Critical Vulnerabilities with Public Exploits


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

346,363 CVEs tracked; 53,626 with exploits; 4,858 exploited in wild; 1,583 CISA KEV; 4,077 Nuclei templates; 52,288 vendors; 43,844 researchers
4,101 results
CVE-2014-8361 9.8 CRITICAL KEV 3 PoCs Analysis EPSS 0.94
Realtek SDK - RCE
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request, as exploited in the wild through 2023.
May 01, 2015
CVE-2014-3206 9.8 CRITICAL EXPLOITED 2 PoCs Analysis NUCLEI EPSS 0.92
Seagate Blackarmor Nas 220 Firmware - Improper Input Validation
Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php.
CWE-20 Feb 23, 2018
CVE-2014-8731 9.8 CRITICAL 1 PoC Analysis EPSS 0.47
PHPMemcachedAdmin <1.2.2 - RCE
PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to "serialized data and the last part of the concatenated filename," which creates a file in webroot.
CWE-502 Mar 23, 2017
CVE-2014-0030 9.8 CRITICAL 1 PoC Analysis EPSS 0.29
Apache Roller <5.0.3 - XXE
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
CWE-611 Oct 10, 2017
CVE-2014-0780 9.8 CRITICAL KEV 1 PoC Analysis EPSS 0.89
Indusoft Web Studio - Path Traversal
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.
CWE-22 Apr 25, 2014
CVE-2014-7920 9.8 CRITICAL 2 PoCs Analysis EPSS 0.10
Google Android - Access Control
mediaserver in Android 2.2 through 5.x before 5.1 allows attackers to gain privileges. NOTE: This is a different vulnerability than CVE-2014-7921.
CWE-264 Apr 13, 2017
CVE-2014-2323 9.8 CRITICAL 1 PoC Analysis NUCLEI EPSS 0.90
lighttpd <1.4.35 - SQL Injection
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
CWE-89 Mar 14, 2014
CVE-2014-9613 9.8 CRITICAL 1 PoC Analysis EPSS 0.06
Netsweeper <2.6.29.10 - SQL Injection
Multiple SQL injection vulnerabilities in Netsweeper before 2.6.29.10 allow remote attackers to execute arbitrary SQL commands via the (1) login parameter to webadmin/auth/verification.php or (2) dpid parameter to webadmin/deny/index.php.
CWE-89 Feb 19, 2020
CVE-2014-9612 9.8 CRITICAL 1 PoC Analysis EPSS 0.06
Netsweeper <4.1.2 - SQL Injection
SQL injection vulnerability in remotereporter/load_logfiles.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to execute arbitrary SQL commands via the server parameter.
CWE-89 Feb 19, 2020
CVE-2014-9618 9.8 CRITICAL 1 PoC Analysis NUCLEI EPSS 0.68
Netsweeper <3.1.10, <4.0.9, <4.1.2 - Auth Bypass
The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a showdeny action to the default URL.
CWE-287 Sep 19, 2017
CVE-2014-9611 9.8 CRITICAL 1 PoC Analysis EPSS 0.29
Netsweeper <4.0.5 - Auth Bypass
Netsweeper before 4.0.5 allows remote attackers to bypass authentication and create arbitrary accounts and policies via a request to webadmin/nslam/index.php.
CWE-287 Sep 19, 2017
CVE-2014-8673 9.8 CRITICAL 1 PoC Analysis EPSS 0.50
SOPPlanning <1.33 - SQL Injection
Multiple SQL injection vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple Online Planning (SOPPlanning) before 1.33.
CWE-89 Jan 07, 2020
CVE-2014-9148 9.8 CRITICAL 1 PoC Analysis EPSS 0.24
Fiyo CMS 2.0.1.8 - Auth Bypass
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
CWE-284 Oct 16, 2017
CVE-2014-7279 9.8 CRITICAL 1 PoC Analysis EPSS 0.58
Konke Smart Plug K - Info Disclosure
The Konke Smart Plug K does not require authentication for TELNET sessions, which allows remote attackers to obtain "equipment management authority" via TCP traffic to port 23.
CWE-264 Mar 23, 2017
CVE-2014-2023 9.8 CRITICAL 1 PoC Analysis EPSS 0.09
Tapatalk plugin <4.9.0, 5.x-5.2.1 - SQL Injection
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/.
CWE-89 Oct 26, 2017
CVE-2014-8322 9.8 CRITICAL 1 PoC Analysis EPSS 0.32
Aircrack-ng < 1.1 - Out-of-Bounds Write
Stack-based buffer overflow in the tcp_test function in aireplay-ng.c in Aircrack-ng before 1.2 RC 1 allows remote attackers to execute arbitrary code via a crafted length parameter value.
CWE-787 Jan 31, 2020
CVE-2014-5289 9.8 CRITICAL 1 PoC Analysis EPSS 0.23
Senkas Kolibri - Improper Input Validation
Buffer overflow in Senkas Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a POST request.
CWE-20 Dec 27, 2019
CVE-2014-6437 9.8 CRITICAL 1 PoC Analysis EPSS 0.23
Aztech ADSL - Info Disclosure
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices allow remote attackers to obtain sensitive device configuration information via vectors involving the ROM file.
CWE-200 Jan 12, 2018
CVE-2014-6436 9.8 CRITICAL 1 PoC Analysis EPSS 0.40
Aztech ADSL - Privilege Escalation
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.
CWE-287 Jan 12, 2018
CVE-2014-5007 9.8 CRITICAL 3 PoCs Analysis EPSS 0.50
Zohocorp Manageengine Desktop Central < 9.0 - Path Traversal
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.
CWE-22 Jan 17, 2020