Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,171cataloged exploits
31,690CVEs with public exploitation
0lab-tested
4,190 exploits
Nucleihigh
Odoo Apps - Cross-Site Scripting via Prototype Pollution
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a m
18RISK
open
Nucleicritical
Buffalo WSR-2533DHPL2 - Path Traversal
CVE-2021-20090CRITICALunder attack
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3
95RISK
open
Nucleihigh
Buffalo WSR-2533DHPL2 - Configuration File Injection
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not pr
18RISK
open
Nucleihigh
Buffalo WSR-2533DHPL2 - Improper Access Control
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not pr
18RISK
open
Nucleihigh
TCExam <= 14.8.1 - Sensitive Information Exposure
When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the
18RISK
open
Nucleihigh
Draytek VigorConnect 1.6.0-B - Local File Inclusion
CVE-2021-20123HIGHunder attack
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the D
88RISK
open
Nucleihigh
Draytek VigorConnect 6.0-B3 - Local File Inclusion
CVE-2021-20124HIGHunder attack
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the W
78RISK
open
Nucleimedium
Gryphon Tower - Cross-Site Scripting
A reflected cross-site scripting vulnerability exists in the url parameter of the /cgi-bin/luci/site_access/ page on the
18RISK
open
Nucleimedium
Trendnet AC2600 TEW-827DRU - Credentials Disclosure
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authe
30RISK
open
Nucleicritical
Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauth
23RISK
open
Nucleihigh
Netgear RAX43 1.0.3.96 - Command Injection/Authentication Bypass Buffer Overrun
Netgear RAX43 version 1.0.3.96 contains a command injection vulnerability. The readycloud cgi application is vulnerable
18RISK
open
Nucleimedium
Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.
30RISK
open
Nucleicritical
Acmailer - Improper Access Control to OS Command Injection
Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows
18RISK
open
Nucleimedium
WordPress Quiz and Survey Master <7.1.14 - Cross-Site Scripting
Cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.1.14 allows a remote attacker to inject
18RISK
open
Nucleicritical
MovableType - Remote Command Injection
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movab
60RISK
open
Nucleimedium
Adobe ColdFusion - Cross-Site Scripting
ColdFusion Improper neutralization of web input during page generation could lead to arbitrary JavaScript execution in the browser
40RISK
open
Nucleihigh
Spring Boot Actuator Logview Directory Traversal
Directory Traversal
61RISK
open
Nucleihigh
OneDev < 4.0.3 - User Access Token Leak
Pre-Auth Access token leak
48RISK
open
Nucleihigh
MinIO Browser API - Server-Side Request Forgery
Server-Side Request Forgery in MinIO Browser API
41RISK
open
Nucleicritical
Lucee Admin - Remote Code Execution
Remote Code Exploit in Lucee Admin
78RISK
open
Nucleihigh
Adminer <4.7.9 - Server-Side Request Forgery
CVE-2021-21311HIGHunder attack
SSRF in adminer
100RISK
open
Nucleihigh
Node.JS System Information Library <5.3.1 - Remote Command Injection
CVE-2021-21315HIGHunder attack
Command Injection Vulnerability
100RISK
open
Nucleicritical
XStream < 1.4.16 - Remote Code Execution
XStream is vulnerable to a Remote Command Execution attack
50RISK
open
Nucleicritical
Oracle WebLogic Server - Remote Code Execution
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Coherence Container). Suppor
43RISK
open
Nucleicritical
XStream <1.4.16 - Remote Code Execution
XStream is vulnerable to an Arbitrary Code Execution attack
50RISK
open
Nucleihigh
BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
BuddyPress privilege escalation via REST API
61RISK
open
Nucleimedium
Jellyfin <10.7.0 - Local File Inclusion
Unauthenticated Arbitrary File Access in Jellyfin
78RISK
open
Nucleicritical
SCIMono <0.0.19 - Remote Code Execution
In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availabi
41RISK
open
Nucleimedium
ZTE MF971R - Referer authentication bypass
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use th
30RISK
open
Nucleimedium
Advantech R-SeeNet 2.4.12 - Cross-Site Scripting
Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (2
48RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.