Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,053cataloged exploits
31,617CVEs with public exploitation
0lab-tested
22,467 exploits
Exploit-DB
Horilla v1.3 - RCE
CVE-2025-48868HIGH08 Apr 2026
Horilla vulnerable to authenticated RCE via eval() in project_bulk_archive
41RISK
open
Exploit-DB
Desktop Window Manager Core Library 10.0.10240.0 - Privilege Escalation
CVE-2025-59254HIGH06 Apr 2026
Microsoft DWM Core Library Elevation of Privilege Vulnerability
41RISK
open
Exploit-DB
Fortinet FortiWeb v8.0.1 - Auth Bypass
CVE-2025-64446CRITICALunder attack06 Apr 2026
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb
100RISK
open
Exploit-DB
Windows Kernel - Elevation of Privilege
CVE-2025-62215HIGHunder attack06 Apr 2026
Windows Kernel Elevation of Privilege Vulnerability
71RISK
open
Exploit-DB
ASP.net 8.0.10 - Bypass
CVE-2025-55315CRITICAL06 Apr 2026
ASP.NET Security Feature Bypass Vulnerability
60RISK
open
Exploit-DB
mailcow 2025-01a - Host Header Password Reset Poisoning
CVE-2025-25198HIGH03 Mar 2026
mailcow: dockerized vulnerable to password reset poisoning
41RISK
open
Exploit-DB
Boss Mini v1.4.0 - Local File Inclusion (LFI)
CVE-2023-3643HIGH03 Mar 2026
Boss Mini document file inclusion
78RISK
open
Exploit-DB
WordPress Backup Migration 1.3.7 - Remote Command Execution
CVE-2023-6553CRITICAL03 Mar 2026
Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
85RISK
open
Exploit-DB
motionEye 0.43.1b4 - RCE
CVE-2025-60787HIGH11 Feb 2026
MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name
61RISK
open
Exploit-DB
OctoPrint 1.11.2 - File Upload
CVE-2025-58180HIGH04 Feb 2026
OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload
46RISK
open
Exploit-DB
Docker Desktop 4.44.3 - Unauthenticated API Exposure
CVE-2025-9074CRITICAL04 Feb 2026
Docker Desktop allows unauthenticated access to Docker Engine API from containers
48RISK
open
Exploit-DB
Siklu EtherHaul Series EH-8010 - Remote Command Execution
CVE-2025-57174CRITICAL17 Jan 2026
An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and p
48RISK
open
Exploit-DB
FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
CVE-2025-14558HIGH25 Dec 2025
Remote code execution via ND6 Router Advertisements
56RISK
open
Exploit-DB
esm-dev 136 - Path Traversal
CVE-2025-59342MEDIUM16 Dec 2025
esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header
48RISK
open
Exploit-DB
Pluck 4.7.7-dev2 - PHP Code Execution
CVE-2018-1173608 Dec 2025
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute a
23RISK
open
Exploit-DB
phpMyAdmin 5.0.0 - SQL Injection
CVE-2020-550403 Dec 2025
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could
35RISK
open
Exploit-DB
MaNGOSWebV4 4.0.6 - Reflected XSS
CVE-2017-647803 Dec 2025
paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter).
38RISK
open
Exploit-DB
PluckCMS 4.7.10 - Unrestricted File Upload
CVE-2020-20969HIGH03 Dec 2025
File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_resto
41RISK
open
Exploit-DB
OpenRepeater 2.1 - OS Command Injection
CVE-2019-2502403 Dec 2025
OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_sy
28RISK
open
Exploit-DB
phpMyFaq 2.9.8 - Cross Site Request Forgery (CSRF)
CVE-2017-1580803 Dec 2025
In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php.
23RISK
open
Exploit-DB
RosarioSIS 6.7.2 - Cross-Site Scripting (XSS)
CVE-2020-1571803 Dec 2025
RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php sc
38RISK
open
Exploit-DB
RosarioSIS 6.7.2 - Cross Site Scripting (XSS)
CVE-2020-1571603 Dec 2025
RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php scrip
23RISK
open
Exploit-DB
phpMyFAQ 2.9.8 - Cross-Site Request Forgery (CSRF)
CVE-2017-1573503 Dec 2025
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary.
23RISK
open
Exploit-DB
MobileDetect 2.8.31 - Cross-Site Scripting (XSS)
CVE-2018-25080LOW03 Dec 2025
MobileDetect Example session_example.php initLayoutType cross site scripting
28RISK
open
Exploit-DB
openSIS Community Edition 8.0 - SQL Injection
CVE-2021-4061703 Dec 2025
An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.
23RISK
open
Exploit-DB
phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF)
CVE-2017-1573403 Dec 2025
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php.
23RISK
open
Exploit-DB
phpIPAM 1.4 - SQL-Injection
CVE-2019-1669303 Dec 2025
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.
23RISK
open
Exploit-DB
Django 5.1.13 - SQL Injection
CVE-2025-64459CRITICAL03 Dec 2025
Potential SQL injection via _connector keyword argument in QuerySet and Q objects
53RISK
open
Exploit-DB
phpIPAM 1.6 - Reflected-Cross-Site Scripting (XSS)
CVE-2024-41357HIGH02 Dec 2025
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php.
41RISK
open
Exploit-DB
phpIPAM 1.6 - Reflected Cross-Site Scripting (XSS)
CVE-2024-41358MEDIUM02 Dec 2025
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php.
33RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.