Exploração pública

Catálogo de exploits

Todo exploit público que catalogamos, num índice só. Busque por CVE, nome do exploit ou tecnologia — e veja, ao lado, o que a falha realmente vale: severidade, probabilidade de exploração e se já está sob ataque.

71.180exploits catalogados
31.691CVEs com exploração pública
0testados em laboratório
4.190 exploits
Nucleihigh
TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal
TRUfusion Enterprise through 7.10.4.0 exposes the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint to unau
41RISCO
abrir
Nucleicritical
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
CVE-2025-2746CRITICALsob ataque
Kentico Xperience <= 13.0.172 Staging Sync Server Digest Password Authentication Bypass
100RISCO
abrir
Nucleicritical
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006)
CVE-2025-2747CRITICALsob ataque
Kentico Xperience <= 13.0.178 Staging Sync Server None Password Type Authentication Bypass
100RISCO
abrir
Nucleimedium
Kentico Xperience CMS - Unauthenticated Stored XSS
Kentico Xperience stored cross-site scripting in multiple-file upload functionality
60RISCO
abrir
Nucleimedium
GeoServer - Missing Authorization on REST API Index
GeoServer Missing Authorization on REST API Index
28RISCO
abrir
Nucleimedium
NocoDB < 0.258.0 - Reflected XSS in Password Reset
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
28RISCO
abrir
Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
CVE-2025-2775CRITICALsob ataque
SysAid On-Prem <= 23.3.40 Checkin Proceessing XML External Entity Injection
100RISCO
abrir
Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
CVE-2025-2776CRITICALsob ataque
SysAid On-Prem <= 23.3.40 serverurl Proceessing XML External Entity Injection
100RISCO
abrir
Nucleicritical
SysAid On-Prem <= 23.3.40 - XML External Entity
SysAid On-Prem <= 23.3.40 lshw Proceessing XML External Entity Injection
85RISCO
abrir
Nucleihigh
Apache Kafka Client - Arbitrary File Read
Apache Kafka Client: Arbitrary file read and SSRF vulnerability
68RISCO
abrir
Nucleihigh
Apache Druid - Server-Side Request Forgery
Apache Druid: Server-Side Request Forgery and Cross-Site Scripting
28RISCO
abrir
Nucleicritical
Shopware < 6.5.8.13 - SQL Injection
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE:
33RISCO
abrir
Nucleimedium
Zimbra - Cross-Site Scripting via ICS Files
CVE-2025-27915MEDIUMsob ataque
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnera
58RISCO
abrir
Nucleihigh
Electrolink FM/DAB/TV Transmitter - Credentials Disclosure
A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and
36RISCO
abrir
Nucleihigh
DAEnetIP4 METO v1.25 - Session Hijacking
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
43RISCO
abrir
Nucleimedium
mojoPortal <=2.9.0.1 - Directory Traversal
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. A
28RISCO
abrir
Nucleimedium
Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
WordPress Skitter Slideshow plugin <= 2.5.2 - Cross Site Scripting (XSS) vulnerability
28RISCO
abrir
Nucleicritical
Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update
Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
63RISCO
abrir
Nucleicritical
Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component
SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via
48RISCO
abrir
Nucleicritical
FoxCMS v.1.2.5 - Remote Code Execution
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.htm
75RISCO
abrir
Nucleihigh
XWiki REST API - Private Pages Disclosure
XWiki allows unregistered users to access private pages information through REST endpoint
36RISCO
abrir
Nucleicritical
Next.js Middleware Bypass
Authorization Bypass in Next.js Middleware
85RISCO
abrir
Nucleimedium
Vite - Arbitrary File Read
Vite bypasses server.fs.deny when using `?raw??`
70RISCO
abrir
Nucleicritical
GeoServer WFS - XXE Processing Vulnerability
GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling
55RISCO
abrir
Nucleicritical
Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
CVE-2025-30406CRITICALsob ataque
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the
100RISCO
abrir
Nucleihigh
WordPress WP01 - Path Traversal
WordPress WP01 plugin <= 2.6.2 - Arbitrary File Download Vulnerability
56RISCO
abrir
Nucleihigh
SureTriggers – All-in-One Automation Platform ≤ 1.0.78 - Authentication Bypass
SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation
78RISCO
abrir
Nucleimedium
Vite Development Server - Path Traversal
CVE-2025-31125MEDIUMsob ataque
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
90RISCO
abrir
Nucleihigh
Yeswiki < 4.5.2 - Unauthenticated Path Traversal
Path Traversal allowing arbitrary read of files in Yeswiki
56RISCO
abrir
Nucleicritical
CrushFTP - Authentication Bypass
CVE-2025-31161CRITICALsob ataqueransomware
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unle
100RISCO
abrir
anteriorpágina 71 / 140próximo

Indexamos apenas o link público para a prova de conceito — nunca hospedamos nem redistribuímos código de exploração. Fontes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit e VulnCheck XDB. A existência de PoC pública não significa que a falha seja explorável no seu ambiente.