Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,171cataloged exploits
31,690CVEs with public exploitation
0lab-tested
AllExploit-DB 22,469Referência 19,841GitHub PoC 13,140VulnCheck XDB 8,069Nuclei 4,190Metasploit 3,462✓ verified onlyrecentpopularrisk
4,190 exploits
Nucleihigh
Odoo Apps - Cross-Site Scripting via Prototype Pollution
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a m
18RISK
open ↗Nucleicritical
Buffalo WSR-2533DHPL2 - Path Traversal
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3
95RISK
open ↗Nucleihigh
Buffalo WSR-2533DHPL2 - Configuration File Injection
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not pr
18RISK
open ↗Nucleihigh
Buffalo WSR-2533DHPL2 - Improper Access Control
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not pr
18RISK
open ↗Nucleihigh
TCExam <= 14.8.1 - Sensitive Information Exposure
When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the
18RISK
open ↗Nucleihigh
Draytek VigorConnect 1.6.0-B - Local File Inclusion
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the D
88RISK
open ↗Nucleihigh
Draytek VigorConnect 6.0-B3 - Local File Inclusion
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the W
78RISK
open ↗Nucleimedium
Gryphon Tower - Cross-Site Scripting
A reflected cross-site scripting vulnerability exists in the url parameter of the /cgi-bin/luci/site_access/ page on the
18RISK
open ↗Nucleimedium
Trendnet AC2600 TEW-827DRU - Credentials Disclosure
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authe
30RISK
open ↗Nucleicritical
Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauth
23RISK
open ↗Nucleihigh
Netgear RAX43 1.0.3.96 - Command Injection/Authentication Bypass Buffer Overrun
Netgear RAX43 version 1.0.3.96 contains a command injection vulnerability. The readycloud cgi application is vulnerable
18RISK
open ↗Nucleimedium
Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.
30RISK
open ↗Nucleicritical
Acmailer - Improper Access Control to OS Command Injection
Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows
18RISK
open ↗Nucleimedium
WordPress Quiz and Survey Master <7.1.14 - Cross-Site Scripting
Cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.1.14 allows a remote attacker to inject
18RISK
open ↗Nucleicritical
MovableType - Remote Command Injection
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movab
60RISK
open ↗Nucleimedium
Adobe ColdFusion - Cross-Site Scripting
ColdFusion Improper neutralization of web input during page generation could lead to arbitrary JavaScript execution in the browser
40RISK
open ↗Nucleihigh
MinIO Browser API - Server-Side Request Forgery
Server-Side Request Forgery in MinIO Browser API
41RISK
open ↗Nucleihigh
Node.JS System Information Library <5.3.1 - Remote Command Injection
Command Injection Vulnerability
100RISK
open ↗Nucleicritical
XStream < 1.4.16 - Remote Code Execution
XStream is vulnerable to a Remote Command Execution attack
50RISK
open ↗Nucleicritical
Oracle WebLogic Server - Remote Code Execution
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Coherence Container). Suppor
43RISK
open ↗Nucleicritical
XStream <1.4.16 - Remote Code Execution
XStream is vulnerable to an Arbitrary Code Execution attack
50RISK
open ↗Nucleihigh
BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
BuddyPress privilege escalation via REST API
61RISK
open ↗Nucleimedium
Jellyfin <10.7.0 - Local File Inclusion
Unauthenticated Arbitrary File Access in Jellyfin
78RISK
open ↗Nucleicritical
SCIMono <0.0.19 - Remote Code Execution
In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availabi
41RISK
open ↗Nucleimedium
ZTE MF971R - Referer authentication bypass
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use th
30RISK
open ↗Nucleimedium
Advantech R-SeeNet 2.4.12 - Cross-Site Scripting
Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (2
48RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.