CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,278 with exploits | 4,730 exploited in the wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,568 researchers
1,290 results
CVE-2021-20389 7.8 HIGH EPSS 0.00
IBM Security Guardium 11.2 - Info Disclosure
IBM Security Guardium 11.2 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 195770.
CWE-522 May 24, 2021
CVE-2020-12061 9.8 CRITICAL 1 Writeup EPSS 0.00
Nitrokey Fido U2f Firmware - Insufficiently Protected Credentials
An issue was discovered in Nitrokey FIDO U2F firmware through 1.1. Communication between the microcontroller and the secure element transmits credentials in plaintext. This allows an adversary to eavesdrop on the communication and derive the secrets stored in the microcontroller. As a result, the attacker is able to arbitrarily manipulate the firmware of the microcontroller.
CWE-522 May 21, 2021
CVE-2020-24396 7.5 HIGH EPSS 0.01
homee Brain Cube <2.28.2,2.28.4 - Info Disclosure
homee Brain Cube v2 (2.28.2 and 2.28.4) devices have sensitive SSH keys within downloadable and unencrypted firmware images. This allows remote attackers to use the support server as a SOCKS proxy.
CWE-522 May 20, 2021
CVE-2021-29043 5.9 MEDIUM EPSS 0.00
Liferay Digital Experience Platform < 7.3.5 - Insufficiently Protected Credentials
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.
CWE-522 May 17, 2021
CVE-2021-3528 8.8 HIGH EPSS 0.00
noobaa-operator <5.7.0 - Privilege Escalation
A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.
CWE-522 May 13, 2021
CVE-2021-20997 7.5 HIGH EPSS 0.00
WAGO - Info Disclosure
In multiple managed switches by WAGO in different versions it is possible to read out the password hashes of all Web-based Management users.
CWE-522 May 13, 2021
CVE-2021-27941 4.6 MEDIUM 1 Writeup EPSS 0.00
eWeLink <4.9.2-4.9.1 - Info Disclosure
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
CWE-522 May 06, 2021
CVE-2020-21994 9.8 CRITICAL 1 PoC Analysis EPSS 0.05
AVE Dominaplus < 1.10.77 - Insufficiently Protected Credentials
AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a successful authentication bypass attack.
CWE-522 Apr 28, 2021
CVE-2021-30169 5.3 MEDIUM EPSS 0.01
Meritlilin Webcam Devices - Information Disclosure
The sensitive information of the webcam device is not properly protected. Remote attackers can obtain a user's credentials without authentication.
CWE-522 Apr 28, 2021
CVE-2021-30168 9.8 CRITICAL EXPLOITED EPSS 0.02
Webcam Device - Info Disclosure
The sensitive information of the webcam device is not properly protected. Remote attackers can obtain the administrator's credentials without authentication and further control the devices.
CWE-522 Apr 28, 2021
CVE-2021-30167 9.8 CRITICAL EPSS 0.04
Network Camera Device - Privilege Escalation
The manage-users profile service of the network camera device does not properly restrict authenticated users. Authenticated remote attackers can modify URL parameters to amend other users' information and escalate privileges to control the devices.
CWE-522 Apr 28, 2021
CVE-2021-29262 7.5 HIGH EPSS 0.26
Apache Solr < 8.8.2 - Insufficiently Protected Credentials
When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
CWE-522 Apr 13, 2021
CVE-2020-15942 4.3 MEDIUM EPSS 0.00
Fortinet Fortiweb < 6.2.3 - Insufficiently Protected Credentials
An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2.4 and version 6.3.x below 6.3.5 may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile.
CWE-522 Apr 12, 2021
CVE-2021-22115 6.5 MEDIUM EPSS 0.00
Cloudfoundry Capi-release - Insufficiently Protected Credentials
Cloud Controller API versions prior to 1.106.0 log service broker credentials if the default value of the db logging config field is changed. The CAPI database logs the service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller.
CWE-522 Apr 08, 2021
CVE-2021-28171 9.8 CRITICAL EPSS 0.00
Vangene deltaFlow E-platform - Privilege Escalation
The Vangene deltaFlow E-platform does not take proper protective measures. Attackers can obtain privileged permissions remotely by tampering with users' data in the Cookie.
CWE-522 Apr 06, 2021
CVE-2020-11925 8.8 HIGH EPSS 0.00
Luvion Grand Elite 3 Connect Firmware - Insufficiently Protected Cr...
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Authentication to the device is based on a username and password. The root credentials are the same across all devices of this model.
CWE-521 Apr 02, 2021
CVE-2021-21634 6.5 MEDIUM EPSS 0.00
Jenkins Jabber (xmpp) Notifier And Co... - Insufficiently Protected Credentials
Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CWE-522 Mar 30, 2021
CVE-2021-29255 7.5 HIGH EPSS 0.00
Microseven Mym71080i-b Firmware - Insufficiently Protected Credentials
MicroSeven MYM71080i-B 2.0.5 through 2.0.20 devices send admin credentials in cleartext to pnp.microseven.com TCP port 7007. An attacker on the same network as the device can capture these credentials.
CWE-522 Mar 26, 2021
CVE-2021-27372 9.8 CRITICAL EPSS 0.00
Realtek xPON RTL9601D SDK 1.9 - Privilege Escalation
Realtek xPON RTL9601D SDK 1.9 stores passwords in plaintext, which may allow attackers to gain access to the device with root permissions via the built-in network monitoring tool and execute arbitrary commands.
CWE-522 Mar 25, 2021
CVE-2021-1392 7.8 HIGH EPSS 0.00
Cisco Ios - Insufficiently Protected Credentials
A vulnerability in the CLI command permissions of Cisco IOS and Cisco IOS XE Software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP) and then remotely configure the device as an administrative user. This vulnerability exists because incorrect permissions are associated with the show cip security CLI command. An attacker could exploit this vulnerability by issuing the command to retrieve the password for CIP on an affected device. A successful exploit could allow the attacker to reconfigure the device.
CWE-522 Mar 24, 2021