Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,292cataloged exploits
31,741CVEs with public exploitation
0lab-tested
71,284 exploits
Exploit-DB
NocoBase 2.0.27 - VM Sandbox Escape
CVE-2026-34156CRITICAL07 May 2026
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
75RISK
open
VulnCheck XDB
initial-access
CVE-2026-41940CRITICALunder attackransomware07 May 2026
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RISK
open
Exploit-DB
Bludit CMS 3.18.4 - RCE
CVE-2026-25099HIGH07 May 2026
Remote Code Execution via Unrestricted File Upload in Bludit
41RISK
open
GitHub PoC
CVE-2026-44590 - Sherlock <= v0.16.0 - RCE via pull_request_target Injection → Supply Chain Compromise
CVE-2026-44590CRITICAL07 May 2026
Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml
28RISK
open
GitHub PoC
Discovery and original disclosure of CVE-2026-31431: Theori / Xint. Public writeup: https://copy.fail/.
CVE-2026-31431HIGHunder attack07 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
VulnCheck XDB
initial-access
CVE-2026-3844CRITICAL07 May 2026
Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote
75RISK
open
VulnCheck XDB
info-leak
CVE-2026-27944CRITICAL06 May 2026
Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure
68RISK
open
VulnCheck XDB
initial-access
CVE-2026-41940CRITICALunder attackransomware06 May 2026
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RISK
open
VulnCheck XDB
local
CVE-2026-31431HIGHunder attack06 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
VulnCheck XDB
local
CVE-2026-31431HIGHunder attack06 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
VulnCheck XDB
local
CVE-2026-31431HIGHunder attack06 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC1
mawussid/CVE-2026-41651-Python
CVE-2026-41651HIGH06 May 2026
PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root
41RISK
open
VulnCheck XDB
initial-access
CVE-2025-4632CRITICALunder attack06 May 2026
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 2
98RISK
open
GitHub PoC
MartinaStarone/CVE-2026-2441
CVE-2026-2441HIGHunder attack06 May 2026
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside
76RISK
open
GitHub PoC
Analysis of network scan results, service vulnerabilities, OS fingerprinting, and critical Nessus findings including Ghostcat (CVE-2020-1938).
CVE-2020-1938CRITICALunder attack06 May 2026
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomc
100RISK
open
GitHub PoC
This repository contains an academic and technical analysis of CVE-2023-34362, a critical SQL injection vulnerability affecting the MOVEit Transfer application, a widely used enterprise Managed File Transfer (MFT) platform. The project was developed as part of the CYB625 – Ethical Hacking & Penetration Testing course at Pace University.
CVE-2023-34362CRITICALunder attackransomware06 May 2026
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.
100RISK
open
GitHub PoC12
mitigation of cve-2026-31431 using ftrace
CVE-2026-31431HIGHunder attack06 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
VulnCheck XDB
local
CVE-2026-31431HIGHunder attack06 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
VulnCheck XDB
local
CVE-2026-31431HIGHunder attack06 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
VulnCheck XDB
initial-access
CVE-2024-22120CRITICAL06 May 2026
Time Based SQL Injection in Zabbix Server Audit Log
70RISK
open
VulnCheck XDB
local
CVE-2011-124906 May 2026
The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vis
23RISK
open
GitHub PoC1
Test authentication bypass vulnerabilities in cPanel and WHM using this proof of concept exploit tool written in Go.
CVE-2026-41940CRITICALunder attackransomware06 May 2026
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RISK
open
GitHub PoC
C implementation for researching Copy Fail (CVE-2026-31431)
CVE-2026-31431HIGHunder attack06 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
VulnCheck XDB
info-leak
CVE-2024-4040CRITICALunder attack06 May 2026
Unauthenticated arbitrary file read and remote code execution in CrushFTP
100RISK
open
GitHub PoC12
CVE-2026-41940 Auto Root Login
CVE-2026-41940CRITICALunder attackransomware06 May 2026
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RISK
open
GitHub PoC1
PoC for CVE-2026-41940: WHM/cPanel authentication bypass chain (Python 2.7). For authorized security research and testing only.
CVE-2026-41940CRITICALunder attackransomware06 May 2026
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RISK
open
GitHub PoC
Proof-of-concept for CVE-2024-4040 (CrushFTP SSTI -> unauthenticated LFI) in a controlled CS443 lab environment - for educational/authorised use only.
CVE-2024-4040CRITICALunder attack06 May 2026
Unauthenticated arbitrary file read and remote code execution in CrushFTP
100RISK
open
GitHub PoC3
Exploit CVE-2026-31431 on Linux using a Rust implementation to achieve local privilege escalation via an arbitrary page cache write primitive.
CVE-2026-31431HIGHunder attack06 May 2026
crypto: algif_aead - Revert to operating out-of-place
100RISK
open
GitHub PoC1
Zimbra Path Traversal (CVE-2025-68645) - Unauthenticated file read vulnerability in Zimbra Collaboration Suite
CVE-2025-68645HIGHunder attack06 May 2026
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1
98RISK
open
GitHub PoC1
Proof-of-concept exploit for CVE-2024-22120 that leverages time-based SQL injection and gopher-based SSRF to achieve remote code execution on vulnerable Zabbix servers for educational security research.
CVE-2024-22120CRITICAL06 May 2026
Time Based SQL Injection in Zabbix Server Audit Log
70RISK
open
previouspage 69 / 2,377next

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.