Explotación pública
Catálogo de exploits
Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.
71.114exploits catalogados
31.649CVEs con explotación pública
0probados en laboratorio
TodosExploit-DB 22.469Referência 19.810GitHub PoC 13.116VulnCheck XDB 8069Nuclei 4188Metasploit 3462✓ solo verificadosrecientespopularesriesgo
71.114 exploits
GitHub PoC★ 1
CVE-2026-48866 — Gravity Forms <= 2.10.0.1 Arbitrary File Deletion via Path Traversal (CVSS 9.6)
WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability
48RIESGO
abrir ↗GitHub PoC★ 4
CVE-2026-49975 HTTP/2 Stream Amplification — Docker PoC with Web Console
Apache HTTP Server: mod_http2 denial of service
46RIESGO
abrir ↗GitHub PoC
react2shell - CVE-2025-55182 (Next.js: CVE-2025-66478) - Unauthenticated RCE in React Server Components (Flight Protocol) - PoC Exploit
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RIESGO
abrir ↗GitHub PoC
yurahshell/CVE-2025-55182
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RIESGO
abrir ↗GitHub PoC
react CVE-2025-55182
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1
100RIESGO
abrir ↗GitHub PoC★ 1
horrister/log4shell-cve-2021-44228
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
100RIESGO
abrir ↗GitHub PoC
Improved Metasploit module for CVE-2013-6117 (Dahua DVR authentication bypass)
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive informatio
60RIESGO
abrir ↗VulnCheck XDB
initial-access
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
100RIESGO
abrir ↗GitHub PoC
0-Click RCE Android Adb TLS Wireless Debugging
In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic err
41RIESGO
abrir ↗GitHub PoC
Dhananjayasj/CVE-2024-1698-NotificationX-WordPress-Plugin-SQL-Injection-to-Admin-Credential-Extraction
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor <= 2.8.2 - Unauthenticated SQL Injection
85RIESGO
abrir ↗GitHub PoC★ 1
horrister/solarwinds-sunburst-cve-2020-10148
SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands
100RIESGO
abrir ↗GitHub PoC★ 13
Attack surface in the real-world environment of CVE-2026-41096
Windows DNS Client Remote Code Execution Vulnerability
48RIESGO
abrir ↗GitHub PoC★ 9
strivepan/ActiveMQ-cve-2026-42588-scanner-gui
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector
41RIESGO
abrir ↗GitHub PoC
PoC CVE-2026-8732 (WP Maps Pro <= 6.1.0)
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
48RIESGO
abrir ↗VulnCheck XDB
initial-access
SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands
100RIESGO
abrir ↗GitHub PoC
YellowKey | BitLocker Bypass Vulnerability (CVE-2026-45585)
Windows BitLocker Security Feature Bypass Vulnerability
33RIESGO
abrir ↗GitHub PoC
CVE-2026-35904 / CVE-2026-35905 / CVE-2026-35906 — Unauth RCE, Hardcoded Root Creds & Telnet Enable in T3 Technology CPE
Incorrect access control in the web management interface of T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, an
48RIESGO
abrir ↗VulnCheck XDB
info-leak
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor <= 2.8.2 - Unauthenticated SQL Injection
85RIESGO
abrir ↗GitHub PoC
CVE-2026-5076 — ARMember Premium <= 7.3.1 Insecure Password Reset Mechanism → Full Admin Account Takeover | Proof of Concept
ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation
48RIESGO
abrir ↗GitHub PoC★ 2
Proof of Concept (PoC) exploit for CVE-2026-6815: Authenticated Path Traversal & Arbitrary File Write in Casdoor (< 3.54.1) leading to RCE/DoS.
CVE-2026-6815
33RIESGO
abrir ↗GitHub PoC
rootdirective-sec/CVE-2026-34234-Lab
CtrlPanel: Unauthenticated RCE using installer script
48RIESGO
abrir ↗GitHub PoC
Safe read-only version checker + Sigma rule for Redis CVE-2026-23479 (authenticated use-after-free → RCE). Find exposed instances, patch left-of-boom. By DugganUSA.
redis-server use-after-free in unblock client flow may allow remote code execution
41RIESGO
abrir ↗GitHub PoC
Piotnet Forms Pro <= 2.1.40 - Unauthenticated Arbitrary File Upload → RCE
Piotnet Forms <= 2.1.40 - Unauthenticated Arbitrary File Upload via Form File Upload
48RIESGO
abrir ↗GitHub PoC★ 28
HTTP/2 Bomb PoC — CVE-2026-49975 (HPACK indexed reference bomb + flow-control stall)
Apache HTTP Server: mod_http2 denial of service
46RIESGO
abrir ↗GitHub PoC
HTB Facts is a Easy Linux box featuring Camaleon CMS and MinIO. Gain admin access via open registration and a mass assignment vulnerability, then extract MinIO credentials from admin settings. Use CVE-2024-46987 path traversal to steal an SSH private key, crack its passphrase, and escalate to root by abusing sudo permissions on facter via GTFOBins.
Arbitrary path traversal in Camaleon CMS
61RIESGO
abrir ↗Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.