Exploração pública
Catálogo de exploits
Todo exploit público que catalogamos, num índice só. Busque por CVE, nome do exploit ou tecnologia — e veja, ao lado, o que a falha realmente vale: severidade, probabilidade de exploração e se já está sob ataque.
71.062exploits catalogados
31.617CVEs com exploração pública
0testados em laboratório
TodosExploit-DB 22.467Referência 19.791GitHub PoC 13.086VulnCheck XDB 8.069Nuclei 4.187Metasploit 3.462✓ só verificadosrecentespopularesrisco
71.062 exploits
VulnCheck XDB
initial-access
Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
100RISCO
abrir ↗GitHub PoC
JupyterHub XSRF bypass via cross-origin form POST (Sec-Fetch-Mode: no-cors) — CWE-352
JupyterHub: Cross-origin form POSTs bypass XSRF
33RISCO
abrir ↗GitHub PoC★ 1
Hunt-Benito/glinet-beryl-ax-triple-rce-cve-2026-11450-11451-11452-unauthenticated-root-on-travel-router
GL.iNet GL-MT3000 Path Normalization dlopen command injection
33RISCO
abrir ↗GitHub PoC★ 1
(phpBB authentication bypass)
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or
63RISCO
abrir ↗GitHub PoC★ 3
CVE-2026-20253
Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
100RISCO
abrir ↗GitHub PoC
Technical writeup and Proof of Concept (PoC) for CVE-2026-11417: OS Command Injection / Remote Code Execution (RCE) in AWS CDK's NodejsFunction.
OS Command Injection in NodejsFunction Bundling in aws-cdk-lib
41RISCO
abrir ↗VulnCheck XDB
initial-access
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RISCO
abrir ↗GitHub PoC
rootdirective-sec/CVE-2026-42647-Lab
WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability
63RISCO
abrir ↗GitHub PoC
ExifTool RCE exploit (CVE-2021-22204) - improved version, no exiftool dependency
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code exec
100RISCO
abrir ↗GitHub PoC
A lightweight stdio-based MCP server for local file system operations — read, write, edit, search, exec for AI assistants. Specially optimized for Chatbox: bat-bypass for exec (CVE-2026-6130), b64 encoding to eliminate escaping issues, and multi-pattern regex for precise code block targeting.
chatboxai chatbox Model Context Protocol Server Management System ipc-stdio-transport.ts StdioClientTransport os command injection
33RISCO
abrir ↗VulnCheck XDB
client-side
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code exec
100RISCO
abrir ↗GitHub PoC
SQL Injection in Dagster database I/O managers via dynamic partition keys (DuckDB/Snowflake/BigQuery/DeltaLake) — High
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
41RISCO
abrir ↗GitHub PoC★ 1
razureink/cve-2026-49975-http2bomb_reproduction
Apache HTTP Server: mod_http2 denial of service
46RISCO
abrir ↗GitHub PoC
87achrafg-stack/CVE-2026-6279
Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler
48RISCO
abrir ↗GitHub PoC★ 1
CVE-2026-6279
Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler
48RISCO
abrir ↗GitHub PoC★ 2
HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.
Apache HTTP Server: mod_http2 denial of service
46RISCO
abrir ↗GitHub PoC★ 1
HTTP/2 Bomb: HPACK indexed-reference amplification + flow-control stall. A high school student's full protocol analysis (LaTeX). CVE-2026-49975, CVE-2026-47774.
Apache HTTP Server: mod_http2 denial of service
46RISCO
abrir ↗VulnCheck XDB
local
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool
100RISCO
abrir ↗GitHub PoC★ 1
CVE-2021-21425 - GravCMS 1.10.7 Unauthenticated RCE via Scheduler. Improved exploit with CLI args and auto base64 encoding.
Unauthenticated Arbitrary YAML Write/Update leads to Code Execution
85RISCO
abrir ↗GitHub PoC
Remote Code Execution in DbGate via functionName injection in the loadReader endpoint — CVSS 8.8
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
41RISCO
abrir ↗GitHub PoC
J1nKsC/CVE-2024-4367_test
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js c
55RISCO
abrir ↗GitHub PoC
Some labs looking at the xz backdoor vulnerability (CVE-2024-3094)
Xz: malicious code in distributed source
70RISCO
abrir ↗GitHub PoC
CVE-2018-9276 — PRTG Network Monitor < 18.2.39 Authenticated RCE. For educational purposes and authorized penetration testing only.
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administra
100RISCO
abrir ↗GitHub PoC★ 9
An offensive security researcher + an AI vs. a fresh n-day: building the first public PoC for CVE-2026-53435 in one Friday night. Raw 8h20m log inside.
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrar
46RISCO
abrir ↗GitHub PoC
Chains CVE-2025-57819 (stacked query SQL injection) and CVE-2025-61678 (authenticated file upload in FreePBX Endpoint Manager) to achieve Remote Code Execution (RCE). For educational use only.
FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE
100RISCO
abrir ↗GitHub PoC
This project simulates a real-world attack-and-defend scenario across two virtual machines. You will exploit a critical pre-authentication RCE vulnerability (CVE-2025-32433) in an Erlang/OTP SSH server, crack extracted password hashes, and then harden the victim machine with firewall rules and patching.
Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
100RISCO
abrir ↗GitHub PoC★ 3
Toolkit for CVE-2025-55182, also known as React2Shell.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RISCO
abrir ↗GitHub PoC★ 4
CVE-2026-35273
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Mana
100RISCO
abrir ↗GitHub PoC
Cisco Unified Communications Manager (Unified CM) deployments affected by CVE-2026-20230.
Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability
53RISCO
abrir ↗GitHub PoC★ 2
CVE-2026-25089
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet F
83RISCO
abrir ↗Indexamos apenas o link público para a prova de conceito — nunca hospedamos nem redistribuímos código de exploração. Fontes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit e VulnCheck XDB. A existência de PoC pública não significa que a falha seja explorável no seu ambiente.