CVE & Exploit Intelligence Database

Updated 5h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,527 CVEs tracked 53,314 with exploits 4,732 exploited in wild 1,543 CISA KEV 3,934 Nuclei templates 48,968 vendors 42,617 researchers
111,005 results Clear all
CVE-2016-6853 6.1 MEDIUM 1 PoC Analysis EPSS 0.01
Open-xchange OX Guard < 2.4.2 - XSS
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CWE-79 Dec 15, 2016
CVE-2016-6852 4.3 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.2 - Information Disclosure
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks.
CWE-200 Dec 15, 2016
CVE-2016-6851 6.1 MEDIUM 1 PoC Analysis EPSS 0.01
Open-xchange OX Guard < 2.4.2 - XSS
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already.
CWE-79 Dec 15, 2016
CVE-2016-6850 6.1 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.2 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CWE-79 Dec 15, 2016
CVE-2016-6848 5.5 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.2 - Security Feature Bypass
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution.
CWE-254 Dec 15, 2016
CVE-2016-6847 6.1 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.2 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CWE-79 Dec 15, 2016
CVE-2016-6845 6.1 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.2 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a proper location. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CWE-79 Dec 15, 2016
CVE-2016-6844 6.1 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.2 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CWE-79 Dec 15, 2016
CVE-2016-6843 6.1 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.2 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most cases this is a user with elevated permissions. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CWE-79 Dec 15, 2016
CVE-2016-6842 6.1 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.2 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CWE-79 Dec 15, 2016
CVE-2016-5740 6.1 MEDIUM 1 PoC Analysis EPSS 0.01
Open-Xchange OX App Suite <7.8.2-rev5 - RCE
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CWE-79 Dec 15, 2016
CVE-2016-5124 6.1 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.1 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image from a specially crafted website and add it to HTML editor areas of OX App Suite, for example E-Mail Compose or OX Text. This specific attack circumvents typical XSS filters and detection mechanisms since the code is not loaded from an external service but injected locally. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this vulnerability, a attacker needs to convince a user to follow specific steps (social-engineering).
CWE-79 Dec 15, 2016
CVE-2016-4048 4.3 MEDIUM EPSS 0.00
Open-Xchange OX App Suite <7.8.1-rev11 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow instructions injected by third parties as part of social engineering attacks.
Dec 15, 2016
CVE-2016-4047 4.3 MEDIUM EPSS 0.00
Open-Xchange OX App Suite <7.8.1-rev8 - Info Disclosure
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed.
CWE-611 Dec 15, 2016
CVE-2016-4046 5.8 MEDIUM EPSS 0.00
Open-Xchange OX App Suite <7.8.1-rev11 - Info Disclosure
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type, content and latency, information about existence of hosts and services can be gathered. Attackers can get internal configuration information about the infrastructure of an operator to prepare subsequent attacks.
CWE-918 Dec 15, 2016
CVE-2016-4045 6.1 MEDIUM EPSS 0.00
Open-Xchange OX App Suite <7.8.1-rev11 - RCE
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work.
CWE-79 Dec 15, 2016
CVE-2016-4026 6.1 MEDIUM EPSS 0.00
Open-Xchange OX App Suite <7.8.1-rev11 - XSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output a unsanitized representation of the content. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Attackers can use this issue for filter evasion to inject script code later on.
CWE-79 Dec 15, 2016
CVE-2016-3173 5.4 MEDIUM EPSS 0.00
Open-xchange Appsuite < 7.8.0 - XSS
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Users actively need to add a file to the portal to enable this attack. In case of shared files however, a internal attacker may modify a previously embedded file to carry a malicious file name. Furthermore this vulnerability can be used to persistently execute code that got injected by a temporary script execution vulnerability.
CWE-79 Dec 15, 2016
CVE-2016-2840 6.1 MEDIUM EPSS 0.01
Open-xchange Appsuite < 7.8.0 - XSS
An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, the vulnerability can be exploited without being authenticated and therefore used for social engineering attacks, stealing cookies or redirecting from trustworthy to malicious hosts.
CWE-79 Dec 15, 2016
CVE-2016-3685 4.7 MEDIUM EPSS 0.00
SAP Download Manager <2.1.142 - Info Disclosure
SAP Download Manager 2.1.142 and earlier generates an encryption key from a small key space on Windows and Mac systems, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of a hardcoded key in the program code and a computer BIOS serial number, aka SAP Security Note 2282338.
CWE-798 Dec 14, 2016

Investigate

Critical + Public Exploits Exploited in Wild + PoC High EPSS (>=0.7) + PoC With Nuclei Templates Latest Public Exploits

Ecosystems

Linux Maven Packagist PyPI npm Go ecosystem RubyGems crates.io NuGet Hex SwiftURL GitHub Actions

Reference Indexes

Exploit Database Researchers Vendors CWE Categories

Recent Blog Posts

CVE-2026-24289: Windows Kernel IOCP Race Condition - The Ghost We Proved by Salting the Circle
Mar 16, 2026
Six AI Agents, One Security Company: The Paperclip AI Experiment
Mar 16, 2026
CVE-2026-4105: systemd-machined Privilege Escalation - 72 Minutes from Drop to Bypass
Mar 13, 2026
CVE-2026-28391: OpenClaw Command Injection - The Day I Hacked Myself
Mar 09, 2026
Introducing FuzzForge: Autonomous Source-Code Fuzzing - Finding Bugs in nginx in 112 Minutes
Mar 08, 2026
CVE-2025-68670 Part 2: From Crash to RCE - The One That Fought Back (and Lost)
Mar 04, 2026
 View all posts →

CVEForge Labs

CVE-2016-15057 CRITICAL
Apache Continuum - Command Injection
CVE-2021-32824 CRITICAL
Apache Dubbo <2.6.10-2.7.10 - RCE
CVE-2023-42117 CRITICAL
Exim < 4.96.2 - Remote Code Execution
CVE-2024-31866 CRITICAL
Apache Zeppelin <0.11.1 - RCE
CVE-2024-37288 CRITICAL
Elastic Kibana - Insecure Deserialization
CVE-2024-43115 HIGH
Apache DolphinScheduler <3.2.2 - RCE
CVE-2024-45409 CRITICAL
Ruby-SAML <=1.16.0 - Auth Bypass
CVE-2024-56143 HIGH
Strapi < 5.5.2 - IDOR
CVE-2025-10622 HIGH
Red Hat Satellite - Command Injection
CVE-2025-11539 CRITICAL
Grafana Image Renderer - RCE
 View all labs →

KEV Gaps

CVE-2025-47813
Wftpserver Wing FTP Server < 7.4.4 - Error Information Exposure
 CVE-2026-3910
Google Chrome <146.0.7680.75 - RCE
 CVE-2026-3909
Google Chrome < 146.0.7680.75 - Out-of-Bounds Access
 CVE-2026-1603
Ivanti Endpoint Manager < 2024 - Authentication Bypass
 CVE-2023-43000
macOS Ventura <13.5-iPadOS <16.6-Safari <16.6 - Use After Free
 CVE-2021-30952
tvOS <15.2 - RCE
 CVE-2021-22681
Rockwell Automation Studio 5000 <21 - Path Traversal
 CVE-2026-22719
VMware Aria Operations - Command Injection
 CVE-2026-25108
FileZen - Command Injection
 CVE-2026-22769
Dell RecoverPoint <6.0.3.1 HF1 - Auth Bypass
 CVE-2021-22175
Gitlab < 13.6.7 - SSRF
 CVE-2024-7694
Teamt5 Threatsonar Anti-ransomware < 3.5.0 - Unrestricted File Upload