Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,180cataloged exploits
31,691CVEs with public exploitation
0lab-tested
4,190 exploits
Nucleimedium
Spotweb <= 1.5.1 - Cross Site Scripting
Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote
18RISK
open
Nucleimedium
Spotweb <= 1.5.1 - Cross Site Scripting
Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote
18RISK
open
Nucleihigh
MKdocs 1.2.2 - Directory Traversal
The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obt
23RISK
open
Nucleihigh
Aurelia-Path < 1.1.7 - Prototype Pollution
Prototype pollution in aurelia-path
43RISK
open
Nucleimedium
Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
XSS vulnerability allowing arbitrary JavaScript execution
50RISK
open
Nucleimedium
Redash Setup Configuration - Default Secrets Disclosure
Insecure default configuration
36RISK
open
Nucleicritical
MinIO Operator Console Authentication Bypass
Authentication bypass issue in the Operator Console
48RISK
open
Nucleihigh
Metabase - Local File Inclusion
CVE-2021-41277CRITICALunder attack
GeoJSON URL validation can expose server files and environment variables to unauthorized users
100RISK
open
Nucleihigh
pfSense - Arbitrary File Write
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data abo
40RISK
open
Nucleihigh
ECOA Building Automation System - Directory Traversal Content Disclosure
ECOA BAS controller - Path Traversal-1
58RISK
open
Nucleihigh
ECOA Building Automation System - Arbitrary File Retrieval
ECOA BAS controller - Path Traversal-3
41RISK
open
Nucleimedium
Microsoft Exchange Server Pre-Auth POST Based Cross-Site Scripting
Microsoft Exchange Server Spoofing Vulnerability
70RISK
open
Nucleihigh
Payara Micro Community 5.2021.6 Directory Traversal
Payara Micro Community 5.2021.6 and below allows Directory Traversal.
50RISK
open
Nucleicritical
QVIS NVR/DVR - Remote Code Execution
QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.
18RISK
open
Nucleimedium
FlatPress 1.2.1 - Stored Cross-Site Scripting
A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaS
18RISK
open
Nucleihigh
ECShop 4.1.0 - SQL Injection
ECShop 4.1.0 has SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information.
18RISK
open
Nucleimedium
JustWriting - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow rem
18RISK
open
Nucleihigh
SAS/Internet 9.4 1520 - Local File Inclusion
SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the app
18RISK
open
Nucleihigh
PuneethReddyHC action.php SQL Injection
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId
23RISK
open
Nucleicritical
PuneethReddyHC Online Shopping System homeaction.php SQL Injection
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php c
30RISK
open
Nucleicritical
TP-Link - OS Command Injection
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to r
60RISK
open
Nucleihigh
openSIS Student Information System 8.0 SQL Injection
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TR
43RISK
open
Nucleicritical
CraftCMS SEOmatic - Server-Side Template Injection
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Si
23RISK
open
Nucleihigh
Apache 2.4.49 - Path Traversal and Remote Code Execution
CVE-2021-41773HIGHunder attackransomware
Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
100RISK
open
Nucleimedium
PlaceOS 1.2109.1 - Open Redirection
PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
23RISK
open
Nucleimedium
i-Panel Administration System 2.0 - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enable
38RISK
open
Nucleimedium
GitLab GraphQL API User Enumeration
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Priv
70RISK
open
Nucleimedium
Resourcespace - Cross-Site Scripting
ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_ss
40RISK
open
Nucleicritical
Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
CVE-2021-42013CRITICALunder attackransomware
Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
100RISK
open
Nucleimedium
SAP Knowledge Warehouse <=7.5.0 - Cross-Site Scripting
A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage
43RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.