Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
13,086 exploits
GitHub PoC
CVE-2025-14847 mongobleed python file
CVE-2025-14847HIGHunder attack14 Jun 2026
Zlib compressed protocol header length confusion may allow memory read
100RISK
open
GitHub PoC
CVE-2026-5513 — Bookly ≤ 27.2 Stored XSS via Cookie
CVE-2026-5513HIGH14 Jun 2026
Online Scheduling and Appointment Booking System – Bookly <= 27.2 - Unauthenticated Stored Cross-Site Scripting via 'bookly-customer-full-name' Cookie
41RISK
open
GitHub PoC1
HTTP/2 Bomb: HPACK indexed-reference amplification + flow-control stall. A high school student's full protocol analysis (LaTeX). CVE-2026-49975, CVE-2026-47774.
CVE-2026-49975HIGH13 Jun 2026
Apache HTTP Server: mod_http2 denial of service
46RISK
open
GitHub PoC
Some labs looking at the xz backdoor vulnerability (CVE-2024-3094)
CVE-2024-3094CRITICAL13 Jun 2026
Xz: malicious code in distributed source
70RISK
open
GitHub PoC
rootdirective-sec/CVE-2026-42647-Lab
CVE-2026-42647CRITICAL13 Jun 2026
WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability
63RISK
open
GitHub PoC
Remote Code Execution in DbGate via functionName injection in the loadReader endpoint — CVSS 8.8
CVE-2026-48017HIGH13 Jun 2026
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
41RISK
open
GitHub PoC1
razureink/cve-2026-49975-http2bomb_reproduction
CVE-2026-49975HIGH13 Jun 2026
Apache HTTP Server: mod_http2 denial of service
46RISK
open
GitHub PoC1
CVE-2026-45447
CVE-2026-45447HIGH13 Jun 2026
Heap Use-After-Free in the PKCS7_verify() Function
41RISK
open
GitHub PoC1
(phpBB authentication bypass)
CVE-2026-48611CRITICAL13 Jun 2026
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or
63RISK
open
GitHub PoC1
Hunt-Benito/glinet-beryl-ax-triple-rce-cve-2026-11450-11451-11452-unauthenticated-root-on-travel-router
CVE-2026-11450MEDIUM13 Jun 2026
GL.iNet GL-MT3000 Path Normalization dlopen command injection
33RISK
open
GitHub PoC
webshellseo8/CVE-2026-1555-POC
CVE-2026-1555CRITICAL13 Jun 2026
WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload
48RISK
open
GitHub PoC3
CVE-2026-20253
CVE-2026-20253CRITICALunder attack13 Jun 2026
Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
100RISK
open
GitHub PoC2
HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.
CVE-2026-49975HIGH13 Jun 2026
Apache HTTP Server: mod_http2 denial of service
46RISK
open
GitHub PoC
Technical writeup and Proof of Concept (PoC) for CVE-2026-11417: OS Command Injection / Remote Code Execution (RCE) in AWS CDK's NodejsFunction.
CVE-2026-11417HIGH13 Jun 2026
OS Command Injection in NodejsFunction Bundling in aws-cdk-lib
41RISK
open
GitHub PoC
CVE-2025-55182 exploit script
CVE-2025-55182CRITICALunder attackransomware13 Jun 2026
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RISK
open
GitHub PoC
J1nKsC/CVE-2024-4367_test
CVE-2024-4367MEDIUM13 Jun 2026
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js c
55RISK
open
GitHub PoC1
CVE-2021-21425 - GravCMS 1.10.7 Unauthenticated RCE via Scheduler. Improved exploit with CLI args and auto base64 encoding.
CVE-2021-21425CRITICAL13 Jun 2026
Unauthenticated Arbitrary YAML Write/Update leads to Code Execution
85RISK
open
GitHub PoC
CVE-2018-9276 — PRTG Network Monitor < 18.2.39 Authenticated RCE. For educational purposes and authorized penetration testing only.
CVE-2018-9276HIGHunder attack13 Jun 2026
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administra
100RISK
open
GitHub PoC2
HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.
CVE-2026-49975HIGH13 Jun 2026
Apache HTTP Server: mod_http2 denial of service
46RISK
open
GitHub PoC
AISec Plus Week 1 threat write-up — EchoLeak (CVE-2025-32711), zero-click indirect prompt injection in Microsoft 365 Copilot.
CVE-2025-32711CRITICAL13 Jun 2026
M365 Copilot Information Disclosure Vulnerability
48RISK
open
GitHub PoC
SQL Injection in Dagster database I/O managers via dynamic partition keys (DuckDB/Snowflake/BigQuery/DeltaLake) — High
CVE-2026-41490HIGH13 Jun 2026
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
41RISK
open
GitHub PoC
87achrafg-stack/CVE-2026-48907
CVE-2026-48907CRITICALunder attack13 Jun 2026
Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
100RISK
open
GitHub PoC
CyruxSec/CVE-2026-4524
CVE-2026-4524MEDIUM13 Jun 2026
Authentication Bypass Using an Alternate Path or Channel in GitLab
33RISK
open
GitHub PoC1
CVE-2026-6279
CVE-2026-6279CRITICAL13 Jun 2026
Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler
48RISK
open
GitHub PoC
87achrafg-stack/CVE-2026-6279
CVE-2026-6279CRITICAL13 Jun 2026
Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler
48RISK
open
GitHub PoC
JupyterHub XSRF bypass via cross-origin form POST (Sec-Fetch-Mode: no-cors) — CWE-352
CVE-2026-40864MEDIUM13 Jun 2026
JupyterHub: Cross-origin form POSTs bypass XSRF
33RISK
open
GitHub PoC
A lightweight stdio-based MCP server for local file system operations — read, write, edit, search, exec for AI assistants. Specially optimized for Chatbox: bat-bypass for exec (CVE-2026-6130), b64 encoding to eliminate escaping issues, and multi-pattern regex for precise code block targeting.
CVE-2026-6130MEDIUM13 Jun 2026
chatboxai chatbox Model Context Protocol Server Management System ipc-stdio-transport.ts StdioClientTransport os command injection
33RISK
open
GitHub PoC
ExifTool RCE exploit (CVE-2021-22204) - improved version, no exiftool dependency
CVE-2021-22204MEDIUMunder attack13 Jun 2026
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code exec
100RISK
open
GitHub PoC1
CVE-2026-50751 — Check Point IKEv1 Authentication Bypass
CVE-2026-50751CRITICALunder attackransomware12 Jun 2026
User Authentication Bypass in VPN Remote Access and Mobile Access
100RISK
open
GitHub PoC1
FOSSBilling CVE-2026-53647 & CVE-2026-53646 PoC — Unauthenticated API key disclosure & password reset token reuse
CVE-2026-53647MEDIUM12 Jun 2026
FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Serviceapikey get_info endpoint
33RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.