Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
4,187 exploits
Nucleimedium
Rudloff alltube prior to 3.0.1 - Open Redirect
Open Redirect on Rudloff/alltube in rudloff/alltube
28RISK
open
Nucleicritical
WordPress Master Elements <=8.0 - SQL Injection
Master Elements <= 8.0 - Unauthenticated SQLi
18RISK
open
Nucleicritical
GitLab CE/EE - Information Disclosure
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
48RISK
open
Nucleicritical
Infographic Maker iList < 4.3.8 - SQL Injection
Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
23RISK
open
Nucleicritical
WordPress Simple Link Directory <7.7.2 - SQL injection
Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
23RISK
open
Nucleimedium
WordPress Loco Translate < 2.6.1 - Cross-Site Scripting
Loco Translate < 2.6.1 - Authenticated Stored Cross-Site Scripting
18RISK
open
Nucleicritical
Users Ultra <= 3.1.0 - SQL Injection
Users Ultra <= 3.1.0 - Unauthenticated SQL Injection
18RISK
open
Nucleicritical
Documentor <= 1.5.3 - Unauthenticated SQL Injection
Documentor <= 1.5.3 - Unauthenticated SQLi
30RISK
open
Nucleimedium
RevealJS postMessage <4.3.0 - Cross-Site Scripting
Cross-site Scripting (XSS) - DOM in hakimel/reveal.js
28RISK
open
Nucleicritical
WordPress Nirweb Support <2.8.2 - SQL Injection
Nirweb support < 2.8.2 - Unauthenticated SQLi
23RISK
open
Nucleihigh
Multiple Shipping Address Woocommerce < 2.0 - SQL Injection
Multiple Shipping Address Woocommerce < 2.0 - Unauthenticated SQLi
18RISK
open
Nucleicritical
WordPress Title Experiments Free <9.0.1 - SQL Injection
Title Experiments Free < 9.0.1 - Unauthenticated SQLi
23RISK
open
Nucleicritical
WordPress Daily Prayer Time <2022.03.01 - SQL Injection
Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
18RISK
open
Nucleicritical
WordPress KiviCare <2.3.9 - SQL Injection
KiviCare < 2.3.9 - Unauthenticated SQLi
23RISK
open
Nucleicritical
Limit Login Attempts (Spam Protection) < 5.1 - SQL Injection
Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi
18RISK
open
Nucleicritical
WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection
WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
18RISK
open
Nucleicritical
Ubigeo de Peru < 3.6.4 - SQL Injection
Ubigeo de Peru < 3.6.4 - Unauthenticated SQLi
18RISK
open
Nucleicritical
WordPress BadgeOS <=3.7.0 - SQL Injection
BadgeOS <= 3.7.0 - Unauthenticated SQLi
23RISK
open
Nucleihigh
Webmin <1.990 - Improper Access Control
Improper Access Control to Remote Code Execution in webmin/webmin
78RISK
open
Nucleicritical
WordPress WP Video Gallery <=1.7.1 - SQL Injection
WP Video Gallery <= 1.7.1 - Unauthenticated SQLi
18RISK
open
Nucleicritical
WordPress Best Books <=2.6.3 - SQL Injection
Bestbooks <= 2.6.3 - Unauthenticated SQLi
18RISK
open
Nucleicritical
SpeakOut Email Petitions < 2.14.15.1 - SQL Injection
SpeakOut! Email Petitions < 2.14.15.1 - Unauthenticated SQLi
18RISK
open
Nucleimedium
UpdraftPlus < 1.22.9 - Cross-Site Scripting
UpdraftPlus < 1.22.9 - Reflected Cross-Site Scripting
18RISK
open
Nucleicritical
WordPress ARPrice <3.6.1 - SQL Injection
ARPrice Lite < 3.6.1 - Unauthenticated SQLi
23RISK
open
Nucleimedium
nitely/spirit 0.12.3 - Open Redirect
Multiple Open Redirect in nitely/spirit
28RISK
open
Nucleimedium
Gogs <0.12.5 - Server-Side Request Forgery
Server-Side Request Forgery (SSRF) in gogs/gogs
28RISK
open
Nucleimedium
WordPress Gmedia Photo Gallery Plugin < 1.20.0 - Cross-Site Scripting
Gmedia Photo Gallery < 1.20.0 - Admin+ Stored Cross-Site Scripting
18RISK
open
Nucleimedium
Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting
Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting
18RISK
open
Nucleicritical
Member Hero <=1.0.9 - Remote Code Execution
Member Hero <= 1.0.9 - Unauthenticated RCE
18RISK
open
Nucleimedium
Header Footer Code Manager < 1.1.24 - Cross-Site Scripting
Header Footer Code Manager < 1.1.24 - Reflected Cross-Site Scripting
18RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.