Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,044cataloged exploits
31,616CVEs with public exploitation
0lab-tested
22,467 exploits
Exploit-DB
NiceGUI 3.6.1 - Path Traversal
CVE-2026-25732HIGH30 Apr 2026
NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write
41RISK
open
Exploit-DB
Js2Py 0.74 - RCE
CVE-2024-28397MEDIUM30 Apr 2026
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a
48RISK
open
Exploit-DB
Windows 11 25H2 - Heap Overflow
CVE-2026-21244HIGH30 Apr 2026
Windows Hyper-V Remote Code Execution Vulnerability
41RISK
open
Exploit-DB
Windows 11 25H2 - Heap Overflow
CVE-2026-21248HIGH30 Apr 2026
Windows Hyper-V Remote Code Execution Vulnerability
41RISK
open
Exploit-DB
FUXA 1.2.8 - Authentication Bypass + RCE Exploit
CVE-2025-69985CRITICAL30 Apr 2026
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnera
48RISK
open
Exploit-DB
Repetier-Server 1.4.10 - Path Traversal
CVE-2026-26335CRITICAL30 Apr 2026
Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE
48RISK
open
Exploit-DB
Erugo 0.2.14 - Remote Code Execution (RCE)
CVE-2026-24897CRITICAL30 Apr 2026
Authenticated Remote Code Execution via Arbitrary File Upload
48RISK
open
Exploit-DB
Frigate NVR 0.16.3 - Remote Code Execution
CVE-2026-25643CRITICAL30 Apr 2026
Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape
48RISK
open
Exploit-DB
Google Chrome 145.0.7632.75 - CSSFontFeatureValuesMap
CVE-2026-2441HIGHunder attack30 Apr 2026
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside
76RISK
open
Exploit-DB
HUSTOJ Zip-Slip v26.01.24 - RCE
CVE-2026-24479CRITICAL30 Apr 2026
HUSTOJ has Arbitrary File Write (Zip Slip) in Problem Import Modules that leads to RCE
63RISK
open
Exploit-DB
SUSE Manager 4.3.15 - Code Execution
CVE-2025-46811CRITICAL30 Apr 2026
SUSE Multi Linux Manager allows code execution via unprotected websocket endpoint
53RISK
open
Exploit-DB
Python-Multipart 0.0.22 - Path Traversal
CVE-2026-24486HIGH30 Apr 2026
Python-Multipart has Arbitrary File Write via Non-Default Configuration
41RISK
open
Exploit-DB
Camaleon CMS v2.9.0 - Path Traversal
CVE-2024-46987HIGH30 Apr 2026
Arbitrary path traversal in Camaleon CMS
61RISK
open
Exploit-DB
Windows 11 23H2 - Denial of Service (DoS)
CVE-2025-47987HIGH30 Apr 2026
Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability
41RISK
open
Exploit-DB
JUNG Smart Visu Server 1.1.1050 - Dos
CVE-2026-26235HIGH30 Apr 2026
JUNG Smart Visu Server 1.1.1050 - 'JUNG Smart Visu Server' Missing Authentication
41RISK
open
Exploit-DB
GeographicLib v2.5.1 - stack buffer overflow
CVE-2025-60751HIGH29 Apr 2026
GeographicLib 2.5 is vulnerable to Buffer Overflow in GeoConvert DMS::InternalDecode.
41RISK
open
Exploit-DB
GUnet OpenEclass E-learning platform < 4.2 - Remote Code Execution (RCE)
CVE-2026-22241HIGH29 Apr 2026
Open eClass has Unrestricted File Upload that Leads to Remote Code Execution (RCE)
41RISK
open
Exploit-DB
LangChain Core 1.2.4 - SSTI/RCE
CVE-2025-68664CRITICAL29 Apr 2026
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
53RISK
open
Exploit-DB
phpMyFAQ 4.0.16 - Improper Authorization
CVE-2026-24421MEDIUM29 Apr 2026
phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user
33RISK
open
Exploit-DB
GNU InetUtils 2.6 - Telnetd Remote Privilege Escalation
CVE-2026-24061CRITICALunder attack29 Apr 2026
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment
100RISK
open
Exploit-DB
Craft CMS 5.6.16 - RCE
CVE-2025-32432CRITICALunder attack29 Apr 2026
Craft CMS Allows Remote Code Execution
100RISK
open
Exploit-DB
HAX CMS 24.x - Stored Cross-Site Scripting (XSS)
CVE-2026-22704HIGH29 Apr 2026
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
41RISK
open
Exploit-DB
Atlona ATOMERX21 - Authenticated Command Injection
CVE-2024-30167MEDIUM29 Apr 2026
/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allow remote authenticated users to execute arbitrary comm
33RISK
open
Exploit-DB
Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation
CVE-2025-7771HIGH22 Apr 2026
Code Execution / Escalation of Privileges in ThrottleStop
41RISK
open
Exploit-DB
React Server 19.2.0 - Remote Code Execution
CVE-2025-55182CRITICALunder attackransomware09 Apr 2026
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RISK
open
Exploit-DB
xibocms 3.3.4 - RCE
CVE-2023-33177HIGH08 Apr 2026
Xibo CMS vulnerable to Remote Code Execution through Zip Slip
41RISK
open
Exploit-DB
Microsoft MMC MSC EvilTwin - Local Admin Creation
CVE-2025-26633HIGHunder attackransomware08 Apr 2026
Microsoft Management Console Security Feature Bypass Vulnerability
83RISK
open
Exploit-DB
SQLite 3.50.1 - Heap Overflow
CVE-2025-6965HIGH08 Apr 2026
Integer Truncation on SQLite
63RISK
open
Exploit-DB
FortiWeb 8.0.2 - Remote Code Execution
CVE-2025-64446CRITICALunder attack08 Apr 2026
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb
100RISK
open
Exploit-DB
7-Zip 24.00 - Directory Traversal
CVE-2025-11001HIGH08 Apr 2026
7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability
46RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.