CVE & Exploit Intelligence Database

Updated 2h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked 53,274 with exploits 4,730 exploited in wild 1,542 CISA KEV 3,929 Nuclei templates 37,826 vendors 42,555 researchers
1,290 results Clear all
CVE-2024-28971 3.5 LOW EPSS 0.00
Dell Update Manager Plugin <1.5.0 - Info Disclosure
Dell Update Manager Plugin, versions 1.4.0 through 1.5.0, contains a Plain-text Password Storage Vulnerability in Log file. A remote high privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
CWE-522 May 08, 2024
CVE-2024-22266 6.5 MEDIUM EPSS 0.00
VMware Avi Load Balancer - Info Disclosure
 VMware Avi Load Balancer contains an information disclosure vulnerability. A malicious actor with access to the system logs can view cloud connection credentials in plaintext.
CWE-522 May 08, 2024
CVE-2024-23551 6.5 MEDIUM EPSS 0.00
Database Scanning - Info Disclosure
Database scanning using username and password stores the credentials in plaintext or encoded format within files at the endpoint. This has been identified as a significant security risk. This will lead to exposure of sensitive information for unauthorized access, potentially leading to severe consequences such as data breaches, unauthorized data manipulation, and compromised system integrity.
CWE-522 May 07, 2024
CVE-2024-4536 6.8 MEDIUM 1 Writeup EPSS 0.00
Eclipse Edc Connector < 0.6.3 - Insufficiently Protected Credentials
In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the vault. In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider data plane. Problematically, the consumer-provided clientSecretKey, which indicates the OAuth2 client secret to retrieve from a secrets vault, is resolved in the context of the provider's vault, not the consumer. This secret's value is then sent to the tokenUrl, also consumer-controlled, as part of an OAuth2 client credentials grant. The returned access token is then sent as a bearer token to the data sink URL. This feature is now disabled entirely, because not all code paths necessary for a successful realization were fully implemented.
CWE-201 May 07, 2024
CVE-2024-29941 8.0 HIGH EPSS 0.00
ICT MIFARE/DESFire - Info Disclosure
Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware binary allows malicious actors to create credentials for any site code and card number that is using the default ICT encryption.
CWE-522 May 06, 2024
CVE-2023-40511 7.5 HIGH EPSS 0.00
LG Simple Editor - Auth Bypass
LG Simple Editor checkServer Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the checkServer method. The issue results from the exposure of plaintext credentials. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-20013.
CWE-522 May 03, 2024
CVE-2023-40510 7.5 HIGH EPSS 0.00
LG Simple Editor - Auth Bypass
LG Simple Editor getServerSetting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getServerSetting method. The issue results from the exposure of plaintext credentials. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-20012.
CWE-522 May 03, 2024
CVE-2024-3543 6.4 MEDIUM EPSS 0.00
Reversible Password Encryption - Info Disclosure
Use of reversible password encryption algorithm allows attackers to decrypt passwords.  Sensitive information can be easily unencrypted by the attacker, stolen credentials can be used for arbitrary actions to corrupt the system.
CWE-522 May 02, 2024
CVE-2024-34147 4.3 MEDIUM EPSS 0.00
Jenkins Telegram Bot Plugin <1.4.0 - Info Disclosure
Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CWE-522 May 02, 2024
CVE-2024-28961 6.3 MEDIUM EPSS 0.00
Dell Openmanage Enterprise - Information Disclosure
Dell OpenManage Enterprise, versions 4.0.0 and 4.0.1, contains a sensitive information disclosure vulnerability. A local low privileged malicious user could potentially exploit this vulnerability to obtain credentials leading to unauthorized access with elevated privileges. This could lead to further attacks, thus Dell recommends customers to upgrade at the earliest opportunity.
CWE-522 Apr 29, 2024
CVE-2024-28325 6.1 MEDIUM EPSS 0.00
Asus RT-N12+ B1 - Info Disclosure
Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings.
CWE-522 Apr 26, 2024
CVE-2024-32238 9.8 CRITICAL EXPLOITED 2 PoCs Analysis NUCLEI EPSS 0.90
H3C ER8300G2-X - Info Disclosure
H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.
CWE-522 Apr 22, 2024
CVE-2023-37400 7.8 HIGH EPSS 0.00
IBM Aspera Faspex < 5.0.8 - Insufficiently Protected Credentials
IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to escalate their privileges due to insecure credential storage. IBM X-Force ID: 259677.
CWE-522 Apr 19, 2024
CVE-2024-29992 5.5 MEDIUM EPSS 0.01
Azure Identity Library for .NET - Info Disclosure
Azure Identity Library for .NET Information Disclosure Vulnerability
CWE-522 Apr 09, 2024
CVE-2023-41677 7.5 HIGH EPSS 0.00
Fortinet FortiProxy/FortiOS <7.4.1 - RCE
A insufficiently protected credentials in Fortinet FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17 allows attacker to execute unauthorized code or commands via targeted social engineering attack
CWE-522 Apr 09, 2024
CVE-2024-20282 6.0 MEDIUM EPSS 0.00
Cisco Nexus Dashboard - Privilege Escalation
A vulnerability in Cisco Nexus Dashboard could allow an authenticated, local attacker with valid rescue-user credentials to elevate privileges to root on an affected device. This vulnerability is due to insufficient protections for a sensitive access token. An attacker could exploit this vulnerability by using this token to access resources within the device infrastructure. A successful exploit could allow an attacker to gain root access to the filesystem or hosted containers on an affected device.
CWE-269 Apr 03, 2024
CVE-2023-50311 3.1 LOW EPSS 0.00
IBM Cics Transaction Gateway - Insufficiently Protected Credentials
IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 could disclose sensitive path information to an attacker that could reveal through debugging or error messages.
CWE-522 Mar 31, 2024
CVE-2024-29216 6.1 MEDIUM EPSS 0.00
cg6kwin2k.sys <2.1.7.0 - Privilege Escalation
Exposed IOCTL with insufficient access control issue exists in cg6kwin2k.sys prior to 2.1.7.0. By sending a specific IOCTL request, a user without the administrator privilege may perform I/O to arbitrary hardware port or physical address, resulting in erasing or altering the firmware.
CWE-522 Mar 25, 2024
CVE-2024-29071 8.8 HIGH EPSS 0.00
HGW BL1500HM <002.001.013 - Info Disclosure
HGW BL1500HM Ver 002.001.013 and earlier contains a use of week credentials issue. A network-adjacent unauthenticated attacker may change the system settings.
CWE-522 Mar 25, 2024
CVE-2022-47037 7.5 HIGH EPSS 0.00
Siklu TG Terragraph <2.1.1 - Info Disclosure
Siklu TG Terragraph devices before 2.1.1 allow attackers to discover valid, randomly generated credentials via GetCredentials.
CWE-284 Mar 18, 2024

Investigate

Critical + Public Exploits Exploited in Wild + PoC High EPSS (>=0.7) + PoC With Nuclei Templates Latest Public Exploits

Ecosystems

Linux Maven Packagist PyPI npm Go ecosystem RubyGems crates.io NuGet Hex SwiftURL GitHub Actions

Reference Indexes

Exploit Database Researchers Vendors CWE Categories

Recent Blog Posts

CVE-2026-4105: systemd-machined Privilege Escalation - 72 Minutes from Drop to Bypass
Mar 13, 2026
CVE-2026-28391: OpenClaw Command Injection - The Day I Hacked Myself
Mar 09, 2026
Introducing FuzzForge: Autonomous Source-Code Fuzzing - Finding Bugs in nginx in 112 Minutes
Mar 08, 2026
CVE-2025-68670 Part 2: From Crash to RCE - The One That Fought Back (and Lost)
Mar 04, 2026
CVE-2025-68670: Pre-Auth xrdp Overflow - The One Where the Protocol Fought Back
Mar 04, 2026
CVE-2025-62507: Redis Stack Overflow to RCE in 68 Minutes - Then We Turned ASLR On
Mar 03, 2026
 View all posts →

CVEForge Labs

CVE-2016-15057 CRITICAL
Apache Continuum - Command Injection
CVE-2021-32824 CRITICAL
Apache Dubbo <2.6.10-2.7.10 - RCE
CVE-2023-42117 CRITICAL
Exim < 4.96.2 - Remote Code Execution
CVE-2024-31866 CRITICAL
Apache Zeppelin <0.11.1 - RCE
CVE-2024-37288 CRITICAL
Elastic Kibana - Insecure Deserialization
CVE-2024-43115 HIGH
Apache DolphinScheduler <3.2.2 - RCE
CVE-2024-45409 CRITICAL
Ruby-SAML <=1.16.0 - Auth Bypass
CVE-2024-56143 HIGH
Strapi < 5.5.2 - IDOR
CVE-2025-10622 HIGH
Red Hat Satellite - Command Injection
CVE-2025-11539 CRITICAL
Grafana Image Renderer - RCE
 View all labs →

KEV Gaps

CVE-2026-3910
Google Chrome <146.0.7680.75 - RCE
 CVE-2026-3909
Google Chrome < 146.0.7680.75 - Out-of-Bounds Access
 CVE-2026-1603
Ivanti Endpoint Manager < 2024 - Authentication Bypass
 CVE-2023-43000
macOS Ventura <13.5-iPadOS <16.6-Safari <16.6 - Use After Free
 CVE-2021-30952
tvOS <15.2 - RCE
 CVE-2021-22681
Rockwell Automation Studio 5000 <21 - Path Traversal
 CVE-2026-22719
VMware Aria Operations - Command Injection
 CVE-2026-25108
FileZen - Command Injection
 CVE-2026-22769
Dell RecoverPoint <6.0.3.1 HF1 - Auth Bypass
 CVE-2021-22175
Gitlab < 13.6.7 - SSRF
 CVE-2024-7694
Teamt5 Threatsonar Anti-ransomware < 3.5.0 - Unrestricted File Upload
 CVE-2020-7796
Zimbra Collaboration Suite <8.8.15 Patch 7 - SSRF