Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
22,467 exploits
Exploit-DB
Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path
CVE-2022-2390907 Apr 2022
There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might
23RISK
open
Exploit-DB
Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)
CVE-2019-1712430 Mar 2022
Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.
28RISK
open
Exploit-DB
ImpressCMS 1.4.2 - Remote Code Execution (RCE)
CVE-2021-2659930 Mar 2022
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
43RISK
open
Exploit-DB
WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS
CVE-2021-2440530 Mar 2022
Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting
28RISK
open
Exploit-DB
Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
CVE-2021-44529CRITICALunder attackransomware22 Mar 2022
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execut
100RISK
open
Exploit-DB
iRZ Mobile Router - CSRF to RCE
CVE-2022-2722622 Mar 2022
A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in
35RISK
open
Exploit-DB
Apache APISIX 2.12.1 - Remote Code Execution (RCE)
CVE-2022-24112CRITICALunder attack16 Mar 2022
apisix/batch-requests plugin allows overwriting the X-REAL-IP header
100RISK
open
Exploit-DB
Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
CVE-2021-4501016 Mar 2022
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7
45RISK
open
Exploit-DB
Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)
CVE-2022-2696516 Mar 2022
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remot
35RISK
open
Exploit-DB
Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
CVE-2021-4096416 Mar 2022
A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to
23RISK
open
Exploit-DB
Webmin 1.984 - Remote Code Execution (Authenticated)
CVE-2022-0824HIGH09 Mar 2022
Improper Access Control to Remote Code Execution in webmin/webmin
78RISK
open
Exploit-DB
Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)
CVE-2022-0847HIGHunder attack08 Mar 2022
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in cop
100RISK
open
Exploit-DB
Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
CVE-2022-22947CRITICALunder attack07 Mar 2022
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack whe
100RISK
open
Exploit-DB
part-db 0.5.11 - Remote Code Execution (RCE)
CVE-2022-0848CRITICAL07 Mar 2022
OS Command Injection in part-db/part-db
60RISK
open
Exploit-DB
Xerte 3.10.3 - Directory Traversal (Authenticated)
CVE-2021-4466502 Mar 2022
A Directory Traversal vulnerability exists in the Xerte Project Xerte through 3.10.3 when downloading a project file via
23RISK
open
Exploit-DB
Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
CVE-2021-4466402 Mar 2022
An Authenticated Remote Code Exection (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupl
28RISK
open
Exploit-DB
Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
CVE-2021-4638702 Mar 2022
ZyXEL ZyWALL 2 Plus Internet Security Appliance is affected by Cross Site Scripting (XSS). Insecure URI handling leads t
43RISK
open
Exploit-DB
Casdoor 1.13.0 - SQL Injection (Unauthenticated)
CVE-2022-2412428 Feb 2022
The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as d
50RISK
open
Exploit-DB
ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD
CVE-2022-2535923 Feb 2022
On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1.03.07 devices, unauthenticated remote attackers can overwrite, dele
35RISK
open
Exploit-DB
Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
CVE-2021-4509221 Feb 2022
Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection vi
50RISK
open
Exploit-DB
WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)
CVE-2021-2507621 Feb 2022
WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting
28RISK
open
Exploit-DB
WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)
CVE-2021-2476221 Feb 2022
Perfect Survey < 1.5.2 - Unauthenticated SQL Injection
60RISK
open
Exploit-DB
Thinfinity VirtualUI 2.5.26.2 - Information Disclosure
CVE-2021-4635421 Feb 2022
Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vuln
28RISK
open
Exploit-DB
FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
CVE-2022-2524121 Feb 2022
In FileCloud before 21.3, the CSV user import functionality is vulnerable to Cross-Site Request Forgery (CSRF).
23RISK
open
Exploit-DB
Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)
CVE-2021-43062MEDIUM18 Feb 2022
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0
53RISK
open
Exploit-DB
Hotel Druid 3.0.3 - Remote Code Execution (RCE)
CVE-2022-2290918 Feb 2022
HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attack
35RISK
open
Exploit-DB
WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
CVE-2022-044118 Feb 2022
MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation
60RISK
open
Exploit-DB
WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
CVE-2021-2496616 Feb 2022
Error Log Viewer Plugin <= 1.1.1 - Admin+ Arbitrary File Clearing
23RISK
open
Exploit-DB
ServiceNow - Username Enumeration
CVE-2021-4590116 Feb 2022
The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending
28RISK
open
Exploit-DB
WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)
CVE-2021-2493110 Feb 2022
Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
60RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.