Explotación pública

Catálogo de exploits

Todo exploit público que catalogamos, en un solo índice. Busca por CVE, nombre del exploit o tecnología — y mira, al lado, lo que la falla realmente vale: severidad, probabilidad de explotación y si ya está bajo ataque.

71.062exploits catalogados
31.617CVEs con explotación pública
0probados en laboratorio
13.086 exploits
GitHub PoC
Proof of Concept (PoC) for CVE-2026-49975 – HTTP/2 server memory exhaustion attack leveraging HPACK amplification and connection retention (HTTP/2 Slowloris).
CVE-2026-49975HIGH05 jul 2026
Apache HTTP Server: mod_http2 denial of service
46RIESGO
abrir
GitHub PoC
Pre-auth Local File Inclusion in WP User Manager <= 2.9.17 via path traversal in tab parameter (CVSS 7.5)
CVE-2026-9290HIGH05 jul 2026
WP User Manager <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter
56RIESGO
abrir
GitHub PoC5
Epson Printer RAW Protocol Exploit Framework
CVE-2026-39047HIGH05 jul 2026
Buffer Overflow vulnerability in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Prin
41RIESGO
abrir
GitHub PoC1
QNAP password reset URL injection writeup + PoC.
CVE-2025-59382LOW05 jul 2026
QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)
28RIESGO
abrir
GitHub PoC
Casdoor version 2.362.0
CVE-2026-9090CRITICAL04 jul 2026
CVE-2026-9090
28RIESGO
abrir
GitHub PoC1
CVE-2026-34038: Authenticated Remote Command Injection in Coolify
CVE-2026-34038CRITICAL04 jul 2026
Coolify authenticated remote command injection leading to RCE and secret exfiltration
48RIESGO
abrir
GitHub PoC3
PoC for CVE-2026-54415 — Azuriom CMS (<1.2.11) Broken Access Control → account takeover
CVE-2026-54415HIGH04 jul 2026
Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover
41RIESGO
abrir
GitHub PoC3
Read-only vulnerability scanner for CVE-2026-49049 — Helix3 Joomla plugin unauthenticated AJAX handler
CVE-2026-49049HIGH04 jul 2026
Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler
41RIESGO
abrir
GitHub PoC2
caterscam/CVE-2026-5524-PoC
CVE-2026-5524CRITICAL04 jul 2026
Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter
48RIESGO
abrir
GitHub PoC3
📤 Mass exploitation framework for CVE-2026-56290 — Page Builder CK Joomla unauthenticated file upload to RCE
CVE-2026-56290CRITICAL04 jul 2026
Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0
48RIESGO
abrir
GitHub PoC
Python & template nuclei
CVE-2026-48907CRITICALbajo ataque04 jul 2026
Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
100RIESGO
abrir
GitHub PoC
💉 Blind SQL Injection → RCE exploit for Control Web Panel (CWP) ≤ 0.9.8.1224 — userRes POST → INTO DUMPFILE → cwpsvc shell
CVE-2026-57517CRITICAL04 jul 2026
Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter
48RIESGO
abrir
GitHub PoC
Technical troubleshooting repository for fixing infinite rendering vulnerability loops and resource exhaustion threats under CVE-2026-23869 cleanly.
CVE-2026-23869HIGH04 jul 2026
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-
41RIESGO
abrir
GitHub PoC1
PoC for CVE-2026-53360: guest-triggered heap out-of-bounds read/write in KVM SEV-SNP Page State Change (PSC) handling.
CVE-2026-5336004 jul 2026
KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
23RIESGO
abrir
GitHub PoC17
CVE-2026-46242
CVE-2026-46242HIGH04 jul 2026
eventpoll: fix ep_remove struct eventpoll / struct file UAF
41RIESGO
abrir
GitHub PoC5
Apache ActiveMQ Classic RCE research: CVE-2026-34197 / CVE-2026-42588 bypass chain + hardened-6.2.6 audit findings + Crowdfense comparison
CVE-2026-34197HIGHbajo ataque04 jul 2026
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
100RIESGO
abrir
GitHub PoC
CVE-2026-22874 writeup: incomplete SSRF allow-list in Gitea webhook/migration (IPv6 transition and cloud metadata). Fixed in Gitea 1.26.3.
CVE-2026-22874CRITICAL04 jul 2026
Gitea webhook and migration allow-list filtering permits SSRF
48RIESGO
abrir
GitHub PoC3
CVE-2026-54998 RCE Exploit
CVE-2026-54998HIGH04 jul 2026
Microsoft Exchange Online Elevation of Privilege Vulnerability
41RIESGO
abrir
GitHub PoC
Static config scanner that flags nginx configs vulnerable to the complex_value two-pass capture-clobbering bug (regex map + regex capture → heap overflow / info leak).
CVE-2026-42533CRITICAL04 jul 2026
NGINX Map directive and Regex matching vulnerability
45RIESGO
abrir
GitHub PoC2
CVE-2026-8451
CVE-2026-8451HIGH03 jul 2026
Insufficient input validation leading to memory overread
41RIESGO
abrir
GitHub PoC
Pardus Software Local Privilege Escalation PoC - affected from <= 1.0.4
CVE-2026-14459HIGH03 jul 2026
Argument Injection in TUBITAK BILGEM's pardus-software
41RIESGO
abrir
GitHub PoC5
☄️ Mass reconnaissance & exploitation framework for Apache Solr CVE-2026-44825 — Velocity template injection to RCE
CVE-2026-44825HIGH03 jul 2026
Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
41RIESGO
abrir
GitHub PoC1
1beelze/CVE-2026-11387
CVE-2026-11387CRITICAL03 jul 2026
SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset
48RIESGO
abrir
GitHub PoC
Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore.
CVE-2026-53753CRITICAL03 jul 2026
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
48RIESGO
abrir
GitHub PoC
CVE-2026-49468 — LiteLLM (<1.84.0) unauthenticated auth bypass via Host-header route confusion. PoC + docker lab.
CVE-2026-49468CRITICAL03 jul 2026
LiteLLM: Authentication Bypass via Host Header Injection
48RIESGO
abrir
GitHub PoC1
Page Builder CK for Joomla - Unauthenticated SSRF / Remote File Write leading to PHP execution Exploiter
CVE-2026-56290CRITICAL03 jul 2026
Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0
48RIESGO
abrir
GitHub PoC1
# CVE-2026-28995 Proof of Concept for CVE-2026-28995 — Path Traversal vulnerability in App Intents on iOS 26.4.2 and below.
CVE-2026-28995HIGH03 jul 2026
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 an
41RIESGO
abrir
GitHub PoC
CVE-2026-13768: Privileged iothubowner IoT Hub credential — fleet enumeration, device RCE, home-network pivot — Gardyn (ICSA-26-183-03)
CVE-2026-13768CRITICAL02 jul 2026
Gardyn IoT Hub Use of Hard-coded Credentials
48RIESGO
abrir
GitHub PoC
Gogs has Path Traversal in organization name that results in RCE through Git hooks
CVE-2026-52813CRITICAL02 jul 2026
Gogs: Path Traversal in organization name results in RCE through Git hooks
48RIESGO
abrir
GitHub PoC6
SimpleHelp OIDC Authentication Bypass PoC
CVE-2026-48558CRITICAL02 jul 2026
SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification
48RIESGO
abrir

Indexamos solo el enlace público a la prueba de concepto — nunca alojamos ni redistribuimos código de explotación. Fuentes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit y VulnCheck XDB. La existencia de PoC pública no significa que la falla sea explotable en tu entorno.