Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,105cataloged exploits
31,648CVEs with public exploitation
0lab-tested
22,469 exploits
Exploit-DB
WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
CVE-2021-2496616 Feb 2022
Error Log Viewer Plugin <= 1.1.1 - Admin+ Arbitrary File Clearing
23RISK
open
Exploit-DB
Hospital Management Startup 1.0 - 'Multiple' SQLi
CVE-2022-2336610 Feb 2022
HMS v1.0 was discovered to contain a SQL injection vulnerability via patientlogin.php.
23RISK
open
Exploit-DB
WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)
CVE-2021-2493110 Feb 2022
Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
60RISK
open
Exploit-DB
AtomCMS v2.0 - SQLi
CVE-2022-2422309 Feb 2022
AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php.
50RISK
open
Exploit-DB
Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
CVE-2020-3574908 Feb 2022
Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2
50RISK
open
Exploit-DB
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)
CVE-2019-1881808 Feb 2022
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/s
60RISK
open
Exploit-DB
Hospital Management System 4.0 - 'multiple' SQL Injection
CVE-2022-2426308 Feb 2022
Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-m
23RISK
open
Exploit-DB
FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)
CVE-2021-4639808 Feb 2022
A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor use
23RISK
open
Exploit-DB
WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)
CVE-2021-2490108 Feb 2022
Security Audit <= 1.0.0 - Admin+ Stored Cross Site Scripting
23RISK
open
Exploit-DB
WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)
CVE-2022-044808 Feb 2022
CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting
23RISK
open
Exploit-DB
Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)
CVE-2022-2283204 Feb 2022
An issue was discovered in Servisnet Tessa 0.0.2. Authorization data is available via an unauthenticated /data-service/u
28RISK
open
Exploit-DB
Servisnet Tessa - Privilege Escalation (Metasploit)
CVE-2022-2283304 Feb 2022
An issue was discovered in Servisnet Tessa 0.0.2. An attacker can obtain sensitive information via a /js/app.js request.
28RISK
open
Exploit-DB
Chamilo LMS 1.11.14 - Account Takeover
CVE-2021-3739102 Feb 2022
A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator
23RISK
open
Exploit-DB
Mozilla Firefox 67 - Array.pop JIT Type Confusion
CVE-2019-11707HIGHunder attack02 Feb 2022
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow
83RISK
open
Exploit-DB
Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
CVE-2015-932302 Feb 2022
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
50RISK
open
Exploit-DB
WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)
CVE-2021-2430002 Feb 2022
PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)
43RISK
open
Exploit-DB
PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
CVE-2017-9841CRITICALunder attack02 Feb 2022
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
100RISK
open
Exploit-DB
WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
CVE-2021-2448802 Feb 2022
Post Grid < 2.1.8 - Reflected Cross-Site Scripting (XSS)
43RISK
open
Exploit-DB
Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
CVE-2021-24786HIGH02 Feb 2022
Download Monitor < 4.4.5 - Admin+ SQL Injection
61RISK
open
Exploit-DB
Moodle 3.11.4 - SQL Injection
CVE-2022-033202 Feb 2022
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web serv
35RISK
open
Exploit-DB
WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming
CVE-2022-037702 Feb 2022
LearnPress < 4.1.5 - Arbitrary Image Renaming
23RISK
open
Exploit-DB
WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
CVE-2021-2424702 Feb 2022
Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)
23RISK
open
Exploit-DB
WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
CVE-2021-2492602 Feb 2022
Domain Check < 1.0.17 - Reflected Cross-Site Scripting
43RISK
open
Exploit-DB
WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)
CVE-2021-2490427 Jan 2022
Mortgage Calculators WP < 1.56 - Admin+ Stored Cross-Site Scripting
23RISK
open
Exploit-DB
WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
CVE-2021-2494627 Jan 2022
Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
60RISK
open
Exploit-DB
WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
CVE-2021-2486227 Jan 2022
RegistrationMagic < 5.0.1.6 - Admin+ SQL Injection
60RISK
open
Exploit-DB
Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion
CVE-2022-21371HIGH27 Jan 2022
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported ve
78RISK
open
Exploit-DB
PolicyKit-1 0.105-31 - Privilege Escalation
CVE-2021-4034HIGHunder attack27 Jan 2022
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool
100RISK
open
Exploit-DB
PHPIPAM 1.4.4 - SQLi (Authenticated)
CVE-2022-2304625 Jan 2022
PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a su
28RISK
open
Exploit-DB
Creston Web Interface 1.0.0.2159 - Credential Disclosure
CVE-2022-2317818 Jan 2022
An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI
60RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.