Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.062exploits catalogados
31.617CVEs con explotación pública
0probados en laboratorio
3462 exploits
Metasploit600
Langflow AI RCE
CVE-2025-3248CRITICALbajo ataqueransomware09 abr 2025
Langflow < 1.3.0 Unauthenticated RCE via /api/v1/validate/code
100RIESGO
abrir
Metasploit600
BentoML's runner server RCE
CVE-2025-32375CRITICAL09 abr 2025
Insecure Deserialization leads to RCE in BentoML's runner server
75RIESGO
abrir
Metasploit600
BentoML RCE
CVE-2025-27520CRITICAL04 abr 2025
BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
75RIESGO
abrir
Metasploit500
Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow
CVE-2025-22457CRITICALbajo ataqueransomware03 abr 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7
100RIESGO
abrir
Metasploit600
pgAdmin Query Tool authenticated RCE (CVE-2025-2945)
CVE-2025-2945CRITICAL03 abr 2025
pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment
75RIESGO
abrir
Metasploit300
Gladinet CentreStack/Triofox Path Traversal
CVE-2025-11371HIGHbajo ataque03 abr 2025
Gladinet CentreStack and TrioFox Local File Inclusion Flaw
100RIESGO
abrir
Metasploit600
Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
CVE-2025-30406CRITICALbajo ataque03 abr 2025
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the
100RIESGO
abrir
Metasploit600
Appsmith RCE
CVE-2024-55964CRITICAL25 mar 2025
An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image lea
43RIESGO
abrir
Metasploit600
WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)
CVE-2025-2563HIGH24 mar 2025
User Registration & Membership < 4.1.2- Unauthenticated Privilege Escalation
68RIESGO
abrir
Metasploit300
Next.js Middleware Authorization Bypass Scanner
CVE-2025-29927CRITICAL21 mar 2025
Authorization Bypass in Next.js Middleware
85RIESGO
abrir
Metasploit600
ICTBroadcast Unauthenticated Remote Code Execution
CVE-2025-2611CRITICAL19 mar 2025
ICTBroadcast <= 7.4 Unauthenticated Session Cookie RCE
63RIESGO
abrir
Metasploit600
Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin
CVE-2024-12971HIGH17 mar 2025
QuickShell Authenticated Command Injection
48RIESGO
abrir
Metasploit600
WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)
CVE-2025-27007CRITICAL13 mar 2025
WordPress SureTriggers <= 1.0.82 - Privilege Escalation Vulnerability
75RIESGO
abrir
Metasploit600
WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)
CVE-2025-3102HIGH13 mar 2025
SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation
78RIESGO
abrir
Metasploit300
Sante PACS Server Path Traversal (CVE-2025-2264)
CVE-2025-2264HIGH13 mar 2025
Santesoft Sante PACS Server Path Traversal Information Disclosure
48RIESGO
abrir
Metasploit300
GLPI Inventory Plugin Unauthenticated Blind Boolean SQLi
CVE-2025-24799HIGH12 mar 2025
GLPI allows unauthenticated SQL injection through the inventory endpoint
78RIESGO
abrir
Metasploit600
Tomcat Partial PUT Java Deserialization
CVE-2025-24813CRITICALbajo ataque10 mar 2025
Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
100RIESGO
abrir
Metasploit300
Xorcom CompletePBX Authenticated File Disclosure via Backup Download
CVE-2025-2292MEDIUM02 mar 2025
Xorcom CompletePBX <= 5.2.35 Authenticated File Disclosure
28RIESGO
abrir
Metasploit600
Xorcom CompletePBX Authenticated Command Injection via Task Scheduler
CVE-2025-30004HIGH02 mar 2025
Xorcom CompletePBX <= 5.2.35 Task Scheduler Authenticated Command Injection
36RIESGO
abrir
Metasploit300
Xorcom CompletePBX Arbitrary File Read and Deletion via systemDataFileName
CVE-2025-30005HIGH02 mar 2025
Xorcom CompletePBX <= 5.2.35 Authenticated Path Traversal & File Deletion
36RIESGO
abrir
Metasploit600
Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)
CVE-2025-24893CRITICALbajo ataque20 feb 2025
Remote code execution as guest via SolrSearchMacros request in xwiki
100RIESGO
abrir
Metasploit600
SPIP Saisies Plugin Unauthenticated RCE
CVE-2025-71243CRITICAL19 feb 2025
SPIP Saisies Plugin < 5.11.1 Remote Code Execution
63RIESGO
abrir
Metasploit300
mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)
CVE-2025-24865CRITICAL13 feb 2025
mySCADA myPRO Manager Missing Authentication for Critical Function
43RIESGO
abrir
Metasploit300
mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)
CVE-2025-22896CRITICAL13 feb 2025
mySCADA myPRO Manager Cleartext Storage of Sensitive Information
43RIESGO
abrir
Metasploit300
Audiobookshelf Unauthenticated API Authentication Bypass Scanner
CVE-2025-25205HIGH12 feb 2025
Remote Authentication-Bypass can lead to server crash or limited information disclosure due to faulty pattern matching
36RIESGO
abrir
Metasploit600
Wazuh server remote code execution caused by an unsafe deserialization vulnerability.
CVE-2025-24016CRITICALbajo ataque10 feb 2025
Remote code execution in Wazuh server
100RIESGO
abrir
Metasploit600
InvokeAI RCE
CVE-2024-12029CRITICAL07 feb 2025
Remote Code Execution via Model Deserialization in invoke-ai/invokeai
63RIESGO
abrir
Metasploit600
D-Tale RCE
CVE-2024-3408CRITICAL05 feb 2025
Authentication Bypass and RCE in man-group/dtale
85RIESGO
abrir
Metasploit600
D-Tale RCE
CVE-2025-065505 feb 2025
15RIESGO
abrir
Metasploit600
Unauthenticated RCE in NetAlertX
CVE-2024-46506CRITICAL30 ene 2025
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because fun
75RIESGO
abrir

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.