Critical Vulnerabilities with Public Exploits
Updated 26m agoSearch and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.
4,101 results
Clear all
CVE-2015-6018
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.22
ZyXEL PMG5318-B20A <1.00(AANC.2)C0 - RCE
The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attackers to execute arbitrary commands via the PingIPAddr parameter.
CWE-264
Dec 31, 2015
CVE-2015-6970
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.09
Bosch Security Systems NBN-498 Dinion2X - XML Injection
The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 allows remote attackers to conduct XML injection attacks via the idstring parameter to rcp.xml.
CWE-91
Feb 18, 2020
CVE-2015-7241
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.27
SAP Netweaver < 7.0 - XXE
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
CWE-611
Sep 06, 2017
CVE-2015-6834
9.8
CRITICAL
2 PoCs
Analysis
EPSS 0.37
Php < 5.4.44 - Use After Free
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.
May 16, 2016
CVE-2015-9263
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.63
Idera Uptime Infrastructure Monitor - Unrestricted File Upload
An issue was discovered in post2file.php in Up.Time Monitoring Station 7.5.0 (build 16) and 7.4.0 (build 13). It allows an attacker to upload an arbitrary file, such as a .php file that can execute arbitrary OS commands.
CWE-434
Aug 27, 2018
CVE-2015-4664
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.51
Broadcom Privileged Access Manager - Improper Input Validation
An improper input validation vulnerability in CA Privileged Access Manager 2.4.4.4 and earlier allows remote attackers to execute arbitrary commands.
CWE-20
Jun 18, 2018
CVE-2015-4667
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.24
Xceedium Xsuite - Hard-coded Credentials
Multiple hardcoded credentials in Xsuite 2.x.
CWE-798
Sep 25, 2017
CVE-2015-4073
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.10
Helpdesk Pro < 1.3.0 - SQL Injection
Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) ticket_code or (2) email parameter or (3) remote authenticated users to execute arbitrary SQL commands via the filter_order parameter.
CWE-89
Sep 20, 2017
CVE-2015-2279
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.42
Airlive Bu-2015 Firmware - OS Command Injection
cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac write_pid, write_msn, write_tan, or write_hdv parameter.
CWE-78
Jul 25, 2017
CVE-2015-3043
9.8
CRITICAL
KEV
2 PoCs
Analysis
EPSS 0.87
Adobe Flash Player <14.x - Memory Corruption
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in April 2015, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, and CVE-2015-3042.
CWE-787
Apr 14, 2015
CVE-2015-3934
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.01
Fiyo CMS 2.0_1.9.1 - SQL Injection
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.
CWE-89
Nov 21, 2017
CVE-2015-4683
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.34
Polycom Realpresence Resource Manager < 8.3.2 - Access Control
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters with HTTP GET requests.
CWE-264
Sep 19, 2017
CVE-2015-4633
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.04
Koha < 3.14.16 - SQL Injection
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.
CWE-89
Oct 18, 2018
CVE-2015-3933
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.02
MetalGenix GeniXCMS <0.0.3-patch - SQL Injection
Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php.
CWE-89
Nov 08, 2017
CVE-2015-7346
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.04
Zcms - SQL Injection
SQL injection vulnerability in ZCMS 1.1.
CWE-89
Jun 07, 2017
CVE-2015-4455
9.8
CRITICAL
EXPLOITED
1 PoC
Analysis
NUCLEI
EPSS 0.80
Aviary Image Editor Add-on For Gravit... - Unrestricted File Upload
Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/gform_aviary.
CWE-434
May 23, 2017
CVE-2015-3313
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.18
WordPress Community Events <1.4 - SQL Injection
SQL injection vulnerability in WordPress Community Events plugin before 1.4.
CWE-89
Sep 07, 2017
CVE-2015-2798
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.01
Web-dorado Contact Form Maker - SQL Injection
SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CWE-89
Jul 25, 2017
CVE-2015-2780
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.32
Berta Cms < 0.8.9b - Unrestricted File Upload
Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
CWE-434
Oct 16, 2017
CVE-2015-0565
10.0
CRITICAL
2 PoCs
Analysis
EPSS 0.19
Google Native Client - Memory Corruption
NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.
CWE-119
Feb 25, 2020