Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,114cataloged exploits
31,649CVEs with public exploitation
0lab-tested
4,188 exploits
Nucleimedium
PlaceOS 1.2109.1 - Open Redirection
PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
23RISK
open
Nucleimedium
i-Panel Administration System 2.0 - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enable
38RISK
open
Nucleimedium
GitLab GraphQL API User Enumeration
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Priv
70RISK
open
Nucleimedium
Resourcespace - Cross-Site Scripting
ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_ss
40RISK
open
Nucleicritical
Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
CVE-2021-42013CRITICALunder attackransomware
Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
100RISK
open
Nucleimedium
SAP Knowledge Warehouse <=7.5.0 - Cross-Site Scripting
A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage
43RISK
open
Nucleicritical
Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection
In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharac
50RISK
open
Nucleihigh
KONGA 0.14.9 - Privilege Escalation
Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to pri
18RISK
open
Nucleicritical
Sitecore Experience Platform Pre-Auth RCE
CVE-2021-42237CRITICALunder attackransomware
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it
100RISK
open
Nucleicritical
BillQuick Web Suite SQL Injection
CVE-2021-42258CRITICALunder attackransomware
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution
95RISK
open
Nucleihigh
WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Arbitrary Post Deletion
WP DSGVO Tools (GDPR) <= 3.1.23 Unauthenticated Arbitrary Post Deletion
36RISK
open
Nucleimedium
NetBiblio WebOPAC - Cross-Site Scripting
Reflected XSS in NetBiblio WebOPAC search functionality
28RISK
open
Nucleimedium
myfactory FMS - Cross-Site Scripting
myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
38RISK
open
Nucleimedium
myfactory FMS - Cross-Site Scripting
myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
38RISK
open
Nucleimedium
Apereo CAS Cross-Site Scripting
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
18RISK
open
Nucleicritical
D-Link DIR-615 - Unauthorized Access
The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be accessed directly without auth
30RISK
open
Nucleimedium
Sourcecodester Online Event Booking and Reservation System 2.3.0 - Cross-Site Scripting
An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via th
18RISK
open
Nucleicritical
Online Event Booking and Reservation System 2.3.0 - SQL Injection
A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-manag
23RISK
open
Nucleicritical
TOTOLINK EX1200T 4.1.2cu.5215 - Authentication Bypass
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
30RISK
open
Nucleimedium
Fortinet FortiMail 7.0.1 - Cross-Site Scripting
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0
53RISK
open
Nucleihigh
Pre-Auth Takeover of Build Pipelines in GoCD
An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default,
43RISK
open
Nucleicritical
Studio-42 elFinder <2.1.60 - Arbitrary File Upload
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remot
30RISK
open
Nucleihigh
AlquistManager Local File Inclusion
AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnera
18RISK
open
Nucleihigh
Clustering Local File Inclusion
Clustering master branch as of commit 53e663e259bcfc8cdecb56c0bb255bd70bfcaa70 is affected by a directory traversal vuln
23RISK
open
Nucleicritical
Sourcecodester Simple Client Management System 1.0 - SQL Injection
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login
18RISK
open
Nucleimedium
Atmail 6.5.0 - Cross-Site Scripting
WebAdmin Control Panel in Atmail 6.5.0 (a version released in 2012) allows XSS via the format parameter to the default U
18RISK
open
Nucleimedium
Spotweb <= 1.5.1 - Cross Site Scripting (Reflected)
There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remot
18RISK
open
Nucleihigh
kkFileview v4.0.0 - Local File Inclusion
kkFileview v4.0.0 has arbitrary file read through a directory traversal vulnerability which may lead to sensitive file l
23RISK
open
Nucleicritical
WordPress Automatic Plugin - Unauthenticated Options Change
WordPress Automatic Plugin <= 3.53.2 - Unauthenticated Arbitrary Options Update
48RISK
open
Nucleihigh
GLPI plugin Barcode < 2.6.1 - Path Traversal Vulnerability.
Path traversal in GLPI barcode plugin
75RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.