Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,180cataloged exploits
31,691CVEs with public exploitation
0lab-tested
4,190 exploits
Nucleihigh
Jeecg Boot <= 2.4.5 - Sensitive Information Disclosure
An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and vi
36RISK
open
Nucleicritical
Zoho ManageEngine ServiceDesk Plus - Authentication Bypass
CVE-2021-37415CRITICALunder attack
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs w
95RISK
open
Nucleimedium
Zoho ManageEngine ADSelfService Plus <=6103 - Cross-Site Scripting
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
18RISK
open
Nucleicritical
PrestaShop SmartBlog <4.0.6 - SQL Injection
Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthentica
40RISK
open
Nucleimedium
Tiny Java Web Server - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS
18RISK
open
Nucleicritical
Apache ShenYu Admin JWT - Authentication Bypass
Apache ShenYu Admin bypass JWT authentication
50RISK
open
Nucleihigh
Virtua Software Cobranca <12R - Blind SQL Injection
Virtua Cobranca before 12R allows SQL Injection on the login page.
43RISK
open
Nucleimedium
WP Cerber < 8.9.3 - Broken Access Control
WP Cerber before 8.9.3 allows bypass of /wp-json access control via a trailing ? character.
18RISK
open
Nucleimedium
phpfastcache - phpinfo Resource Exposure
Exposed phpinfo() in PhpFastCache
28RISK
open
Nucleimedium
Hotel Druid 3.0.2 - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid applic
18RISK
open
Nucleihigh
Wipro Holmes Orchestrator 20.4.1 - Arbitrary File Download
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary
23RISK
open
Nucleihigh
Wipro Holmes Orchestrator 20.4.1 - Information Disclosure
Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as report
30RISK
open
Nucleihigh
Canon Devices - Authentication Bypass in Catwalk Server
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server
18RISK
open
Nucleimedium
Nagios XI < 5.8.6 - Cross-Site Scripting
In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a
40RISK
open
Nucleimedium
Gnuboard 5 - Cross-Site Scripting
Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5
36RISK
open
Nucleimedium
WordPress Redux Framework <=4.2.11 - Information Disclosure
Gutenberg Template Library & Redux Framework <= 4.2.11 Sensitive Information Disclosure
33RISK
open
Nucleicritical
Apache Airflow - Unauthenticated Variable Import
Apache Airflow: Variable Import endpoint missed authentication check
40RISK
open
Nucleicritical
Microsoft Open Management Infrastructure - Remote Code Execution
CVE-2021-38647CRITICALunder attackransomware
Open Management Infrastructure Remote Code Execution Vulnerability
100RISK
open
Nucleimedium
Cyberoam NetGenie Cross-Site Scripting
Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 allow tweb/ft.php?u=[XSS] attacks.
18RISK
open
Nucleimedium
ClinicCases 7.3.3 Cross-Site Scripting
Multiple reflected cross-site scripting (XSS) vulnerabilities in ClinicCases 7.3.3 allow unauthenticated attackers to in
18RISK
open
Nucleimedium
ExponentCMS <= 2.6 - Host Header Injection
A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can cha
18RISK
open
Nucleihigh
XStream 1.4.18 - Remote Code Execution
XStream is vulnerable to an Arbitrary Code Execution attack
41RISK
open
Nucleihigh
XStream 1.4.18 - Remote Code Execution
CVE-2021-39144HIGHunder attack
XStream is vulnerable to a Remote Command Execution attack
100RISK
open
Nucleihigh
XStream 1.4.18 - Arbitrary Code Execution
XStream is vulnerable to an Arbitrary Code Execution attack
41RISK
open
Nucleihigh
XStream <1.4.18 - Server-Side Request Forgery
A Server-Side Forgery Request vulnerability in XStream via HashMap unmarshaling
41RISK
open
Nucleimedium
Cachet <=2.3.18 - SQL Injection
Unauthenticated SQL Injection
36RISK
open
Nucleimedium
GLPI 9.2/<9.5.6 - Information Disclosure
Disclosure of GLPI and server information in telemetry endpoint
28RISK
open
Nucleihigh
Grafana Snapshot - Authentication Bypass
CVE-2021-39226CRITICALunder attack
Snapshot authentication bypass in grafana
95RISK
open
Nucleihigh
WordPress True Ranker <2.2.4 - Local File Inclusion
True Ranker <= 2.2.2 Directory Traversal/Arbitrary File Read
78RISK
open
Nucleihigh
WordPress DZS Zoomsounds <=6.50 - Local File Inclusion
ZoomSounds <= 6.45 Unauthenticated Directory Traversal and Sensitive Information Dislosure
68RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.