Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,044cataloged exploits
31,616CVEs with public exploitation
0lab-tested
22,467 exploits
Exploit-DB
Joomla Page Builder CK 3.5.10 - Arbitrary File Upload
CVE-2026-56290CRITICALwebappsmultiple08 Jul 2026
Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0
48RISK
open
Exploit-DB
Krayin CRM v2.2.x - Authenticated Remote Code Execution
CVE-2026-38526CRITICAL08 Jul 2026
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x a
48RISK
open
Exploit-DB
Hydra - Stack Buffer Overflow
CVE-2026-56766HIGH07 Jul 2026
Hydra - Stack Buffer Overflow in NTLM Authentication Handler
41RISK
open
Exploit-DB
Tenable Nessus 10.12.1 - SQL Injection
CVE-2026-57588LOW07 Jul 2026
SQL Injection in Nessus via Malicious Scan Result File Import
28RISK
open
Exploit-DB
Flowise 3.1.3 - arbitrary code execution
CVE-2026-58057LOWwebappsmultiple07 Jul 2026
Flowise - Custom MCP Environment Variable Denylist Bypass via Case Sensitivity
28RISK
open
Exploit-DB
Discuz! X5.0 - Authentication Bypass
CVE-2026-49952CRITICAL07 Jul 2026
Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle
48RISK
open
Exploit-DB
Joomla Extension 4.1.4 - PHP Object injection
CVE-2026-48909CRITICAL06 Jul 2026
Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4
48RISK
open
Exploit-DB
KeepInMind 0.8.4.2 - Stored XSS
CVE-2026-9271MEDIUM06 Jul 2026
KeepInMind - Dashboard Notes < 0.8.4.2 - Contributor+ Stored XSS
33RISK
open
Exploit-DB
MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation
CVE-2026-36213HIGH06 Jul 2026
An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.e
41RISK
open
Exploit-DB
WordPress Plugin WPZOOM Portfolio 1.4.21 - Reflected Cross-Site Scripting (XSS)
CVE-2026-49069HIGH06 Jul 2026
WordPress WPZOOM Portfolio plugin <= 1.4.21 - Cross Site Scripting (XSS) vulnerability
41RISK
open
Exploit-DB
Pulpy 0.1.1-Beta - Filesystem Sandbox Bypass
CVE-2026-44225CRITICAL06 Jul 2026
Pulpy: Incomplete filesystem sandbox in pulpy.fs bridge allows packaged web apps to read arbitrary user files
48RISK
open
Exploit-DB
OpenEMR 7.0.2 - Arbitrary File Read
CVE-2026-24849CRITICAL08 Jun 2026
OpenEMR Arbitrary File Read Vulnerability
48RISK
open
Exploit-DB
Drupal Core 10.5.5 - Error-Based SQL Injection
CVE-2026-9082CRITICALunder attack01 Jun 2026
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
100RISK
open
Exploit-DB
WordPress OrderConvo 14 - Path Traversal
CVE-2025-10162HIGH01 Jun 2026
OrderConvo < 14 - Unauthenticated Arbitrary File Read
56RISK
open
Exploit-DB
YAMCS yamcs-core 5.12.7 - LDAP Injection
CVE-2026-42568MEDIUM30 May 2026
Yamcs Vulnerable to LDAP Injection in LdapAuthModule
33RISK
open
Exploit-DB
Notepad++ 8.9.6 - Arbitrary Code Execution
CVE-2026-48778HIGHremotewindows30 May 2026
Notepad++: Arbitrary Code Execution via config.xml commandLineInterpreter
41RISK
open
Exploit-DB
CubeCart < 6.7.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
CVE-2026-44376MEDIUM29 May 2026
CubeCart: Reflected XSS in Store Search Bar
33RISK
open
Exploit-DB
Microsoft - NTLMv2 Hash Capture
CVE-2026-32202MEDIUMunder attack29 May 2026
Windows Shell Spoofing Vulnerability
75RISK
open
Exploit-DB
Prodigy Commerce 3.3.0 - Local File Inclusion
CVE-2026-0926CRITICAL29 May 2026
Prodigy Commerce <= 3.3.0 - Unauthenticated Local File Inclusion via parameters[template_name]
63RISK
open
Exploit-DB
ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion
CVE-2026-46522HIGH29 May 2026
ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion
41RISK
open
Exploit-DB
Wing FTP Server 8.1.3 - Authenticated Remote Code Execution
CVE-2026-44403HIGH29 May 2026
Wing FTP Server < 8.1.3 Authenticated Remote Code Execution via Session Serialization
41RISK
open
Exploit-DB
Linux Kernel - Local Privilege Escalation
CVE-2026-43284HIGH29 May 2026
xfrm: esp: avoid in-place decrypt on shared skb frags
78RISK
open
Exploit-DB
Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution
CVE-2026-1830CRITICAL29 May 2026
Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload
48RISK
open
Exploit-DB
MixPHP Framework 2.2.17 - Unsafe Deserialization Remote Code Execution
CVE-2026-42471HIGH29 May 2026
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) cal
41RISK
open
Exploit-DB
MikroORM 7.0.13 - SQL Injection
CVE-2026-44680HIGH29 May 2026
MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys
41RISK
open
Exploit-DB
Linux Kernel - Local Privilege Escalation
CVE-2026-43500HIGH29 May 2026
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
78RISK
open
Exploit-DB
Linux Kernel - Local Privilege Escalation
CVE-2026-46300HIGH29 May 2026
net: skbuff: preserve shared-frag marker during coalescing
41RISK
open
Exploit-DB
ZTE H298A / H108N - Unauthenticated Credential Exposure
CVE-2026-34474HIGH29 May 2026
Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to
46RISK
open
Exploit-DB
ZTE Routers - Unauthenticated Denial of Service
CVE-2026-34473HIGH29 May 2026
Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H
41RISK
open
Exploit-DB
ZTE ZXHN H188A V6 - Authentication Bypass
CVE-2026-34472HIGH29 May 2026
Unauthenticated credential disclosure in the wizard interface in ZTE ZXHN H188A V6.0.10P2_TE and V6.0.10P3N3_TE allows u
41RISK
open
page 1 / 749next

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.