Public exploitation
Exploit catalog
Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.
71,180cataloged exploits
31,691CVEs with public exploitation
0lab-tested
AllExploit-DB 22,469Referência 19,841GitHub PoC 13,140VulnCheck XDB 8,078Nuclei 4,190Metasploit 3,462✓ verified onlyrecentpopularrisk
4,190 exploits
Nucleimedium
WordPress GiveWP <2.17.3 - Cross-Site Scripting
Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting
18RISK
open ↗Nucleimedium
WordPress Ocean Extra <1.9.5 - Cross-Site Scripting
Ocean Extra < 1.9.5 - Reflected Cross-Site Scripting
18RISK
open ↗Nucleimedium
WordPress English Admin <1.5.2 - Open Redirect
English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
18RISK
open ↗Nucleimedium
WordPress WHMCS Bridge <6.4b - Cross-Site Scripting
WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
18RISK
open ↗Nucleicritical
WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection
Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection
40RISK
open ↗Nucleimedium
Yoast SEO 16.7-17.2 - Information Disclosure
Yoast SEO 16.7-17.2 - Unauthenticated Full Path Disclosure
18RISK
open ↗Nucleimedium
Easy Social Feed < 6.2.7 - Cross-Site Scripting
Easy Social Feed < 6.2.7 - Reflected Cross-Site Scripting
18RISK
open ↗Nucleimedium
Aruba Instant Access Point (IAP) - Cross-Site Scripting
A remote cross-site scripting (xss) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in ve
43RISK
open ↗Nucleicritical
SaltStack Salt <3002.5 - Auth Bypass
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel
40RISK
open ↗Nucleihigh
Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi
100RISK
open ↗Nucleihigh
Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi
98RISK
open ↗Nucleihigh
Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi
100RISK
open ↗Nucleimedium
Nagios XI 5.7.5 - Cross-Site Scripting
Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/na
40RISK
open ↗Nucleihigh
Apache Druid - Remote Code Execution
Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.
60RISK
open ↗Nucleihigh
Hue Magic 3.0.0 - Local File Inclusion
node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in fil
18RISK
open ↗Nucleihigh
Void Aural Rec Monitor 9.0.0.1 - SQL Injection
An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. An unauthenticated attacker can send a craft
23RISK
open ↗Nucleimedium
Atlassian Confluence < 5.8.6 - Server-Side Request Forgery
The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers
30RISK
open ↗Nucleicritical
Confluence Server - Remote Code Execution
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an un
100RISK
open ↗Nucleimedium
Atlassian Confluence Server - Local File Inclusion
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authoriza
100RISK
open ↗Nucleimedium
Atlassian Jira Limited - Local File Inclusion
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path tr
100RISK
open ↗Nucleimedium
Cacti - Cross-Site Scripting
As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" t
18RISK
open ↗Nucleihigh
AfterLogic Aurora and WebMail Pro < 7.7.9 - Information Disclosure
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal
23RISK
open ↗Nucleicritical
Apache OFBiz <17.12.06 - Arbitrary Code Execution
RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
60RISK
open ↗Nucleimedium
EPrints 3.4.2 - Cross-Site Scripting
EPrints 3.4.2 exposes a reflected XSS opportunity in the via a cgi/cal URI.
18RISK
open ↗Nucleimedium
ImpressCMS <1.4.3 - Incorrect Authorization
ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated atta
23RISK
open ↗Nucleihigh
ImpressCMS < 1.4.3 - SQL Injection
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
43RISK
open ↗Nucleimedium
EPrints 3.4.2 - Cross-Site Scripting
EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to the cgi/dataset_dictionary URI.
18RISK
open ↗Nucleimedium
Redwood Report2Web 4.3.4.5 & 4.5.3 - Cross-Site Scripting
A cross-site scripting (XSS) issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to
18RISK
open ↗Nucleimedium
Jenzabar 9.2x-9.2.2 - Cross-Site Scripting
Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS.
23RISK
open ↗Nucleimedium
Moodle Jitsi Meet 2.7-2.8.3 - Cross-Site Scripting
Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin for Moodle via the "sessionpriv.php" module. This
40RISK
open ↗We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.