Latest Vulnerabilities with Public Exploits


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

346,876 CVEs tracked; 53,708 with exploits; 4,860 exploited in wild; 1,585 CISA KEV; 4,078 Nuclei templates; 53,663 vendors; 43,954 researchers

53,708 results
CVE-2024-10479 2.4 LOW SSVC PoC 1 PoC EPSS 0.00
Pb-cms < 2.0.1 - XSS
A vulnerability, which was classified as problematic, was found in LinZhaoguan pb-cms up to 2.0.1. Affected is an unknown function of the file /admin#themes of the component Theme Management Module. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CWE-79 Oct 29, 2024

CVE-2024-10478 2.4 LOW 1 PoC EPSS 0.00
Pb-cms < 2.0.1 - XSS
A vulnerability, which was classified as problematic, has been found in LinZhaoguan pb-cms up to 2.0.1. This issue affects some unknown processing of the file /admin#article/edit?id=2 of the component Edit Article Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CWE-79 Oct 29, 2024

CVE-2024-10477 2.4 LOW 1 PoC EPSS 0.00
Pb-cms < 2.0.1 - XSS
A vulnerability classified as problematic was found in LinZhaoguan pb-cms up to 2.0.1. This vulnerability affects unknown code of the file /admin#permissions of the component Permission Management Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CWE-79 Oct 29, 2024

CVE-2024-27489 7.5 HIGH SSVC PoC 1 PoC EPSS 0.00
WMCMS <4.4 - File Deletion
An issue in the DelFile() function of WMCMS v4.4 allows attackers to delete arbitrary files via a crafted POST request.
CWE-473 Jul 19, 2024

CVE-2024-24291 6.1 MEDIUM 1 PoC EPSS 0.00
Yzmcms - Open Redirect
An issue in the component /member/index/login of yzmcms v7.0 allows attackers to direct users to malicious sites via a crafted URL.
CWE-601 Feb 06, 2024

CVE-2024-24029 9.8 CRITICAL SSVC PoC 1 PoC EPSS 0.00
Jfinalcms - SQL Injection
JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.
CWE-89 Feb 02, 2024

CVE-2024-22533 9.8 CRITICAL 1 PoC EPSS 0.01
Before Beetl <3.15.12 - Code Injection
Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.
CWE-94 Feb 02, 2024

CVE-2024-40545 8.8 HIGH 1 PoC EPSS 0.00
PublicCMS <4.0.202302.e - RCE
An arbitrary file upload vulnerability in the component /admin/cmsWebFile/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
CWE-434 Jul 12, 2024

CVE-2024-40544 8.8 HIGH SSVC PoC 1 PoC EPSS 0.00
PublicCMS <4.0.202302.e - SSRF
PublicCMS v4.0.202302.e was discovered to contain a Server-Side Request Forgery (SSRF) via the component /admin/#maintenance_sysTask/edit.
CWE-918 Jul 12, 2024

CVE-2024-40543 8.8 HIGH SSVC PoC 1 PoC EPSS 0.00
PublicCMS v4.0.202302.e - SSRF
PublicCMS v4.0.202302.e was discovered to contain a Server-Side Request Forgery (SSRF) via the component /admin/ueditor?action=catchimage.
CWE-918 Jul 12, 2024

CVE-2024-40542 9.8 CRITICAL SSVC PoC 1 PoC EPSS 0.00
my-springsecurity-plus <2024.07.03 - SQL Injection
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/role?offset.
CWE-89 Jul 12, 2024

CVE-2024-40541 9.8 CRITICAL SSVC PoC 1 PoC EPSS 0.00
my-springsecurity-plus <2024.07.03 - SQL Injection
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept/build.
CWE-89 Jul 12, 2024

CVE-2024-40540 9.8 CRITICAL SSVC PoC 1 PoC EPSS 0.00
my-springsecurity-plus <2024.07.03 - SQL Injection
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept.
CWE-89 Jul 12, 2024

CVE-2024-40539 9.8 CRITICAL SSVC PoC 1 PoC EPSS 0.00
my-springsecurity-plus <2024.07.03 - SQL Injection
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/user.
CWE-89 Jul 12, 2024

CVE-2024-37732 6.1 MEDIUM SSVC PoC 1 PoC EPSS 0.14
Anchorcms Anchor Cms - Basic XSS
Cross Site Scripting vulnerability in Anchor CMS v.0.12.7 allows a remote attacker to execute arbitrary code via a crafted .pdf file.
CWE-80 Jun 24, 2024

CVE-2024-34959 5.5 MEDIUM SSVC PoC 1 PoC EPSS 0.00
Dedecms - XSS
DedeCMS V5.7.113 is vulnerable to Cross Site Scripting (XSS) via sys_data_replace.php.
CWE-79 May 17, 2024

CVE-2024-33371 6.1 MEDIUM SSVC PoC 1 PoC EPSS 0.00
Dedecms - XSS
Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remote attacker to execute arbitrary code via the typeid parameter in the makehtml_list_action.php component.
CWE-79 Apr 30, 2024

CVE-2024-33401 4.4 MEDIUM SSVC PoC 1 PoC EPSS 0.00
Dedecms - XSS
Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remote attacker to run arbitrary code via the mnum parameter.
CWE-79 Apr 29, 2024

CVE-2024-3311 6.3 MEDIUM SSVC PoC 1 PoC EPSS 0.00
Dreamer CMS <4.1.3.0 - Path Traversal
A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been declared as critical. Affected by this vulnerability is the function ZipUtils.unZipFiles of the file controller/admin/ThemesController.java. The manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.3.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-259369 was assigned to this vulnerability.
CWE-22 Apr 04, 2024

CVE-2024-2828 6.3 MEDIUM SSVC PoC 1 PoC 1 Writeup EPSS 0.00
Lakernote Easyadmin < 2024-03-15 - SSRF
A vulnerability, which was classified as critical, was found in lakernote EasyAdmin up to 20240315. Affected is the function thumbnail of the file src/main/java/com/laker/admin/module/sys/controller/IndexController.java. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 23165d8cb569048c531150f194fea39f8800b8d5. It is recommended to apply a patch to fix this issue. VDB-257718 is the identifier assigned to this vulnerability.
CWE-918 Mar 22, 2024