Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.180exploits catalogados
31.691CVEs con explotación pública
0probados en laboratorio
4188 exploits
Nucleihigh
Nodejs Squirrelly - Remote Code Execution
Remote code execution in squirrelly
68RIESGO
abrir
Nucleihigh
Express-handlebars - Local File Inclusion
File disclosure in Express Handlebars
23RIESGO
abrir
Nucleicritical
Erxes <0.23.0 - Cross-Site Scripting
Erxes vulnerable to Cross-site Scripting
28RIESGO
abrir
Nucleicritical
Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the
30RIESGO
abrir
Nucleimedium
emlog 5.3.1 Path Disclosure
emlog v5.3.1 has full path disclosure vulnerability in t/index.php, which allows an attacker to see the path to the webr
23RIESGO
abrir
Nucleihigh
Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass
On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.
23RIESGO
abrir
Nucleicritical
Dahua IPC/VTH/VTO - Authentication Bypass
CVE-2021-33044CRITICALbajo ataque
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can by
100RIESGO
abrir
Nucleicritical
Dahua IPC/VTH/VTO - Authentication Bypass
CVE-2021-33045CRITICALbajo ataque
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can by
100RIESGO
abrir
Nucleicritical
CommScope Ruckus IoT Controller - Information Disclosure
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Unauthenticated API Endpoints.
30RIESGO
abrir
Nucleicritical
RaspAP <=2.6.5 - Remote Command Injection
A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the
23RIESGO
abrir
Nucleihigh
Geutebruck - Remote Command Injection
UDP Technology/Geutebrück camera devices: command injection leading to RCE
58RIESGO
abrir
Nucleihigh
Boa 0.94.13 - Information Disclosure
Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, previe
43RIESGO
abrir
Nucleicritical
Ruby Dragonfly <1.4.0 - Remote Code Execution
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write
60RIESGO
abrir
Nucleicritical
SAP NetWeaver Development Infrastructure - Server Side Request Forgery
Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Compo
75RIESGO
abrir
Nucleimedium
Rstudio Shiny Server <1.5.16 - Local File Inclusion
Directory traversal in RStudio Shiny Server before 1.5.16 allows attackers to read the application source code, involvin
23RIESGO
abrir
Nucleihigh
Microsoft Exchange - Authentication Bypass
CVE-2021-33766HIGHbajo ataque
Microsoft Exchange Server Information Disclosure Vulnerability
100RIESGO
abrir
Nucleimedium
npm ansi_up v4 - Cross-Site Scripting
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTM
18RIESGO
abrir
Nucleicritical
FortiLogger 4.4.2.2 - Arbitrary File Upload
FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUpl
60RIESGO
abrir
Nucleihigh
Cartadis Gespage 8.2.1 - Directory Traversal
Cartadis Gespage through 8.2.1 allows Directory Traversal in gespage/doDownloadData and gespage/webapp/doDownloadData.
23RIESGO
abrir
Nucleimedium
Drupal 7 CKEditor XSS
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1
18RIESGO
abrir
Nucleimedium
WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an appl
18RIESGO
abrir
Nucleimedium
Accela Civic Platform <=21.1 - Cross-Site Scripting
In Accela Civic Platform through 21.1, the security/hostSignon.do parameter servProvCode is vulnerable to XSS. NOTE: The
43RIESGO
abrir
Nucleicritical
Chamilo model.ajax.php - SQL Injection
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 p
23RIESGO
abrir
Nucleimedium
Accela Civic Platform <=21.1 - Cross-Site Scripting
Accela Civic Platform through 20.1 allows ssoAdapter/logoutAction.do successURL XSS. NOTE: the vendor states "there are
38RIESGO
abrir
Nucleicritical
Eclipse BIRT Viewer - Remote Code Execution
In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessibl
50RIESGO
abrir
Nucleimedium
Eclipse Jetty - Information Disclosure
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characte
70RIESGO
abrir
Nucleicritical
Exchange Server - Remote Code Execution
CVE-2021-34473CRITICALbajo ataqueransomware
Microsoft Exchange Server Remote Code Execution Vulnerability
100RIESGO
abrir
Nucleicritical
WordPress ProfilePress 3.0.0-3.1.3 - Admin User Creation Weakness
ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation
75RIESGO
abrir
Nucleicritical
WordPress ProfilePress <= 3.1.3 - Privilege Escalation
ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation
43RIESGO
abrir
Nucleicritical
WordPress ProfilePress 3.0-3.1.3 - Arbitrary File Upload
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component
43RIESGO
abrir

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.