Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
AllExploit-DB 22,467Referência 19,791GitHub PoC 13,086VulnCheck XDB 8,069Nuclei 4,187Metasploit 3,462✓ verified onlyrecentpopularrisk
4,187 exploits
Nucleimedium
Google Maps by BestWebSoft < 1.3.6 - Cross-Site Scripting
The bws-google-maps plugin before 1.3.6 for WordPress has multiple XSS issues.
18RISK
open ↗Nucleimedium
Testimonials by BestWebSoft < 0.1.9 - Cross-Site Scripting
The bws-testimonials plugin before 0.1.9 for WordPress has multiple XSS issues.
18RISK
open ↗Nucleimedium
Error Log Viewer by BestWebSoft < 1.0.6 - Cross-Site Scripting
The error-log-viewer plugin before 1.0.6 for WordPress has multiple XSS issues.
18RISK
open ↗Nucleimedium
Sender by BestWebSoft < 1.2.1 - Cross-Site Scripting
The sender plugin before 1.2.1 for WordPress has multiple XSS issues.
18RISK
open ↗Nucleimedium
Updater by BestWebSoft < 1.35 - Cross-Site Scripting
The updater plugin before 1.35 for WordPress has multiple XSS issues.
18RISK
open ↗Nucleimedium
User Role by BestWebSoft < 1.5.6 - Cross-Site Scripting
The user-role plugin before 1.5.6 for WordPress has multiple XSS issues.
18RISK
open ↗Nucleicritical
WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or use
23RISK
open ↗Nucleimedium
Timesheet Plugin < 0.1.5 - Cross-Site Scripting
The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues.
18RISK
open ↗Nucleimedium
WordPress Qards - Cross-Site Scripting
The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2c
18RISK
open ↗Nucleihigh
Graphite <=1.1.5 - Server-Side Request Forgery
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulner
23RISK
open ↗Nucleimedium
Formidable Forms < 2.05.02 - Cross-Site Scripting
Formidable Form Builder < 2.05.03 - Unauthenticated Stored Cross-Site Scripting
56RISK
open ↗Nucleimedium
Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure
Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure
28RISK
open ↗Nucleimedium
FortiOS 5.4.0 to 5.6.0 - Cross-Site Scripting
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to exec
38RISK
open ↗Nucleimedium
Fortinet FortiOS < 5.6.0 - Cross-Site Scripting
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to Execute unauthor
38RISK
open ↗Nucleimedium
Fortinet FortiOS < 5.6.0 - Cross-Site Scripting
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthor
43RISK
open ↗Nucleihigh
Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supporte
100RISK
open ↗Nucleimedium
Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
43RISK
open ↗Nucleimedium
McAfee Network Data Loss Prevention 9.3.x - Cross-Site Scripting
Embedding Script (XSS) in HTTP Headers vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x a
18RISK
open ↗Nucleihigh
NETGEAR Routers - Authentication Bypass
An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R
100RISK
open ↗Nucleimedium
KMCIS CaseAware - Cross-Site Scripting
An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr"
38RISK
open ↗Nucleicritical
Apache Struts 2 - Remote Command Execution
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception ha
100RISK
open ↗Nucleicritical
Intel Active Management - Authentication Bypass
An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana
100RISK
open ↗Nucleimedium
OpenVPN Access Server 2.1.4 - CRLF Injection
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbit
18RISK
open ↗Nucleimedium
Odoo <= 8.0-20160726 & 9.0 - Open Redirect
Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive in
18RISK
open ↗Nucleihigh
Kodi 17.1 - Local File Inclusion
Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi allows remote attackers to read arbitrary files v
40RISK
open ↗Nucleicritical
JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer,
23RISK
open ↗Nucleihigh
PhpColl 2.5.1 Arbitrary File Upload
Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authentica
60RISK
open ↗Nucleimedium
MaNGOSWebV4 < 4.0.8 - Cross-Site Scripting
paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter).
38RISK
open ↗Nucleicritical
Windows Server 2003 & IIS 6.0 - Remote Code Execution
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in
100RISK
open ↗Nucleimedium
Magmi 0.7.22 - Cross-Site Scripting
A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration o
18RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.