Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
22,469 exploits
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2515715 Jul 2021
A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s
28RISK
open
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2515515 Jul 2021
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in v
28RISK
open
Exploit-DB
Aruba Instant (IAP) - Remote Code Execution
CVE-2021-2516115 Jul 2021
A remote cross-site scripting (xss) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in ve
43RISK
open
Exploit-DB
Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)
CVE-2021-3176214 Jul 2021
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users fea
23RISK
open
Exploit-DB
Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
CVE-2019-022113 Jul 2021
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided
50RISK
open
Exploit-DB
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
CVE-2018-1513913 Jul 2021
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote
28RISK
open
Exploit-DB
Apache Tomcat 9.0.0.M1 - Open Redirect
CVE-2018-1178413 Jul 2021
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a r
60RISK
open
Exploit-DB
Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)
CVE-2021-2291107 Jul 2021
A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti
60RISK
open
Exploit-DB
WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
CVE-2018-1587707 Jul 2021
The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell meta
60RISK
open
Exploit-DB
Pallets Werkzeug 0.15.4 - Path Traversal
CVE-2019-1432206 Jul 2021
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
50RISK
open
Exploit-DB
Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)
CVE-2021-2415505 Jul 2021
Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
60RISK
open
Exploit-DB
Scratch Desktop 3.17 - Remote Code Execution
CVE-2020-7750CRITICAL02 Jul 2021
Cross-site Scripting (XSS)
48RISK
open
Exploit-DB
AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)
CVE-2021-3595602 Jul 2021
Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote aut
23RISK
open
Exploit-DB
Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)
CVE-2021-2414502 Jul 2021
Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
60RISK
open
Exploit-DB
Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
CVE-2021-2414602 Jul 2021
Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
50RISK
open
Exploit-DB
Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
CVE-2020-35948CRITICAL01 Jul 2021
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated atta
53RISK
open
Exploit-DB
ES File Explorer 4.1.9.7.4 - Arbitrary File Read
CVE-2019-644729 Jun 2021
The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary fi
50RISK
open
Exploit-DB
Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
CVE-2021-2607828 Jun 2021
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before
23RISK
open
Exploit-DB
Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)
CVE-2019-1274425 Jun 2021
SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a differe
28RISK
open
Exploit-DB
Adobe ColdFusion 8 - Remote Command Execution (RCE)
CVE-2009-226524 Jun 2021
Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable fil
60RISK
open
Exploit-DB
TP-Link TL-WR841N - Command Injection
CVE-2020-3557624 Jun 2021
A Command Injection issue in the traceroute feature on TP-Link TL-WR841N V13 (JP) with firmware versions prior to 201216
35RISK
open
Exploit-DB
VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)
CVE-2021-21972CRITICALunder attackransomware24 Jun 2021
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor
100RISK
open
Exploit-DB
WordPress Plugin WP Google Maps 8.1.11 - Stored Cross-Site Scripting (XSS)
CVE-2021-2438323 Jun 2021
WP Google Maps < 8.1.12 - Authenticated Stored Cross-Site Scripting (XSS)
23RISK
open
Exploit-DB
Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
CVE-2021-3230521 Jun 2021
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search paramet
60RISK
open
Exploit-DB
Solaris SunSSH 11.0 x86 - libpam Remote Root (3)
CVE-2020-14871CRITICALunder attack21 Jun 2021
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported ve
100RISK
open
Exploit-DB
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)
CVE-2019-1453021 Jun 2021
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can
50RISK
open
Exploit-DB
Node.JS - 'node-serialize' Remote Code Execution (3)
CVE-2017-594118 Jun 2021
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() fu
35RISK
open
Exploit-DB
Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration
CVE-2021-3115917 Jun 2021
Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-messag
28RISK
open
Exploit-DB
OpenEMR 5.0.1.3 - Authentication Bypass
CVE-2018-1515216 Jun 2021
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote
28RISK
open
Exploit-DB
Polkit 0.105-26 0.117-2 - Local Privilege Escalation
CVE-2021-3560HIGHunder attack15 Jun 2021
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privile
91RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.