgo
4190 exploits
Nucleihigh
Java-springboot-codebase 1.1 - Arbitrary File Read
Unauthenticated Arbitrary File Read via Absolute Path
56RIESGO
abrir ↗Nucleicritical
Mitel 6000 - OS Command Injection
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and th
40RIESGO
abrir ↗Nucleimedium
Bootstrap Multiselect <= 1.1.2 - Cross-Site Scripting
An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the sour
28RIESGO
abrir ↗Nucleihigh
Personal Weather Station Dashboard 12 - Directory Traversal
Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ direct
28RIESGO
abrir ↗Nucleihigh
WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download
WordPress Eventin plugin <= 4.0.26 - Arbitrary File Download Vulnerability
36RIESGO
abrir ↗Nucleicritical
Eventin <= 4.0.26 - Privilege Escalation
WordPress Eventin plugin <= 4.0.26 - Privilege Escalation Vulnerability
75RIESGO
abrir ↗Nucleihigh
TI WooCommerce Wishlist <= 2.9.2 - Arbitrary File Upload
WordPress TI WooCommerce Wishlist plugin <= 2.9.2 - Arbitrary File Upload Vulnerability
63RIESGO
abrir ↗Nucleicritical
PSW Front-end Login & Registration 1.13 - Weak Password Recovery
WordPress PSW Front-end Login & Registration plugin <= 1.13 - Broken Authentication Vulnerability
68RIESGO
abrir ↗Nucleimedium
Label Studio < 1.18.0 - Reflected XSS
label-studio vulnerable to Cross-Site Scripting (Reflected) via the label_config parameter.
36RIESGO
abrir ↗Nucleicritical
Wing FTP Server <= 7.4.3 - Remote Code Execution
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection o
100RIESGO
abrir ↗Nucleimedium
Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a
70RIESGO
abrir ↗Nucleicritical
Invision Community <=5.0.6 Unauthenticated RCE via Template Injection
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The
85RIESGO
abrir ↗Nucleicritical
WordPress Formality Plugin <= 1.5.9 - Local File Inclusion
WordPress Formality <= 1.5.9 - Local File Inclusion Vulnerability
36RIESGO
abrir ↗Nucleicritical
MyStyle Custom Product Designer <= 3.21.1 - SQL Injection
WordPress MyStyle Custom Product Designer plugin <= 3.21.1 - SQL Injection Vulnerability
43RIESGO
abrir ↗Nucleicritical
CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell
100RIESGO
abrir ↗Nucleicritical
vBulletin 5.0.0-6.0.3 - Authentication Bypass
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers'
85RIESGO
abrir ↗Nucleicritical
vBulletin replaceAdTemplate - Remote Code Execution
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the t
75RIESGO
abrir ↗Nucleihigh
Discourse OAuth Social Login - Cross-site Scripting
Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow
36RIESGO
abrir ↗Nucleicritical
DataEase < 2.10.10 - JWT Authentication Bypass
Dataease Authentication Bypass Vulnerability
41RIESGO
abrir ↗Nucleihigh
DataEase - Remote Code Execution
Dataease H2 Database Remote Code Execution (RCE) Bypass Vulnerability
48RIESGO
abrir ↗Nucleihigh
WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution
WordPress Custom Login And Signup Widget plugin <= 1.0 - Arbitrary Code Execution vulnerability
63RIESGO
abrir ↗Nucleicritical
Roundcube Webmail - Remote Code Execution
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the
100RIESGO
abrir ↗Nucleicritical
Pterodactyl Panel - Remote Code Execution
Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
68RIESGO
abrir ↗Nucleicritical
Akamai CloudTest < 60 2025.06.02 - XML External Entity (XXE)
Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.
48RIESGO
abrir ↗Nucleicritical
Adobe Experience Manager Forms - Insecure Deserialization
Adobe Experience Manager (MS) | Deserialization of Untrusted Data (CWE-502)
55RIESGO
abrir ↗Nucleicritical
MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution
MCP Inspector proxy server lacks authentication between the Inspector client and proxy
75RIESGO
abrir ↗Nucleimedium
Microsoft SharePoint Server - Authentication Bypass
Microsoft SharePoint Server Spoofing Vulnerability
100RIESGO
abrir ↗Nucleicritical
Teleport - Authentication Bypass
Teleport allows remote authentication bypass
43RIESGO
abrir ↗Nucleimedium
Heimdall - Host Header Injection & Open Redirect
LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically
43RIESGO
abrir ↗Nucleicritical
Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
Deserialization of Untrusted Data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025
95RIESGO
abrir ↗Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.