Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.180exploits catalogados
31.691CVEs con explotación pública
0probados en laboratorio
4190 exploits
Nucleihigh
TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal
TRUfusion Enterprise through 7.10.4.0 exposes the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint to unau
41RIESGO
abrir
Nucleicritical
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
CVE-2025-2746CRITICALbajo ataque
Kentico Xperience <= 13.0.172 Staging Sync Server Digest Password Authentication Bypass
100RIESGO
abrir
Nucleicritical
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006)
CVE-2025-2747CRITICALbajo ataque
Kentico Xperience <= 13.0.178 Staging Sync Server None Password Type Authentication Bypass
100RIESGO
abrir
Nucleimedium
Kentico Xperience CMS - Unauthenticated Stored XSS
Kentico Xperience stored cross-site scripting in multiple-file upload functionality
60RIESGO
abrir
Nucleimedium
GeoServer - Missing Authorization on REST API Index
GeoServer Missing Authorization on REST API Index
28RIESGO
abrir
Nucleimedium
NocoDB < 0.258.0 - Reflected XSS in Password Reset
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
28RIESGO
abrir
Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
CVE-2025-2775CRITICALbajo ataque
SysAid On-Prem <= 23.3.40 Checkin Proceessing XML External Entity Injection
100RIESGO
abrir
Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
CVE-2025-2776CRITICALbajo ataque
SysAid On-Prem <= 23.3.40 serverurl Proceessing XML External Entity Injection
100RIESGO
abrir
Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
SysAid On-Prem <= 23.3.40 lshw Proceessing XML External Entity Injection
85RIESGO
abrir
Nucleihigh
Apache Kafka Client - Arbitrary File Read
Apache Kafka Client: Arbitrary file read and SSRF vulnerability
68RIESGO
abrir
Nucleihigh
Apache Druid - Server-Side Request Forgery
Apache Druid: Server-Side Request Forgery and Cross-Site Scripting
28RIESGO
abrir
Nucleicritical
Shopware < 6.5.8.13 - SQL Injection
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE:
33RIESGO
abrir
Nucleimedium
Zimbra - Cross-Site Scripting via ICS Files
CVE-2025-27915MEDIUMbajo ataque
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnera
58RIESGO
abrir
Nucleihigh
Electrolink FM/DAB/TV Transmitter - Credentials Disclosure
A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and
36RIESGO
abrir
Nucleihigh
DAEnetIP4 METO v1.25 - Session Hijacking
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
43RIESGO
abrir
Nucleimedium
mojoPortal <=2.9.0.1 - Directory Traversal
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. A
28RIESGO
abrir
Nucleimedium
Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
WordPress Skitter Slideshow plugin <= 2.5.2 - Cross Site Scripting (XSS) vulnerability
28RIESGO
abrir
Nucleicritical
Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update
Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
63RIESGO
abrir
Nucleicritical
Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component
SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via
48RIESGO
abrir
Nucleicritical
FoxCMS v.1.2.5 - Remote Code Execution
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.htm
75RIESGO
abrir
Nucleihigh
XWiki REST API - Private Pages Disclosure
XWiki allows unregistered users to access private pages information through REST endpoint
36RIESGO
abrir
Nucleicritical
Next.js Middleware Bypass
Authorization Bypass in Next.js Middleware
85RIESGO
abrir
Nucleimedium
Vite - Arbitrary File Read
Vite bypasses server.fs.deny when using `?raw??`
70RIESGO
abrir
Nucleicritical
GeoServer WFS - XXE Processing Vulnerability
GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling
55RIESGO
abrir
Nucleicritical
Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
CVE-2025-30406CRITICALbajo ataque
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the
100RIESGO
abrir
Nucleihigh
WordPress WP01 - Path Traversal
WordPress WP01 plugin <= 2.6.2 - Arbitrary File Download Vulnerability
56RIESGO
abrir
Nucleihigh
SureTriggers – All-in-One Automation Platform ≤ 1.0.78 - Authentication Bypass
SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation
78RIESGO
abrir
Nucleimedium
Vite Development Server - Path Traversal
CVE-2025-31125MEDIUMbajo ataque
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
90RIESGO
abrir
Nucleihigh
Yeswiki < 4.5.2 - Unauthenticated Path Traversal
Path Traversal allowing arbitrary read of files in Yeswiki
56RIESGO
abrir
Nucleicritical
CrushFTP - Authentication Bypass
CVE-2025-31161CRITICALbajo ataqueransomware
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unle
100RIESGO
abrir

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.