Explotación pública
Catálogo de exploits
Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.
71.180exploits catalogados
31.691CVEs con explotación pública
0probados en laboratorio
TodosExploit-DB 22.469Referência 19.841GitHub PoC 13.140VulnCheck XDB 8078Nuclei 4190Metasploit 3462✓ solo verificadosrecientespopularesriesgo
4190 exploits
Nucleihigh
TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal
TRUfusion Enterprise through 7.10.4.0 exposes the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint to unau
41RIESGO
abrir ↗Nucleicritical
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
Kentico Xperience <= 13.0.172 Staging Sync Server Digest Password Authentication Bypass
100RIESGO
abrir ↗Nucleicritical
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006)
Kentico Xperience <= 13.0.178 Staging Sync Server None Password Type Authentication Bypass
100RIESGO
abrir ↗Nucleimedium
Kentico Xperience CMS - Unauthenticated Stored XSS
Kentico Xperience stored cross-site scripting in multiple-file upload functionality
60RIESGO
abrir ↗Nucleimedium
GeoServer - Missing Authorization on REST API Index
GeoServer Missing Authorization on REST API Index
28RIESGO
abrir ↗Nucleimedium
NocoDB < 0.258.0 - Reflected XSS in Password Reset
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
28RIESGO
abrir ↗Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
SysAid On-Prem <= 23.3.40 Checkin Proceessing XML External Entity Injection
100RIESGO
abrir ↗Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
SysAid On-Prem <= 23.3.40 serverurl Proceessing XML External Entity Injection
100RIESGO
abrir ↗Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
SysAid On-Prem <= 23.3.40 lshw Proceessing XML External Entity Injection
85RIESGO
abrir ↗Nucleihigh
Apache Kafka Client - Arbitrary File Read
Apache Kafka Client: Arbitrary file read and SSRF vulnerability
68RIESGO
abrir ↗Nucleihigh
Apache Druid - Server-Side Request Forgery
Apache Druid: Server-Side Request Forgery and Cross-Site Scripting
28RIESGO
abrir ↗Nucleicritical
Shopware < 6.5.8.13 - SQL Injection
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE:
33RIESGO
abrir ↗Nucleimedium
Zimbra - Cross-Site Scripting via ICS Files
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnera
58RIESGO
abrir ↗Nucleihigh
Electrolink FM/DAB/TV Transmitter - Credentials Disclosure
A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and
36RIESGO
abrir ↗Nucleihigh
DAEnetIP4 METO v1.25 - Session Hijacking
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
43RIESGO
abrir ↗Nucleimedium
mojoPortal <=2.9.0.1 - Directory Traversal
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. A
28RIESGO
abrir ↗Nucleimedium
Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
WordPress Skitter Slideshow plugin <= 2.5.2 - Cross Site Scripting (XSS) vulnerability
28RIESGO
abrir ↗Nucleicritical
Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update
Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
63RIESGO
abrir ↗Nucleicritical
Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component
SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via
48RIESGO
abrir ↗Nucleicritical
FoxCMS v.1.2.5 - Remote Code Execution
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.htm
75RIESGO
abrir ↗Nucleihigh
XWiki REST API - Private Pages Disclosure
XWiki allows unregistered users to access private pages information through REST endpoint
36RIESGO
abrir ↗Nucleimedium
Vite - Arbitrary File Read
Vite bypasses server.fs.deny when using `?raw??`
70RIESGO
abrir ↗Nucleicritical
GeoServer WFS - XXE Processing Vulnerability
GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling
55RIESGO
abrir ↗Nucleicritical
Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the
100RIESGO
abrir ↗Nucleihigh
WordPress WP01 - Path Traversal
WordPress WP01 plugin <= 2.6.2 - Arbitrary File Download Vulnerability
56RIESGO
abrir ↗Nucleihigh
SureTriggers – All-in-One Automation Platform ≤ 1.0.78 - Authentication Bypass
SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation
78RIESGO
abrir ↗Nucleimedium
Vite Development Server - Path Traversal
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
90RIESGO
abrir ↗Nucleihigh
Yeswiki < 4.5.2 - Unauthenticated Path Traversal
Path Traversal allowing arbitrary read of files in Yeswiki
56RIESGO
abrir ↗Nucleicritical
CrushFTP - Authentication Bypass
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unle
100RIESGO
abrir ↗Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.