Critical Vulnerabilities with Public Exploits

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

346,402 CVEs tracked | 53,629 with exploits | 4,859 exploited in wild | 1,583 CISA KEV | 4,077 Nuclei templates | 52,301 vendors | 43,863 researchers
4,101 results
CVE-2017-17643 9.8 CRITICAL 1 PoC Analysis EPSS 0.02
Lynda Clone - SQL Injection
FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/.
CWE-89 Dec 18, 2017
CVE-2017-10682 9.8 CRITICAL 1 PoC Analysis EPSS 0.00
Piwigo < 2.9.1 - SQL Injection
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
CWE-89 Jun 29, 2017
CVE-2017-17872 9.8 CRITICAL 1 PoC Analysis EPSS 0.01
Jextn Video Gallery - SQL Injection
The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action.
CWE-89 Dec 27, 2017
CVE-2017-17871 9.8 CRITICAL 1 PoC Analysis EPSS 0.01
Jextn Question And Answer - SQL Injection
The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL Injection via the an parameter in a view=tags action, or the ques-srch parameter.
CWE-89 Dec 27, 2017
CVE-2017-17672 9.8 CRITICAL 1 PoC Analysis EPSS 0.15
vBulletin < 5.3.3 - Insecure Deserialization
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
CWE-502 Dec 14, 2017
CVE-2017-17870 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Jbuildozer - SQL Injection
The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the appid parameter in an entriessearch action.
CWE-89 Dec 27, 2017
CVE-2017-16949 9.8 CRITICAL 1 PoC Analysis EPSS 0.39
AccessKeys AccessPress Anonymous Post Pro < 3.1.9 - Code Injection
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution.
CWE-434 Dec 19, 2017
CVE-2017-17873 9.8 CRITICAL 1 PoC Analysis EPSS 0.01
Vanguard Marketplace Digital Products PHP - SQL Injection
Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI.
CWE-89 Dec 27, 2017
CVE-2017-17642 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Basic Job Site Script - SQL Injection
Basic Job Site Script 2.0.5 has SQL Injection via the keyword parameter to /job.
CWE-89 Dec 13, 2017
CVE-2017-17641 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Resume Clone Script - SQL Injection
Resume Clone Script 2.0.5 has SQL Injection via the preview.php id parameter.
CWE-89 Dec 13, 2017
CVE-2017-17640 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Advanced World Database - SQL Injection
Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter.
CWE-89 Dec 13, 2017
CVE-2017-17639 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Muslim Matrimonial Script - SQL Injection
Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter.
CWE-89 Dec 13, 2017
CVE-2017-17638 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Groupon Clone Script - SQL Injection
Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php state_id parameter.
CWE-89 Dec 13, 2017
CVE-2017-17637 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Car Rental Script - SQL Injection
Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val parameter.
CWE-89 Dec 13, 2017
CVE-2017-17636 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
MLM Forced Matrix - SQL Injection
MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newid parameter.
CWE-89 Dec 13, 2017
CVE-2017-17635 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
MLM Forex Market Plan Script - SQL Injection
MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_detail.php newid parameter or the event_detail.php eventid parameter.
CWE-89 Dec 13, 2017
CVE-2017-17634 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Single Theater Booking Script - SQL Injection
Single Theater Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter.
CWE-89 Dec 13, 2017
CVE-2017-17633 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Multiplex Movie Theater Booking Script - SQL Injection
Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the trailer-detail.php moid parameter, show-time.php moid parameter, or event-detail.php eid parameter.
CWE-89 Dec 13, 2017
CVE-2017-17632 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Responsive Events And Movie Ticket Booking Script - SQL Injection
Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter.
CWE-89 Dec 13, 2017
CVE-2017-17631 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
Multireligion Responsive Matrimonial - SQL Injection
Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the success-story.php succid parameter.
CWE-89 Dec 13, 2017