Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.044exploits catalogados
31.616CVEs con explotación pública
0probados en laboratorio
3462 exploits
Metasploit500
HP Poly Voice Unauthenticated Remote Code Execution
CVE-2026-0826CRITICAL01 jun 2026
Poly Voice – Possible Remote Control of Certain Poly Devices
48RIESGO
abrir
Metasploit300
Linux Kernel __ptrace_may_access() Exit Race chage File Disclosure
CVE-2026-46333HIGH14 may 2026
ptrace: slightly saner 'get_dumpable()' logic
56RIESGO
abrir
Metasploit400
rxkad Page-Cache Write via CVE-2026-43500
CVE-2026-43500HIGH08 may 2026
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
78RIESGO
abrir
Metasploit400
xfrm-ESP Page-Cache Write via CVE-2026-43284
CVE-2026-43284HIGH08 may 2026
xfrm: esp: avoid in-place decrypt on shared skb frags
78RIESGO
abrir
Metasploit600
Dalfox Found-Action Deserialization RCE
CVE-2026-45087CRITICAL07 may 2026
Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
43RIESGO
abrir
Metasploit300
Cisco Catalyst SD-WAN Controller vHub Authentication Bypass
CVE-2026-20182CRITICALbajo ataque07 may 2026
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
100RIESGO
abrir
Metasploit600
Apache ActiveMQ RCE via Jolokia addNetworkConnector
CVE-2026-34197HIGHbajo ataque29 abr 2026
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
100RIESGO
abrir
Metasploit600
Copy Fail AF_ALG + authencesn Page-Cache Write
CVE-2026-31431HIGHbajo ataque29 abr 2026
crypto: algif_aead - Revert to operating out-of-place
100RIESGO
abrir
Metasploit600
cPanel/WHM CRLF Injection Authentication Bypass RCE
CVE-2026-41940CRITICALbajo ataqueransomware28 abr 2026
WebPros cPanel and WHM Authentication Bypass via Login Flow
100RIESGO
abrir
Metasploit600
Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload
CVE-2026-34413HIGH22 abr 2026
Xerte Online Toolkits Missing Authentication via connector.php
56RIESGO
abrir
Metasploit600
Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload
CVE-2026-34415CRITICAL22 abr 2026
Xerte Online Toolkits File Upload RCE via elfinder Connector
63RIESGO
abrir
Metasploit600
Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload
CVE-2026-41459MEDIUM22 abr 2026
Xerte Online Toolkits Path Disclosure via /setup
48RIESGO
abrir
Metasploit600
Flowise CSV Agent Prompt Injection RCE
CVE-2026-41264CRITICAL22 abr 2026
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
43RIESGO
abrir
Metasploit600
Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload
CVE-2026-34414HIGH22 abr 2026
Xerte Online Toolkits Path Traversal via connector.php
56RIESGO
abrir
Metasploit300
BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner
CVE-2026-42208CRITICALbajo ataque20 abr 2026
LiteLLM: SQL injection in Proxy API key verification
100RIESGO
abrir
Metasploit600
Paperclip AI RCE using a chain of six API calls (CVE-2026-41679).
CVE-2026-41679CRITICAL10 abr 2026
Paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
43RIESGO
abrir
Metasploit600
Supsystic Contact Form Wordpress Plugin SSTI RCE
CVE-2026-4257CRITICAL30 mar 2026
Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
75RIESGO
abrir
Metasploit300
Citrix ADC (NetScaler) CVE-2026-3055 Scanner
CVE-2026-3055CRITICALbajo ataque23 mar 2026
Insufficient input validation leading to memory overread
95RIESGO
abrir
Metasploit600
AVideo Encoder getImage.php Unauthenticated Command Injection
CVE-2026-29058CRITICAL05 mar 2026
AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php
43RIESGO
abrir
Metasploit300
AVideo Unauthenticated SQL Injection Credential Dump
CVE-2026-28501CRITICAL05 mar 2026
WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
43RIESGO
abrir
Metasploit600
FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass
CVE-2026-28289CRITICAL01 mar 2026
FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution
55RIESGO
abrir
Metasploit600
FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass
CVE-2026-27636HIGH01 mar 2026
FreeScout: Missing .htaccess in Restricted File Extensions Allows Remote Code Execution on Apache
36RIESGO
abrir
Metasploit600
openDCIM install.php SQL Injection to RCE
CVE-2026-28515CRITICAL28 feb 2026
openDCIM <= 23.04 Missing Authorization in install.php
63RIESGO
abrir
Metasploit600
openDCIM install.php SQL Injection to RCE
CVE-2026-28516CRITICAL28 feb 2026
openDCIM <= 23.04 SQL Injection in Config::UpdateParameter
43RIESGO
abrir
Metasploit600
openDCIM install.php SQL Injection to RCE
CVE-2026-28517CRITICAL28 feb 2026
openDCIM <= 23.04 OS Command Injection via dot Configuration Parameter
63RIESGO
abrir
Metasploit600
Langflow RCE
CVE-2026-27966CRITICAL25 feb 2026
Langflow has Remote Code Execution in CSV Agent
55RIESGO
abrir
Metasploit300
Cisco Catalyst SD-WAN Controller Authentication Bypass
CVE-2026-20127CRITICALbajo ataque25 feb 2026
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
100RIESGO
abrir
Metasploit500
GrandStream GXP1600 Unauthenticated Remote Code Execution
CVE-2026-2329CRITICAL18 feb 2026
Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow
75RIESGO
abrir
Metasploit600
MajorDoMo Supply Chain RCE via Update Poisoning
CVE-2026-27180CRITICAL18 feb 2026
MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning
43RIESGO
abrir
Metasploit600
MajorDoMo Console Eval Unauthenticated RCE
CVE-2026-27174CRITICAL18 feb 2026
MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval
63RIESGO
abrir
página 1 / 116siguiente

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.