Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
22,469 exploits
Exploit-DB
WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
CVE-2021-34621CRITICAL31 Aug 2021
ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation
75RISK
open
Exploit-DB
Strapi 3.0.0-beta - Set Password (Unauthenticated)
CVE-2019-1881830 Aug 2021
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/s
60RISK
open
Exploit-DB
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
CVE-2019-1960930 Aug 2021
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin c
35RISK
open
Exploit-DB
HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)
CVE-2021-344125 Aug 2021
A potential security vulnerability has been identified for the HP OfficeJet 7110 Wide Format ePrinter that enables Cross
23RISK
open
Exploit-DB
crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
CVE-2006-123618 Aug 2021
Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrar
28RISK
open
Exploit-DB
SonicWall NetExtender 10.2.0.300 - Unquoted Service Path
CVE-2020-514717 Aug 2021
SonicWall NetExtender Windows client vulnerable to unquoted service path vulnerability, this allows a local attacker to
23RISK
open
Exploit-DB
Altova MobileTogether Server 7.3 - XML External Entity Injection (XXE)
CVE-2021-3742512 Aug 2021
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workfl
35RISK
open
Exploit-DB
Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
CVE-2020-3584710 Aug 2021
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.
60RISK
open
Exploit-DB
Amica Prodigy 1.7 - Privilege Escalation
CVE-2021-3531210 Aug 2021
A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy's executable "RemoteBackup.Serv
23RISK
open
Exploit-DB
Xiaomi browser 10.2.4.g - Browser Search History Disclosure
CVE-2018-2052310 Aug 2021
Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider
28RISK
open
Exploit-DB
Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
CVE-2020-3584810 Aug 2021
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.
60RISK
open
Exploit-DB
CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)
CVE-2021-3665405 Aug 2021
CMSuno 1.7 is vulnerable to an authenticated stored cross site scripting in modifying the filename parameter (tgo) while
23RISK
open
Exploit-DB
qdPM 9.1 - Remote Code Execution (Authenticated)
CVE-2020-724604 Aug 2021
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code
60RISK
open
Exploit-DB
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)
CVE-2020-949604 Aug 2021
XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
60RISK
open
Exploit-DB
CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF)
CVE-2021-2999529 Jul 2021
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute
23RISK
open
Exploit-DB
Elasticsearch ECE 7.13.3 - Anonymous Database Dump
CVE-2021-2214626 Jul 2021
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
28RISK
open
Exploit-DB
Microsoft SharePoint Server 2019 - Remote Code Execution (2)
CVE-2020-1147HIGHunder attack23 Jul 2021
A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the softwar
100RISK
open
Exploit-DB
ElasticSearch 7.13.3 - Memory disclosure
CVE-2021-2214523 Jul 2021
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the abil
60RISK
open
Exploit-DB
Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
CVE-2021-3176120 Jul 2021
Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's ru
35RISK
open
Exploit-DB
WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
CVE-2020-601019 Jul 2021
LearnPress Wordpress plugin version prior and including 3.2.6.7 is vulnerable to SQL Injection
50RISK
open
Exploit-DB
PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
CVE-2021-3759319 Jul 2021
PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQ
23RISK
open
Exploit-DB
Aruba Instant 8.7.1.0 - Arbitrary File Modification
CVE-2021-2515516 Jul 2021
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in v
28RISK
open
Exploit-DB
ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)
CVE-2021-35464CRITICALunder attackransomware16 Jul 2021
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pa
100RISK
open
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2516215 Jul 2021
A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products
28RISK
open
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2516115 Jul 2021
A remote cross-site scripting (xss) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in ve
43RISK
open
Exploit-DB
WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
CVE-2021-42362HIGH15 Jul 2021
WordPress Popular Posts <= 5.3.2 Authenticated Arbitrary File Upload
78RISK
open
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2515815 Jul 2021
A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s
35RISK
open
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2515715 Jul 2021
A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s
28RISK
open
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2516015 Jul 2021
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in v
23RISK
open
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2515615 Jul 2021
A remote arbitrary directory create vulnerability was discovered in some Aruba Instant Access Point (IAP) products in ve
35RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.