Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,180cataloged exploits
31,691CVEs with public exploitation
0lab-tested
13,140 exploits
GitHub PoC
Exploiting Parsec for Windows to gain SYSTEM privileges
CVE-2026-54424HIGH08 May 2026
An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Pri
41RISK
open
GitHub PoC
A Rust honeypot that simulates a vulnerable cPanel/WHM instance for CVE-2026-41940
CVE-2026-41940CRITICALunder attackransomware08 May 2026
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RISK
open
GitHub PoC
Tracking CVE-2026-43284
CVE-2026-43284HIGH08 May 2026
xfrm: esp: avoid in-place decrypt on shared skb frags
78RISK
open
GitHub PoC
CVE-2025-58434 Proof of Concept
CVE-2025-58434CRITICAL08 May 2026
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
75RISK
open
GitHub PoC
EspoCRM 9.3.3 - Authenticated SSRF via Alternative IPv4 Notation
CVE-2026-33534MEDIUM08 May 2026
EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation
48RISK
open
GitHub PoC
Full exploit chain lab and Suricata IDS detection for CVE-2022-30190 (Follina) - MSDT RCE
CVE-2022-30190HIGHunder attackransomware08 May 2026
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
100RISK
open
GitHub PoC
Vulnerability Research and Exploit for CVE-2019-10149
CVE-2019-10149CRITICALunder attack07 May 2026
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message(
100RISK
open
GitHub PoC
CVE-2025-6440
CVE-2025-6440CRITICAL07 May 2026
WooCommerce Designer Pro <= 1.9.26 - Unauthenticated Arbitrary File Upload
60RISK
open
GitHub PoC
CVE-2026-44590 - Sherlock <= v0.16.0 - RCE via pull_request_target Injection → Supply Chain Compromise
CVE-2026-44590CRITICAL07 May 2026
Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml
28RISK
open
GitHub PoC
borahll/CVE-2021-21220
CVE-2021-21220HIGHunder attack07 May 2026
Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to po
100RISK
open
GitHub PoC2
Advisory: CVE-2026-38360 path traversal (CWE-22) in dash-uploader (Python/PyPI)
CVE-2026-38360CRITICAL07 May 2026
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execut
43RISK
open
GitHub PoC3
One-liner Python LPE for CVE-2026-31431 (CopyFail2). No compilation, no dependencies beyond Python+OpenSSL. Just curl | python3 and get root on Linux 6.5+.
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC
Advisory: CVE-2026-38361 multiple DoS vulnerabilities (CWE-400/CWE-670) in dash-uploader (Python/PyPI)
CVE-2026-38361HIGH07 May 2026
Multiple unauthenticated denial-of-service (DoS) issues in fohrloop dash-uploader v0.1.0 through v0.7.0a2. The chunked-u
36RISK
open
GitHub PoC2
Math.js Expression Parser RCE
CVE-2026-40897HIGH07 May 2026
Math.js: Unsafe object property setter in mathjs
41RISK
open
GitHub PoC1
cve-2026-41940 cPanel/WHM Authentication Bypass - Detection Artifact Generator
CVE-2026-41940CRITICALunder attackransomware07 May 2026
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RISK
open
GitHub PoC1
Automatic script written in python for CVE-2009-3999
CVE-2009-399907 May 2026
Stack-based buffer overflow in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to ex
60RISK
open
GitHub PoC1
HTB Snapped — Hard Linux machine writeup. CVE-2026-27944 (Nginx UI unauthenticated backup disclosure) chained with CVE-2026-3888 (snapd race condition LPE) to achieve full system compromise.
CVE-2026-27944CRITICAL07 May 2026
Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure
68RISK
open
GitHub PoC1
CVE-2026-23918 Apache mod_http2 Double-Free Detector
CVE-2026-23918HIGH07 May 2026
Apache HTTP Server: http2: double free and possible RCE on early reset
53RISK
open
GitHub PoC
CVE-2026-3844
CVE-2026-3844CRITICAL07 May 2026
Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote
75RISK
open
GitHub PoC
Caliburn9/CVE-2023-21716-Analysis-ICT287
CVE-2023-21716CRITICAL07 May 2026
Microsoft Word Remote Code Execution Vulnerability
70RISK
open
GitHub PoC
adilkurtulmus/linux-copy-fail-CVE-2026-31431
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC
CVE-2026-31431 (Copy Fail) novel exploit: live code corruption via page cache. Overwrites libc exit() code through MAP_PRIVATE page sharing — affects ALL running processes.
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC
Discovery and original disclosure of CVE-2026-31431: Theori / Xint. Public writeup: https://copy.fail/.
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC1
CVE-2026-31431 Copy Fail
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC33
CVE-2026-23631 (DarkReplica) Redis Exploit
CVE-2026-23631MEDIUM07 May 2026
redis-server Lua use-after-free may allow remote code execution
33RISK
open
GitHub PoC
CVE-2026-31431, AKA Copy Fail, can be mitigated in one-line with bpftrace
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC
abdelkabirouadoukou/CVE-2026-31431-Analysis-and-Fix
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC171
Next.js v16.2.4 Security PoC Collection (CVE-2026-23870, CVE-2026-44575, CVE-2026-44579, CVE-2026-44574, CVE-2026-44578, CVE-2026-44573, CVE-2026-44581, CVE-2026-44580, CVE-2026-44577, CVE-2026-44576, CVE-2026-44582, CVE-2026-44572)
CVE-2026-23870HIGH07 May 2026
A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpo
41RISK
open
GitHub PoC
julichaan/CVE-2026-31431-python-copyfail-POC
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC1
FlowiseAI CVE-2025-58434 & CVE-2025-59528 exploit PoC, demonstrating unauthenticated ATO via reset token leakage, followed by authenticated RCE. Includes a reproductible Docker lab environment.
CVE-2025-58434CRITICAL07 May 2026
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
75RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.