Exploração pública
Catálogo de exploits
Todo exploit público que catalogamos, num índice só. Busque por CVE, nome do exploit ou tecnologia — e veja, ao lado, o que a falha realmente vale: severidade, probabilidade de exploração e se já está sob ataque.
71.114exploits catalogados
31.649CVEs com exploração pública
0testados em laboratório
TodosExploit-DB 22.469Referência 19.810GitHub PoC 13.116VulnCheck XDB 8.069Nuclei 4.188Metasploit 3.462✓ só verificadosrecentespopularesrisco
4.188 exploits
Nucleihigh
OpenEMR <5.0.2 - Local File Inclusion
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can
50RISCO
abrir ↗Nucleimedium
Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter.
43RISCO
abrir ↗Nucleimedium
osTicket < 1.12.1 - Cross-Site Scripting
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It w
43RISCO
abrir ↗Nucleimedium
Custom 404 Pro < 3.2.8 - Cross-Site Scripting
The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter.
18RISCO
abrir ↗Nucleimedium
WP Live Chat Support <= 8.0.27 — Stored Cross-Site Scripting
The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.
18RISCO
abrir ↗Nucleimedium
SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.
50RISCO
abrir ↗Nucleihigh
Grafana - Improper Access Control
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run
30RISCO
abrir ↗Nucleicritical
Webmin <= 1.920 - Unauthenticated Remote Command Execution
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnera
100RISCO
abrir ↗Nucleimedium
L-Soft LISTSERV <16.5-2018a - Cross-Site Scripting
Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter.
38RISCO
abrir ↗Nucleihigh
Webmin < 1.920 - Authenticated Remote Code Execution
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise
50RISCO
abrir ↗Nucleimedium
WordPress My Calendar <= 3.1.9 - Cross-Site Scripting
The my-calendar plugin before 3.1.10 for WordPress has XSS.
18RISCO
abrir ↗Nucleimedium
ND Booking < 2.5 - Unauthenticated Options Change
The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting
18RISCO
abrir ↗Nucleimedium
DomainMOD <=4.13.0 - Cross-Site Scripting
In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS.
38RISCO
abrir ↗Nucleihigh
WPS Hide Login <= 1.5.2.2 - Login Page Bypass
The wps-hide-login plugin before 1.5.3 for WordPress has an action=confirmaction protection bypass.
18RISCO
abrir ↗Nucleimedium
Gallery Photoblocks < 1.1.43 - Cross-Site Scripting
The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS.
18RISCO
abrir ↗Nucleihigh
WordPress Woody Ad Snippets <2.2.5 - Cross-Site Scripting/Remote Code Execution
admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthentica
23RISCO
abrir ↗Nucleicritical
Socomec DIRIS A-40 Devices Password Disclosure
Password disclosure in the web interface on socomec DIRIS A-40 devices before 48250501 allows a remote attacker to get f
30RISCO
abrir ↗Nucleimedium
WordPress Download Manager <2.9.94 - Cross-Site Scripting
The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by t
53RISCO
abrir ↗Nucleicritical
D-Link DNS-320 - Remote Code Execution
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
95RISCO
abrir ↗Nucleicritical
Enigma NMS < 65.0.0 - Authenticated OS Command Injection
An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows
43RISCO
abrir ↗Nucleimedium
Harbor <=1.82.0 - Privilege Escalation
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users A
23RISCO
abrir ↗Nucleihigh
PilusCart <=1.4.1 - Local File Inclusion
In Kartatopia PilusCart 1.4.1, the parameter filename in the file catalog.php is mishandled, leading to ../ Local File D
23RISCO
abrir ↗Nucleicritical
nostromo 1.9.6 - Remote Code Execution
Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote co
100RISCO
abrir ↗Nucleihigh
ifw8 Router ROM v4.31 - Credential Discovery
ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code.
30RISCO
abrir ↗Nucleimedium
WordPress API Bearer Auth <20190907 - Cross-Site Scripting
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagg
18RISCO
abrir ↗Nucleihigh
Adobe Experience Manager - Expression Language Injection
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability.
23RISCO
abrir ↗Nucleimedium
WordPress Checklist <1.1.9 - Cross-Site Scripting
An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filt
18RISCO
abrir ↗Nucleihigh
Cisco Small Business WAN VPN Routers - Sensitive Information Disclosure
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
100RISCO
abrir ↗Nucleicritical
rConfig 3.9.2 - Remote Code Execution
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to a
60RISCO
abrir ↗Nucleicritical
vBulletin 5.0.0-5.5.4 - Remote Command Execution
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widge
100RISCO
abrir ↗Indexamos apenas o link público para a prova de conceito — nunca hospedamos nem redistribuímos código de exploração. Fontes: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit e VulnCheck XDB. A existência de PoC pública não significa que a falha seja explorável no seu ambiente.