Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
AllExploit-DB 22,467Referência 19,791GitHub PoC 13,086VulnCheck XDB 8,069Nuclei 4,187Metasploit 3,462✓ verified onlyrecentpopularrisk
4,187 exploits
Nucleimedium
Elasticsearch - Local File Inclusion
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
50RISK
open ↗Nucleihigh
ResourceSpace - Local File inclusion
Directory traversal vulnerability in pages/setup.php in Montala Limited ResourceSpace before 7.2.6727 allows remote atta
18RISK
open ↗Nucleimedium
Bonita BPM Portal <6.5.3 - Local File Inclusion
Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via
43RISK
open ↗Nucleimedium
Symfony - Authentication Bypass
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.1
18RISK
open ↗Nucleimedium
WordPress NewStatPress 0.9.8 - SQL Injection
SQL injection vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remo
38RISK
open ↗Nucleilow
NewStatPress <0.9.9 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPres
38RISK
open ↗Nucleihigh
Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read ar
50RISK
open ↗Nucleimedium
WordPress Church Admin <0.810 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers t
38RISK
open ↗Nucleimedium
WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal
Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player)
43RISK
open ↗Nucleicritical
WordPress Plugin Aviary Image Editor Addon For Gravity Forms 3.0 Beta - Arbitrary File Upload
Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin
50RISK
open ↗Nucleihigh
Koha 3.20.1 - Directory Traversal
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08
50RISK
open ↗Nucleimedium
Xceedium Xsuite <=2.4.4.5 - Local File Inclusion
Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.4.4.5 and earlier allows remote attack
43RISK
open ↗Nucleimedium
Xsuite <=2.4.4.5 - Open Redirect
Open redirect vulnerability in Xsuite 2.4.4.5 and earlier allows remote attackers to redirect users to arbitrary web sit
38RISK
open ↗Nucleihigh
WordPress Zip Attachments <= 1.1.4 - Arbitrary File Retrieval
Directory traversal vulnerability in download.php in the Zip Attachments plugin before 1.5.1 for WordPress allows remote
23RISK
open ↗Nucleimedium
Novius OS 5.0.1-elche - Open Redirect
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
43RISK
open ↗Nucleimedium
WordPress StageShow <5.0.9 - Open Redirect
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
18RISK
open ↗Nucleihigh
WordPress MDC YouTube Downloader 2.1.0 - Local File Inclusion
Absolute path traversal vulnerability in the MDC YouTube Downloader plugin 2.1.0 for WordPress allows remote attackers t
23RISK
open ↗Nucleimedium
Swim Team <= v1.44.10777 - Local File Inclusion
Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allo
50RISK
open ↗Nucleimedium
ElasticSearch <1.6.1 - Local File Inclusion
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
60RISK
open ↗Nucleimedium
Geddy <13.0.8 - Local File Inclusion
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
18RISK
open ↗Nucleimedium
Nordex NC2 - Cross-Site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in the Wind Farm Portal application in Nordex Control 2 (NC2) SCADA
33RISK
open ↗Nucleimedium
Combodo iTop <2.2.0-2459 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows
18RISK
open ↗Nucleimedium
WordPress sourceAFRICA <=0.1.3 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in js/window.php in the sourceAFRICA plugin 0.1.3 for WordPress allows remote a
18RISK
open ↗Nucleihigh
D-Link DVG-N5402SP - Local File Inclusion
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remot
50RISK
open ↗Nucleihigh
Joomla! Core SQL Injection
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via un
60RISK
open ↗Nucleimedium
WordPress Pie-Register <2.0.19 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for W
18RISK
open ↗Nucleicritical
IBM WebSphere Java Object Deserialization - Remote Code Execution
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and
100RISK
open ↗Nucleimedium
ManageEngine Firewall Analyzer <8.0 - Local File Inclusion
Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0.
23RISK
open ↗Nucleimedium
Kentico CMS 8.2 - Open Redirect
Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS 8.2 through 8.2.41 allows remote attackers to red
18RISK
open ↗Nucleimedium
SourceBans <2.0 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in SourceBans before 2.0 pre-alpha allows remote attackers to inject arbitrary
18RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.