Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
AllExploit-DB 22,467Referência 19,791GitHub PoC 13,086VulnCheck XDB 8,069Nuclei 4,187Metasploit 3,462✓ verified onlyrecentpopularrisk
13,086 exploits
GitHub PoC
CVE-2026-9691: Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule
WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability
48RISK
open ↗GitHub PoC
CVE-2026-42758 WebinarIgnition Exploit
WordPress WebinarIgnition plugin < 4.08.253 - Privilege Escalation vulnerability
48RISK
open ↗GitHub PoC
Exploitation and mitigation analysis of CVE-2021-3156 heap-based buffer overflow in sudo
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege
100RISK
open ↗GitHub PoC
mandeepsohal/CVE-2025-66391
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
41RISK
open ↗GitHub PoC
CVE-2026-49105 WP Zendesk PHP Object Injection Exploit
WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability
48RISK
open ↗GitHub PoC
CVE-2026-49104 Integration for Keap/Infusionsoft PHP Object Injection Exploit
WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.2.1 - PHP Object Injection vulnerability
48RISK
open ↗GitHub PoC
CVE-2026-49085 WP Insightly PHP Object Injection Exploit
WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability
48RISK
open ↗GitHub PoC
CVE-2026-49083 LatePoint Calendar Booking Plugin Privilege Escalation Exploit
WordPress LatePoint plugin <= 5.5.1 - Privilege Escalation vulnerability
41RISK
open ↗GitHub PoC
87achrafg-stack/CVE-2026-49083
WordPress LatePoint plugin <= 5.5.1 - Privilege Escalation vulnerability
41RISK
open ↗GitHub PoC★ 1
CVE-2026-20262 - Cisco Catalyst SD-WAN Manager Arbitrary File Write Path Traversal Vulnerability (CWE-22) - Authenticated Remote File Write
Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability
63RISK
open ↗GitHub PoC
rootdirective-sec/CVE-2026-49060-Lab
WordPress Hippoo Mobile App for WooCommerce plugin <= 1.9.4 - Privilege Escalation vulnerability
48RISK
open ↗GitHub PoC
CVE-2026-7654 Admin Columns PHP Object Injection RCE Exploit
Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value
41RISK
open ↗GitHub PoC
PoC for CVE-2015-10141 – Xdebug unauthenticated RCE
Xdebug Remote Debugger Unauthenticated OS Command Execution
63RISK
open ↗GitHub PoC
segunakinsoyinu/CVE-2024-42009-roundcube-xss
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to stea
100RISK
open ↗GitHub PoC
CVE-2026-8206 Kirki Plugin Unauthenticated Account Takeover Exploit
Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
48RISK
open ↗GitHub PoC
CVE-2026-49079 JetSearch SQL Injection Exploit
WordPress JetSearch plugin <= 3.5.17 - SQL Injection vulnerability
48RISK
open ↗GitHub PoC★ 132
PACKET_EDIT_MEME.c (aka CVE-2026-46331): yet another page cache poisoning nightmare
net/sched: fix pedit partial COW leading to page cache corruption
41RISK
open ↗GitHub PoC★ 4
Manage and recover BitLocker encrypted drives with this tool for Windows 11 recovery key management and educational study of CVE-2026-45585.
Windows BitLocker Security Feature Bypass Vulnerability
33RISK
open ↗GitHub PoC★ 1
PoC exploit for CVE-2025-55182 (React2Shell) — Pre-auth RCE in React Server Components | CVSS 10.0
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RISK
open ↗GitHub PoC★ 1
A script that gives you the credentials of a Pterodactyl panel vulnerable to CVE-2025-49132
Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
68RISK
open ↗GitHub PoC
Penetration testing assessment of a vulnerable IIS 6.0 WebDAV server, demonstrating reconnaissance, enumeration, exploitation (CVE-2017-7269), and privilege escalation to SYSTEM, along with risk analysis and remediation strategies.
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in
100RISK
open ↗GitHub PoC★ 8
This is a Linux Kernel Local Privilege Escalation PoC code for CVE-2026-52943 a use-after-free in skbuff.c, my first 0day found by me in linux kernel
net: skbuff: fix missing zerocopy reference in pskb_carve helpers
41RISK
open ↗GitHub PoC
This is an exploit poc for CVE-2026-4480
Samba: samba: remote code execution in printing subsystem via unescaped job description
68RISK
open ↗GitHub PoC
mahfuzreham/litespeed-cpanel-cve-2026-54420-fix
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provide
71RISK
open ↗GitHub PoC★ 1
CVE-2026-54420
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provide
71RISK
open ↗GitHub PoC
CVE-2025-49844 exploit script
Redis Lua Use-After-Free may lead to remote code execution
85RISK
open ↗GitHub PoC
CVE-2026-47101, CVE-2026-47102, CVE-2026-40217
LiteLLM < 1.83.14 Privilege Escalation via API Key Generation
41RISK
open ↗GitHub PoC
CVE-2026-20262 - Draft
Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability
63RISK
open ↗GitHub PoC
Resellnom/litespeed-cpanel-cve-2026-54420-fix
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provide
71RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.