Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
22,467 exploits
Exploit-DB
phpIPAM 1.6 - Reflected-Cross-Site Scripting (XSS)
CVE-2024-41357HIGH02 Dec 2025
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php.
41RISK
open
Exploit-DB
phpIPAM 1.5.1 - SQL Injection
CVE-2023-1211HIGH02 Dec 2025
SQL Injection in phpipam/phpipam
41RISK
open
Exploit-DB
YOURLS 1.8.2 - Cross-Site Request Forgery (CSRF)
CVE-2022-0088LOW02 Dec 2025
Cross-Site Request Forgery (CSRF) in yourls/yourls
28RISK
open
Exploit-DB
Piwigo 13.6.0 - SQL Injection
CVE-2023-33362CRITICAL02 Dec 2025
Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.
48RISK
open
Exploit-DB
Flowise 3.0.4 - Remote Code Execution (RCE)
CVE-2025-59528CRITICAL31 Oct 2025
Flowise has Remote Code Execution vulnerability
85RISK
open
Exploit-DB
Casdoor 2.95.0 - Cross-Site Request Forgery (CSRF)
CVE-2023-3492729 Oct 2025
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
23RISK
open
Exploit-DB
HTTP/2 2.0 - Denial Of Service (DOS)
CVE-2023-44487HIGHunder attack16 Sep 2025
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many
93RISK
open
Exploit-DB
ClipBucket 5.5.0 - Arbitrary File Upload
CVE-2025-55912HIGH16 Sep 2025
An issue in ClipBucket 5.5.0 and prior versions allows an unauthenticated attacker can exploit the plupload endpoint in
41RISK
open
Exploit-DB
XWiki Platform 15.10.10 - Metasploit Module for Remote Code Execution (RCE)
CVE-2025-24893CRITICALunder attack16 Sep 2025
Remote code execution as guest via SolrSearchMacros request in xwiki
100RISK
open
Exploit-DB
Casdoor 2.55.0 - Cross-Site Request Forgery (CSRF)
CVE-2023-3492716 Sep 2025
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
23RISK
open
Exploit-DB
HTMLDOC 1.9.13 - Stack Buffer Overflow
CVE-2021-4357916 Sep 2025
A stack-based buffer overflow in image_load_bmp() in HTMLDOC <= 1.9.13 results in remote code execution if the victim co
23RISK
open
Exploit-DB
Tourism Management System 2.0 - Arbitrary Shell Upload
CVE-2025-57642HIGH16 Sep 2025
A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP she
41RISK
open
Exploit-DB
Mbed TLS 3.6.4 - Use-After-Free
CVE-2025-47917HIGH16 Sep 2025
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance wit
41RISK
open
Exploit-DB
dotCMS 25.07.02-1 - Authenticated Blind SQL Injection
CVE-2025-8311CRITICAL16 Sep 2025
dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpo
48RISK
open
Exploit-DB
Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure
CVE-2025-6082MEDIUM26 Aug 2025
Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure
33RISK
open
Exploit-DB
Ivanti Endpoint Manager Mobile 12.5.0.0 - Authentication Bypass
CVE-2025-4427MEDIUMunder attack26 Aug 2025
Authentication Bypass
100RISK
open
Exploit-DB
GeoVision ASManager Windows Application 6.1.2.0 - Remote Code Execution (RCE)
CVE-2025-26264HIGH26 Aug 2025
GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerabili
46RISK
open
Exploit-DB
GeoVision ASManager Windows Application 6.1.2.0 - Credentials Disclosure
CVE-2025-26263MEDIUM26 Aug 2025
GeoVision ASManager Windows desktop application with the version 6.1.2.0 or less (fixed in 6.2.0), is vulnerable to cred
33RISK
open
Exploit-DB
StoryChief Wordpress Plugin 1.0.42 - Arbitrary File Upload
CVE-2025-7441CRITICAL26 Aug 2025
StoryChief <= 1.0.42 - Unauthenticated Arbitrary File Upload
75RISK
open
Exploit-DB
RiteCMS 3.0.0 - Reflected Cross Site Scripting (XSS)
CVE-2024-28623MEDIUM18 Aug 2025
RiteCMS v3.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component main_menu/edit_sec
48RISK
open
Exploit-DB
PHPMyAdmin 3.0 - Bruteforce Login Bypass
CVE-2015-683018 Aug 2025
libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allo
23RISK
open
Exploit-DB
Microsoft Windows 10.0.19045 - NTLMv2 Hash Disclosure
CVE-2025-50154MEDIUM18 Aug 2025
Microsoft Windows File Explorer Spoofing Vulnerability
38RISK
open
Exploit-DB
Tenda AC20 16.03.08.12 - Command Injection
CVE-2025-9090MEDIUM18 Aug 2025
Tenda AC20 Telnet Service telnet websFormDefine command injection
38RISK
open
Exploit-DB
Lantronix Provisioning Manager 7.10.3 - XML External Entity Injection (XXE)
CVE-2025-7766HIGH18 Aug 2025
Lantronix Provisioning Manager Improper Restriction of XML External Entity Reference
41RISK
open
Exploit-DB
BigAnt Office Messenger 5.6.06 - SQL Injection
CVE-2024-54761MEDIUM18 Aug 2025
BigAnt Office Messenger 5.6.06 is vulnerable to SQL Injection via the 'dev_code' parameter.
33RISK
open
Exploit-DB
ServiceNow Multiple Versions - Input Validation & Template Injection
CVE-2024-4879CRITICALunder attack11 Aug 2025
Jelly Template Injection Vulnerability in ServiceNow UI Macros
100RISK
open
Exploit-DB
JetBrains TeamCity 2023.11.4 - Authentication Bypass
CVE-2024-27198CRITICALunder attackransomware11 Aug 2025
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
100RISK
open
Exploit-DB
Citrix NetScaler ADC/Gateway 14.1 - Memory Disclosure
CVE-2025-5777CRITICALunder attackransomware11 Aug 2025
NetScaler ADC and NetScaler Gateway - Insufficient input validation leading to memory overread
100RISK
open
Exploit-DB
Belkin F9K1009 F9K1010 2.00.04/2.00.09 - Hard Coded Credentials
CVE-2025-8730CRITICAL11 Aug 2025
Belkin F9K1009/F9K1010 Web Interface hard-coded credentials
48RISK
open
Exploit-DB
Microsoft Edge Renderer Process (Mojo IPC) 134.0.6998.177 - Sandbox Escape
CVE-2025-2783HIGHunder attack11 Aug 2025
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allow
71RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.