CVE & Exploit Intelligence Database

Updated 3h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked 53,274 with exploits 4,730 exploited in wild 1,542 CISA KEV 3,929 Nuclei templates 37,826 vendors 42,563 researchers
2,435 results Clear all
CVE-2020-7610 9.8 CRITICAL EPSS 0.01
Mongodb Bson < 1.1.4 - Insecure Deserialization
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
CWE-502 Mar 30, 2020
CVE-2020-10969 8.8 HIGH 2 PoCs Analysis EPSS 0.01
FasterXML Jackson <2.9.10.4 - RCE
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CWE-502 Mar 26, 2020
CVE-2020-10968 8.8 HIGH 2 PoCs Analysis EPSS 0.04
FasterXML Jackson-Databind <2.9.10.4 - Code Injection
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CWE-502 Mar 26, 2020
CVE-2020-6967 9.8 CRITICAL EPSS 0.02
Rockwellautomation Factorytalk Servic... - Insecure Deserialization
In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe at TCPtcp/8082, which can insecurely deserialize untrusted data.
CWE-502 Mar 23, 2020
CVE-2020-7961 9.8 CRITICAL KEV 16 PoCs Analysis NUCLEI EPSS 0.94
Liferay Portal <7.2.1 CE GA2 - Code Injection
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
CWE-502 Mar 20, 2020
CVE-2020-10673 8.8 HIGH 3 PoCs Analysis EPSS 0.20
FasterXML jackson-databind <2.9.10.4 - Code Injection
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CWE-502 Mar 18, 2020
CVE-2020-10672 8.8 HIGH EPSS 0.35
FasterXML jackson-databind <2.9.10.4 - Code Injection
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CWE-502 Mar 18, 2020
CVE-2019-20453 8.8 HIGH EPSS 0.04
Pydio < 8.2.4 - Insecure Deserialization
A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution.
CWE-502 Mar 17, 2020
CVE-2019-20452 8.8 HIGH EPSS 0.04
Pydio < 8.2.4 - Insecure Deserialization
A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution.
CWE-502 Mar 17, 2020
CVE-2020-1947 9.8 CRITICAL 4 PoCs Analysis EPSS 0.89
Apache Shardingsphere < 4.0.1 - Insecure Deserialization
In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows to unmarshal data to a Java type By using the YAML tag. Unmarshalling untrusted data can lead to security flaws of RCE.
CWE-502 Mar 11, 2020
CVE-2017-10992 9.8 CRITICAL EPSS 0.03
HP Storage Essentials - Insecure Deserialization
In HPE Storage Essentials 9.5.0.142, there is Unauthenticated Java Deserialization with remote code execution via OS commands in a request to invoker/JMXInvokerServlet, aka PSRT110461.
CWE-502 Mar 10, 2020
CVE-2016-1487 8.8 HIGH EPSS 0.01
Lexmark Markvision Enterprise <2.3.0 - Code Injection
Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons Collections Library, leading to remote code execution because of Java deserialization.
CWE-502 Mar 09, 2020
CVE-2020-2158 8.8 HIGH EPSS 0.01
Jenkins Literate < 1.0 - Insecure Deserialization
Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
CWE-502 Mar 09, 2020
CVE-2020-5327 8.1 HIGH EPSS 0.05
Dell Security Management Server < 10.2.10 - Insecure Deserialization
Dell Security Management Server versions prior to 10.2.10 contain a Java RMI Deserialization of Untrusted Data vulnerability. When the server is exposed to the internet and Windows Firewall is disabled, a remote unauthenticated attacker may exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.
CWE-502 Mar 06, 2020
CVE-2020-10189 9.8 CRITICAL KEV 3 PoCs Analysis NUCLEI EPSS 0.94
Zohocorp Manageengine Desktop Central - Insecure Deserialization
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
CWE-502 Mar 06, 2020
CVE-2019-14893 9.8 CRITICAL 2 PoCs Analysis EPSS 0.01
Fasterxml Jackson-databind < 2.8.11.5 - Information Disclosure
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CWE-502 Mar 02, 2020
CVE-2019-14892 9.8 CRITICAL 2 PoCs EPSS 0.01
Fasterxml Jackson-databind < 2.6.7.3 - Information Disclosure
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CWE-502 Mar 02, 2020
CVE-2020-9548 9.8 CRITICAL EXPLOITED 3 PoCs Analysis NUCLEI EPSS 0.58
Fasterxml Jackson-databind < 2.7.9.7 - Insecure Deserialization
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CWE-502 Mar 02, 2020
CVE-2020-9547 9.8 CRITICAL EXPLOITED 3 PoCs Analysis NUCLEI EPSS 0.38
Fasterxml Jackson-databind < 2.7.9.7 - Insecure Deserialization
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CWE-502 Mar 02, 2020
CVE-2020-9546 9.8 CRITICAL 2 PoCs Analysis EPSS 0.02
Fasterxml Jackson-databind < 2.7.9.7 - Insecure Deserialization
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CWE-502 Mar 02, 2020

Investigate

Critical + Public Exploits Exploited in Wild + PoC High EPSS (>=0.7) + PoC With Nuclei Templates Latest Public Exploits

Ecosystems

Linux Maven Packagist PyPI npm Go ecosystem RubyGems crates.io NuGet Hex SwiftURL GitHub Actions

Reference Indexes

Exploit Database Researchers Vendors CWE Categories

Recent Blog Posts

CVE-2026-4105: systemd-machined Privilege Escalation - 72 Minutes from Drop to Bypass
Mar 13, 2026
CVE-2026-28391: OpenClaw Command Injection - The Day I Hacked Myself
Mar 09, 2026
Introducing FuzzForge: Autonomous Source-Code Fuzzing - Finding Bugs in nginx in 112 Minutes
Mar 08, 2026
CVE-2025-68670 Part 2: From Crash to RCE - The One That Fought Back (and Lost)
Mar 04, 2026
CVE-2025-68670: Pre-Auth xrdp Overflow - The One Where the Protocol Fought Back
Mar 04, 2026
CVE-2025-62507: Redis Stack Overflow to RCE in 68 Minutes - Then We Turned ASLR On
Mar 03, 2026
 View all posts →

CVEForge Labs

CVE-2016-15057 CRITICAL
Apache Continuum - Command Injection
CVE-2021-32824 CRITICAL
Apache Dubbo <2.6.10-2.7.10 - RCE
CVE-2023-42117 CRITICAL
Exim < 4.96.2 - Remote Code Execution
CVE-2024-31866 CRITICAL
Apache Zeppelin <0.11.1 - RCE
CVE-2024-37288 CRITICAL
Elastic Kibana - Insecure Deserialization
CVE-2024-43115 HIGH
Apache DolphinScheduler <3.2.2 - RCE
CVE-2024-45409 CRITICAL
Ruby-SAML <=1.16.0 - Auth Bypass
CVE-2024-56143 HIGH
Strapi < 5.5.2 - IDOR
CVE-2025-10622 HIGH
Red Hat Satellite - Command Injection
CVE-2025-11539 CRITICAL
Grafana Image Renderer - RCE
 View all labs →

KEV Gaps

CVE-2026-3910
Google Chrome <146.0.7680.75 - RCE
 CVE-2026-3909
Google Chrome < 146.0.7680.75 - Out-of-Bounds Access
 CVE-2026-1603
Ivanti Endpoint Manager < 2024 - Authentication Bypass
 CVE-2023-43000
macOS Ventura <13.5-iPadOS <16.6-Safari <16.6 - Use After Free
 CVE-2021-30952
tvOS <15.2 - RCE
 CVE-2021-22681
Rockwell Automation Studio 5000 <21 - Path Traversal
 CVE-2026-22719
VMware Aria Operations - Command Injection
 CVE-2026-25108
FileZen - Command Injection
 CVE-2026-22769
Dell RecoverPoint <6.0.3.1 HF1 - Auth Bypass
 CVE-2021-22175
Gitlab < 13.6.7 - SSRF
 CVE-2024-7694
Teamt5 Threatsonar Anti-ransomware < 3.5.0 - Unrestricted File Upload
 CVE-2020-7796
Zimbra Collaboration Suite <8.8.15 Patch 7 - SSRF