Exploração pública
Catálogo de exploits
Todo exploit público que catalogamos, num índice só. Busque por CVE, nome do exploit ou tecnologia — e veja, ao lado, o que a falha realmente vale: severidade, probabilidade de exploração e se já está sob ataque.
71.002exploits catalogados
31.582CVEs com exploração pública
TodosExploit-DB 22.467Referência 19.780GitHub PoC 13.048VulnCheck XDB 8.060Nuclei 4.185Metasploit 3.462recentespopularesrisco
71.002 exploits
GitHub PoC
Reproducer for CVE-2026-46457 — Apache Camel camel-nats inbound header injection (Camel control-header injection via a NATS publisher; CamelHttpUri -> SSRF)
Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers
41RISCO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46584: Apache Camel camel-mail mail.smtp.* header injection enabling credential theft via on-path SOCKS interception (fixed in 4.14.8/4.18.3/4.21.0)
Apache Camel Mail: The mail producer applied attacker-supplied message headers as JavaMail session properties, allowing an attacker to influence SMTP parameters
28RISCO
abrir ↗GitHub PoC★ 1
本次个人漏洞研究进展成果
rtmutex: Use waiter::task instead of current in remove_waiter()
41RISCO
abrir ↗GitHub PoC★ 3
Vulnerability analysis and Proof of Concept (PoC) for CVE-2026-43499 affecting Xiaomi devices. For educational and research purposes only.
rtmutex: Use waiter::task instead of current in remove_waiter()
41RISCO
abrir ↗GitHub PoC
Bartixxx32/CVE-2026-43499-OnePlus15
rtmutex: Use waiter::task instead of current in remove_waiter()
41RISCO
abrir ↗GitHub PoC
CVE-2026-8181 — Burst Statistics WordPress plugin Authentication Bypass (CVSS 9.8) to Admin Account Takeover. Mass scanner with FOFA/Shodan integration and modern GUI.
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
68RISCO
abrir ↗GitHub PoC
JohannesLks/CVE-2026-50338
Azure Spring Apps Elevation of Privilege Vulnerability
38RISCO
abrir ↗VulnCheck XDB
initial-access
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary comman
60RISCO
abrir ↗VulnCheck XDB
initial-access
Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
75RISCO
abrir ↗GitHub PoC★ 1
CVE-2026-36214 - osTicket Stored XSS via Bootstrap Tooltip - PoC & Analysis | CVSS 8.7 HIGH | AMN SECURITY
osTicket versions from 1.10 up to 1.17.7 and from 1.18.0 up to 1.18.3 are vulnerable to a stored XSS due to a vulnerable
30RISCO
abrir ↗GitHub PoC★ 3
Unauthenticated Stored XSS in Joomla Helix Ultimate (JoomShaper) <= 2.2.6
Joomla Extension - joomshaper.com - Unauthenticated stored XSS in Helix Ultimate < 2.2.7
41RISCO
abrir ↗GitHub PoC★ 3
Unauthenticated Arbitrary File/Folder Deletion in Joomla Helix Ultimate (JoomShaper) <= 2.2.6 — CVE-2026-57830
Joomla Extension - joomshaper.com - Unauthenticated arbitrary file deletion in Helix Ultimate < 2.2.7
41RISCO
abrir ↗VulnCheck XDB
initial-access
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[
50RISCO
abrir ↗VulnCheck XDB
initial-access
Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
78RISCO
abrir ↗GitHub PoC
Admin-only terminal bootstrap routes checked only for login state, which let a normal team member drive Coolify's realtime terminal backend and execute commands on team servers.
Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers
48RISCO
abrir ↗GitHub PoC
nuclei template for CVE-2026-56291
Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
78RISCO
abrir ↗GitHub PoC★ 11
CVE-2026-43724 - Apple's published enough advisories about the issue, I'm not getting paid for any of my kernel bugs.
The issue was addressed with improved input sanitization. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tah
41RISCO
abrir ↗GitHub PoC
CVE-2026-49049 Helix3 (JoomShaper) Joomla Unauthenticated AJAX RCE Scanner
Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler
41RISCO
abrir ↗GitHub PoC
CVE-2026-53805 - Draft
NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API
48RISCO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46453 — Apache Camel camel-elasticsearch-rest-client unprefixed-header injection (operation/query override via inbound HTTP headers)
Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation
33RISCO
abrir ↗GitHub PoC★ 1
CVE-2026-40047 - Apache Camel Docling CLI Argument Injection - PoC & Analysis | CVSS 9.1 CRITICAL | AMN SECURITY
Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer
48RISCO
abrir ↗GitHub PoC★ 1
Mendeteksi versi (passive detection) & Exploitation CVE POC
Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
78RISCO
abrir ↗GitHub PoC★ 1
CVE-2026-6307 - Google Chrome V8 Turbofan Type Confusion Sandbox Escape - PoC & Analysis | CVSS 8.8 HIGH | AMN SECURITY
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code
41RISCO
abrir ↗GitHub PoC★ 1
Android version CVE-2026-43499 tester
rtmutex: Use waiter::task instead of current in remove_waiter()
41RISCO
abrir ↗GitHub PoC★ 3
(Hopefully) A tool to root for (most) Android devices through CVE-2026-43499
rtmutex: Use waiter::task instead of current in remove_waiter()
41RISCO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46456 — Apache Camel camel-aws2-sqs inbound message-attribute header injection (Camel control-header injection via sqs:SendMessage → downstream producer steering / RCE)
Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers
48RISCO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46455 — Apache Camel camel-keycloak missing TokenVerifier.IS_ACTIVE check (expired access tokens accepted)
Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted
48RISCO
abrir ↗GitHub PoC
Reproducer for CVE-2026-46454 — Apache Camel camel-cometd inbound Bayeux header injection (unauthenticated Camel control-header injection → downstream producer steering / RCE)
Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers
48RISCO
abrir ↗GitHub PoC
OPPO Find X6 Pro GhostLock (CVE-2026-43499) exploit adaptation
rtmutex: Use waiter::task instead of current in remove_waiter()
41RISCO
abrir ↗GitHub PoC★ 1
CVE-2026-46529 - Atril Evince XReader PDF Clickable Link RCE - PoC & Analysis | CVSS 7.8 HIGH | AMN SECURITY
PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen
41RISCO
abrir ↗página 1 / 2.367próximo →
Indexamos apenas o link público para a prova de conceito — nunca hospedamos nem redistribuímos código de exploração. Fontes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit e VulnCheck XDB. A existência de PoC pública não significa que a falha seja explorável no seu ambiente.