NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。
Assigner(CNA/発行元):[email protected] この条件を外す
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2024-1651 | Torrentpier version 2.4.1 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to insecure deserialization. | 10.0 | 34.00% | 2024-02-20 | 2025-02-12 |
| CVE-2023-2533 KEV | A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes. | 8.4 | 29.46% | 2023-06-20 | 2026-02-26 |
| CVE-2022-23046 | PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php | 7.2 | 25.24% | 2022-01-19 | 2024-11-21 |
| CVE-2022-25226 | ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server. | 10.0 | 10.87% | 2022-04-18 | 2024-11-21 |
| CVE-2022-23050 | ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality. | 7.2 | 4.65% | 2022-05-24 | 2024-11-21 |
| CVE-2022-23049 | Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session. | 5.4 | 2.99% | 2022-02-09 | 2024-11-21 |
| CVE-2022-23047 | Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site" | 4.8 | 2.89% | 2022-02-09 | 2024-11-21 |
| CVE-2022-25225 | Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. It is also possible to achieve remote code execution in the default installation (PostgreSQL) by exploiting this issue. | 7.2 | 2.78% | 2022-03-10 | 2024-11-21 |
| CVE-2024-1297 | Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection. | 7.2 | 2.76% | 2024-02-20 | 2026-04-20 |
| CVE-2025-7404 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. | 5.9 | 2.73% | 2025-07-24 | 2026-01-16 |
| CVE-2022-23048 | Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands. | 7.2 | 2.10% | 2022-02-09 | 2024-11-21 |
| CVE-2022-41705 | Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | 9.8 | 1.81% | 2022-11-25 | 2025-04-29 |
| CVE-2022-25222 | Money Transfer Management System Version 1.0 allows an unauthenticated user to inject SQL queries in 'admin/maintenance/manage_branch.php' and 'admin/maintenance/manage_fee.php' via the 'id' parameter. | 9.8 | 1.62% | 2022-03-23 | 2024-11-21 |
| CVE-2023-0265 | Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | 8.8 | 1.60% | 2023-04-04 | 2025-02-13 |
| CVE-2022-41711 | Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | 9.8 | 1.55% | 2022-10-25 | 2025-05-07 |
| CVE-2023-4122 | Student Information System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'photo' parameter of my-profile page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application. | 9.9 | 1.45% | 2023-12-07 | 2024-11-21 |
| CVE-2022-23043 | Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server. | 7.2 | 1.44% | 2022-02-24 | 2024-11-21 |
| CVE-2023-1031 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter. | 8.8 | 1.42% | 2023-05-08 | 2025-01-29 |
| CVE-2023-0842 | xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. | 5.3 | 1.39% | 2023-04-05 | 2025-09-24 |
| CVE-2023-6199 | Book Stack version 23.10.2 allows filtering local files on the server. This is possible because the application is vulnerable to SSRF. | 6.5 | 1.38% | 2023-11-20 | 2025-05-19 |