CVEs published in 2013 (The default sort order is "publication date, descending" (newest first).)

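This list aggregates NVD, CVE, and several other threat feeds so that high-risk issues such as RCE can be tracked in depth. It combines CVSS and EPSS, and tracks exploitability based on exploit references and the availability of PoCs. It helps you set priorities in the context of vendor fixes and mitigations, and protect critical assets while keeping the response cycle short.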

Showing 120 / 6830
| CVE | Description | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|
| CVE-2013-10075 | Apache::Session versions through 1.94 for Perl re-create deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted. | 9.1 | 0.01% | 2026-05-08 | 2026-05-08 |
| CVE-2013-10056 | Rejected reason: This CVE has been REJECTED and will not be published by the CNA. | N/A | N/A | 2026-04-22 | 2026-04-22 |
| CVE-2013-10045 | Rejected reason: This CVE has been REJECTED and will not be published by the CNA. | N/A | N/A | 2026-04-22 | 2026-04-22 |
| CVE-2013-10041 | Rejected reason: This CVE has been REJECTED and will not be published by the CNA. | N/A | N/A | 2026-04-22 | 2026-04-22 |
| CVE-2013-20006 | Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in admin | 8.7 | 0.06% | 2026-03-16 | 2026-04-15 |
| CVE-2013-20005 | Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent. | 6.9 | 0.03% | 2026-03-16 | 2026-04-15 |
| CVE-2013-10031 | Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks | 7.5 | 0.04% | 2025-12-09 | 2025-12-16 |
| CVE-2013-10074 | Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | 5.1 | 0.50% | 2025-10-30 | 2025-11-06 |
| CVE-2013-10073 | Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitization or argument quoting, allowing an authenticated user with access to discovery functionality to execute arbitrary commands with the privileges of the application service. | 8.7 | 1.94% | 2025-10-30 | 2025-11-06 |
| CVE-2013-10072 | Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations. | 7.2 | 0.10% | 2025-10-30 | 2025-11-06 |
| CVE-2013-10071 | Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | 5.1 | 0.51% | 2025-10-30 | 2025-11-06 |
| CVE-2013-10070 | PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of | 10.0 | 73.70% | 2025-08-05 | 2026-04-15 |
| CVE-2013-10069 | The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root. | 10.0 | 81.15% | 2025-08-05 | 2025-09-23 |
| CVE-2013-10068 | Foxit Reader versions through 5.4.5.0114, including the bundled Foxit Reader Plugin 2.2.1.530, contain a stack-based buffer overflow vulnerability in the npFoxitReaderPlugin.dll module. When a PDF file is loaded from a remote host, an overly long query string in the URL can overflow a buffer, allowing remote attackers to execute arbitrary code. | 9.4 | 74.89% | 2025-08-05 | 2026-05-26 |
| CVE-2013-10067 | Glossword versions 1.8.8 through 1.8.12 contain an authenticated arbitrary file upload vulnerability. When deployed as a standalone application, the administrative interface (gw_admin.php) allows users with administrator privileges to upload files to the gw_temp/a/ directory. Due to insufficient validation of file type and path, attackers can upload and execute PHP payloads, resulting in remote code execution. | 9.4 | 52.99% | 2025-08-05 | 2026-04-15 |
| CVE-2013-10066 | An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userpictures/ directory without authentication. This flaw enables remote code execution by uploading a PHP payload and invoking it via a direct HTTP request. | 10.0 | 82.42% | 2025-08-05 | 2026-04-15 |
| CVE-2013-10065 | A denial-of-service vulnerability exists in Sysax Multi-Server version 6.10 via its SSH daemon. A specially crafted SSH key exchange packet can trigger a crash in the service, resulting in loss of availability. The flaw is triggered during the handling of malformed key exchange data, including a non-standard byte (\x28) in place of the expected SSH protocol delimiter. | 8.7 | 71.07% | 2025-08-05 | 2025-10-02 |
| CVE-2013-10064 | A stack-based buffer overflow vulnerability exists in ActFax Server version 5.01. The server's RAW protocol interface fails to safely process user-supplied data in @F506 fax header fields due to insecure usage of strcpy. Remote attackers can exploit this vulnerability by sending specially crafted @F506 fields, potentially leading to arbitrary code execution. Successful exploitation requires network access to TCP port 4559 and does not require authentication. | 9.3 | 76.01% | 2025-08-05 | 2026-04-15 |
| CVE-2013-10054 | LibrettoCMS version 1.1.7 (and possibly earlier) contains an unauthenticated arbitrary file upload vulnerability in its File Manager plugin. The upload handler located at adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php fails to properly validate file extensions, allowing attackers to upload files with misleading extensions and subsequently rename them to executable .php scripts. This enables remote code execution on the se | 9.3 | 82.42% | 2025-08-04 | 2026-04-15 |
| CVE-2013-10052 | ZPanel includes a helper binary named zsudo, intended to allow restricted privilege escalation for administrative tasks. However, when misconfigured in /etc/sudoers, zsudo can be invoked by low-privileged users to execute arbitrary commands as root. This flaw enables local attackers with shell access to escalate privileges by writing a payload to a writable directory and executing it via zsudo. The vulnerability is particularly impactful in post-exploitation scenarios following web server compro | 8.5 | 4.95% | 2025-08-04 | 2026-04-15 |
cvelogic Threat Intelligence