CVEリスト - 高リスク・悪用確認済み脆弱性

NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。

Assigner(CNA/発行元):[email protected] この条件を外す

CVSS スコア
表示中 120 / 34
«« 先頭 « 前へ 1 / 2 次へ »
CVE 説明 CVSS 最大値 EPSS(%) 公開 更新
CVE-2025-7404 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. 5.9 2.73% 2025-07-24 2026-06-17
CVE-2024-1651 Torrentpier version 2.4.1 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to insecure deserialization. 10.0 34.00% 2024-02-19 2026-06-17
CVE-2024-1297 Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection. 7.2 2.76% 2024-02-19 2026-06-17
CVE-2023-50760 Online Notice Board System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'f' parameter of user/update_profile_pic.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application. 8.8 1.21% 2024-01-04 2026-06-17
CVE-2023-4122 Student Information System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'photo' parameter of my-profile page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application. 9.9 1.45% 2023-12-07 2026-06-17
CVE-2023-6199 Book Stack version 23.10.2 allows filtering local files on the server. This is possible because the application is vulnerable to SSRF. 6.5 1.38% 2023-11-20 2026-06-17
CVE-2023-5185 Gym Management System Project v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'file' parameter of profile/i.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application. 9.1 1.20% 2023-09-28 2026-06-17
CVE-2023-43740 Online Book Store Project v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'image' parameter of admin_edit.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application. 8.8 1.21% 2023-09-28 2026-06-17
CVE-2023-3550 Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator. 7.3 1.15% 2023-09-25 2026-06-17
CVE-2023-2533 KEV A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes. 8.4 29.25% 2023-06-20 2026-06-17
CVE-2023-1094 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/food` endpoint and food parameter. 8.8 1.17% 2023-05-08 2026-06-17
CVE-2023-1031 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter. 8.8 1.42% 2023-05-08 2026-06-17
CVE-2023-0842 xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. 5.3 1.39% 2023-04-05 2026-06-17
CVE-2023-0670 Ulearn version a5a7ca20de859051ea0470542844980a66dfc05d allows an attacker with administrator permissions to obtain remote code execution on the server through the image upload functionality. This occurs because the application does not validate that the uploaded image is actually an image. 7.2 1.02% 2023-04-05 2026-06-17
CVE-2023-0265 Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. 8.8 1.60% 2023-04-04 2026-06-17
CVE-2023-0164 OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function. 8.8 1.38% 2023-01-18 2026-06-17
CVE-2022-41705 Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. 9.8 1.81% 2022-11-25 2026-06-17
CVE-2022-42749 CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. 6.1 1.07% 2022-11-03 2026-06-17
CVE-2022-42748 CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. 6.1 1.07% 2022-11-03 2026-06-17
CVE-2022-42747 CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. 6.1 1.07% 2022-11-03 2026-06-17
«« 先頭 « 前へ 1 / 2 次へ »
cvelogic Threat Intelligence