CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,274 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,555 researchers
1,290 results
CVE-2024-34882 4.9 MEDIUM 1 Writeup EPSS 0.00
Bitrix24 - Insufficiently Protected Credentials
Insufficiently protected credentials in SMTP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send SMTP account passwords to an arbitrary server via HTTP POST request.
CWE-522 Nov 04, 2024
CVE-2023-50310 4.9 MEDIUM EPSS 0.00
IBM Cics Transaction Gateway - Insufficiently Protected Credentials
IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-522 Oct 23, 2024
CVE-2024-43812 8.4 HIGH EPSS 0.00
Kieback & Peter's DDC4000 - Info Disclosure
Kieback & Peter's DDC4000 series has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system.
CWE-522 Oct 22, 2024
CVE-2024-9677 5.5 MEDIUM EPSS 0.00
Zyxel Uos < 1.30 - Insufficiently Protected Credentials
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.
CWE-522 Oct 22, 2024
CVE-2024-44000 9.8 CRITICAL EXPLOITED 6 PoCs Analysis NUCLEI EPSS 0.93
Litespeedtech Litespeed Cache - Insufficiently Protected Credentials
Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Authentication Bypass. This issue affects LiteSpeed Cache: from n/a before 6.5.0.1.
CWE-522 Oct 20, 2024
CVE-2024-7755 8.2 HIGH EPSS 0.00
EWON FLEXY 202 - Info Disclosure
The EWON FLEXY 202 transmits credentials using a weak encoding method, base64. An attacker who is present in the network can sniff the traffic and decode the credentials.
CWE-522 Oct 17, 2024
CVE-2024-49396 EPSS 0.00
Elvaco - Auth Bypass
The affected product is vulnerable due to insufficiently protected credentials, which may allow an attacker to impersonate Elvaco and send false information.
CWE-522 Oct 17, 2024
CVE-2024-20462 5.5 MEDIUM EPSS 0.00
Cisco ATA 190 Series - Info Disclosure
A vulnerability in the web-based management interface of Cisco ATA 190 Series Multiplatform Analog Telephone Adapter firmware could allow an authenticated, local attacker with low privileges to view passwords on an affected device. This vulnerability is due to incorrect sanitization of HTML content from an affected device. A successful exploit could allow the attacker to view passwords that belong to other users.
CWE-522 Oct 16, 2024
CVE-2024-47161 4.3 MEDIUM EPSS 0.00
JetBrains TeamCity <2024.07.3 - Info Disclosure
In JetBrains TeamCity before 2024.07.3, a password could be exposed via the Sonar runner REST API.
CWE-522 Oct 08, 2024
CVE-2024-47805 7.5 HIGH EPSS 0.00
Jenkins Credentials Plugin <1380.va - Info Disclosure
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.
CWE-522 Oct 02, 2024
CVE-2024-37187 5.7 MEDIUM EPSS 0.00
Advantech Adam-5550 Firmware - Insufficiently Protected Credentials
Advantech ADAM-5550 shares user credentials with a low level of encryption, consisting of Base64 encoding.
CWE-522 Sep 27, 2024
CVE-2024-34542 5.7 MEDIUM EPSS 0.00
Advantech ADAM-5630 - Info Disclosure
Advantech ADAM-5630 shares user credentials in plain text between the device and the user source device during the login process.
CWE-522 Sep 27, 2024
CVE-2024-45744 3.0 LOW EPSS 0.00
TopQuadrant TopBraid EDG <7.1.3 - Info Disclosure
TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets.
CWE-312 Sep 27, 2024
CVE-2024-31899 4.3 MEDIUM EPSS 0.00
IBM Cognos Command Center <10.2.5 - Info Disclosure
IBM Cognos Command Center 10.2.4.1 and 10.2.5 could disclose highly sensitive user information to an authenticated user with physical access to the device.
CWE-522 Sep 26, 2024
CVE-2024-9014 9.9 CRITICAL EXPLOITED 2 PoCs Analysis NUCLEI EPSS 0.93
Pgadmin 4 < 8.12 - Insufficiently Protected Credentials
pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.
CWE-522 Sep 23, 2024
CVE-2024-40703 5.5 MEDIUM EPSS 0.00
IBM Cognos Analytics <12.0.3 - Info Disclosure
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could allow a local attacker to obtain sensitive information in the form of an API key. An attacker could use this information to launch further attacks against affected applications.
CWE-522 Sep 22, 2024
CVE-2024-47162 4.1 MEDIUM EPSS 0.00
JetBrains YouTrack <2024.3.44799 - Info Disclosure
In JetBrains YouTrack before 2024.3.44799, a token could be revealed on the Imports page.
CWE-522 Sep 19, 2024
CVE-2024-8986 EPSS 0.00
Grafana-plugin-sdk-go < 0.250.0 - Insufficiently Protected Credentials
The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.
CWE-522 Sep 19, 2024
CVE-2024-8777 7.5 HIGH EPSS 0.00
OMFLOW - Info Disclosure
OMFLOW from The SYSCOM Group has an information leakage vulnerability, allowing unauthorized remote attackers to read arbitrary system configurations. If LDAP authentication is enabled, attackers can obtain plaintext credentials.
CWE-522 Sep 16, 2024
CVE-2024-31415 6.3 MEDIUM EPSS 0.00
Eaton Foreseer Electrical Power Monit... - Insufficiently Protected Credentials
The Eaton Foreseer software allows the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration.
CWE-522 Sep 13, 2024