Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.163exploits catalogados
31.687CVEs con explotación pública
0probados en laboratorio
13.134 exploits
GitHub PoC
CVE-2026-0926 exploit. The Prodigy Commerce plugin for WordPress Local File Inclusion
CVE-2026-0926CRITICAL23 may 2026
Prodigy Commerce <= 3.3.0 - Unauthenticated Local File Inclusion via parameters[template_name]
63RIESGO
abrir
GitHub PoC
Xmyronn/CVE-2026-11518-XSS
CVE-2026-11518MEDIUM23 may 2026
SourceCodester Inventory System User Management users.php cross site scripting
33RIESGO
abrir
GitHub PoC
CVE-2026-41901
CVE-2026-41901CRITICAL23 may 2026
Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions
48RIESGO
abrir
GitHub PoC8
R3n3r0/CVE-2026-20700
CVE-2026-20700HIGHbajo ataque23 may 2026
A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3,
71RIESGO
abrir
GitHub PoC
CVE-2026-6960: BookingPress Pro <= 5.6 – Unauthenticated Arbitrary File Upload
CVE-2026-6960CRITICAL23 may 2026
BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field
48RIESGO
abrir
GitHub PoC
felisha-elmer/Sandbox-Challenge-Log4Shell-CVE-2021-44228-
CVE-2021-44228CRITICALbajo ataqueransomware23 may 2026
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
100RIESGO
abrir
GitHub PoC
Google Dorks for detecting CMS Made Simple < 2.2.10 SQL Injection (CVE-2019-9053). Built for security auditing and patch verification.
CVE-2019-905323 may 2026
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve
35RIESGO
abrir
GitHub PoC3
CVE-2026-20182 PoC - Cisco Catalyst SD-WAN Controller / Manager Authentication Bypass (CVSS 10.0)
CVE-2026-20182CRITICALbajo ataque22 may 2026
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
100RIESGO
abrir
GitHub PoC
Critical WIC bug (9.8): uninitialized JPEG encode pointers in WindowsCodecs.dll — triggers on 12/16-bit re-encode, not casual preview.
CVE-2025-50165CRITICAL22 may 2026
Windows Graphics Component Remote Code Execution Vulnerability
48RIESGO
abrir
GitHub PoC
r3nsi15/CVE-2026-33017-langflow-rce
CVE-2026-33017CRITICALbajo ataque22 may 2026
Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint
100RIESGO
abrir
GitHub PoC
NullByte8080/CVE-2026-36227
CVE-2026-36227MEDIUM22 may 2026
Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and e
33RIESGO
abrir
GitHub PoC2
Safely detect whether a PAN-OS target is vulnerable to CVE-2026-0265.
CVE-2026-0265HIGH22 may 2026
PAN-OS: Authentication Bypass with Cloud Authentication Service (CAS) enabled
41RIESGO
abrir
GitHub PoC1
PoC for CVE-2026-42945 (nginx Rift) — heap buffer overflow in ngx_http_rewrite_module. Includes detect/probe/exploit modes, dual-fixture Docker lab, empirical address discovery, OOB-verified offset sweep. Original disclosure by depthfirst.
CVE-2026-42945CRITICAL22 may 2026
NGINX ngx_http_rewrite_module vulnerability
60RIESGO
abrir
GitHub PoC
CVE-2024-6387 POC (Currently being edited)
CVE-2024-6387HIGH22 may 2026
Openssh: regresshion - race condition in ssh allows rce/dos
63RIESGO
abrir
GitHub PoC
CVE-2026-31431 / Copy Fail Linux kernel vulnerability checker - algif_aead attack path detection
CVE-2026-31431HIGHbajo ataque22 may 2026
crypto: algif_aead - Revert to operating out-of-place
100RIESGO
abrir
GitHub PoC
Portable Python PoC for CVE-2026-31431 (Copy Fail)
CVE-2026-31431HIGHbajo ataque22 may 2026
crypto: algif_aead - Revert to operating out-of-place
100RIESGO
abrir
GitHub PoC2
A safe read-only Linux check for CVE-2026-31431 / Copy Fail without running exploit code.
CVE-2026-31431HIGHbajo ataque22 may 2026
crypto: algif_aead - Revert to operating out-of-place
100RIESGO
abrir
GitHub PoC
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass
CVE-2026-8181CRITICAL22 may 2026
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
68RIESGO
abrir
GitHub PoC
Divi Form Builder <= 5.1.2 — Unauthenticated Privilege Escalation via Role Injection
CVE-2026-5118CRITICAL22 may 2026
Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'
48RIESGO
abrir
GitHub PoC
BastianXploited/CVE-2026-8181
CVE-2026-8181CRITICAL22 may 2026
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
68RIESGO
abrir
GitHub PoC
This vulnerability allows unauthenticated attackers who know a valid administrator username to impersonate that admin during REST API requests by using any incorrect password in a Basic Authentication header. Attackers could abuse this flaw to create a new administrator account without prior authentication.
CVE-2026-8181CRITICAL22 may 2026
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
68RIESGO
abrir
GitHub PoC3
eprocess offset puller for relevant member offsets and function addresses for cve-2026-40369
CVE-2026-40369HIGH22 may 2026
Windows Kernel Elevation of Privilege Vulnerability
41RIESGO
abrir
GitHub PoC2
CVE-2026-43494
CVE-2026-43494HIGH22 may 2026
net/rds: reset op_nents when zerocopy page pin fails
41RIESGO
abrir
GitHub PoC
A Go implementation of PinTheft (CVE-2026-43494)
CVE-2026-43494HIGH22 may 2026
net/rds: reset op_nents when zerocopy page pin fails
41RIESGO
abrir
GitHub PoC1
Detect whether a Strapi instance is vulnerable to CVE-2026-27886 (unauthenticated boolean-oracle exfiltration of administrator secrets).
CVE-2026-27886CRITICAL22 may 2026
Strapi may leak sensitive data via relational filtering due to lack of query sanitization
48RIESGO
abrir
GitHub PoC
CVE-2026-34926
CVE-2026-34926MEDIUMbajo ataque22 may 2026
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker t
68RIESGO
abrir
GitHub PoC
Python exploit toolkit for WordPress Crop Image RCE — CVE-2019-8942 & CVE-2019-8943
CVE-2019-894222 may 2026
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry ca
60RIESGO
abrir
GitHub PoC
felisha-elmer/Sandbox-Challenge-Spring4Shell-CVE-2022-22965-
CVE-2022-22965CRITICALbajo ataque22 may 2026
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b
100RIESGO
abrir
GitHub PoC
Pumila03/CVE-2026-6009
CVE-2026-6009HIGH22 may 2026
Jaspersoft Library Deserialisation Vulnerability
41RIESGO
abrir
GitHub PoC
CVE-2026-41091 / CVE-2026-45498 Microsoft Defender vulnerability scanner
CVE-2026-41091HIGHbajo ataque22 may 2026
Microsoft Defender Elevation of Privilege Vulnerability
71RIESGO
abrir

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.