CVEリスト - 高リスク・悪用確認済み脆弱性

NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。

Assigner(CNA/発行元):[email protected] この条件を外す

CVSS スコア
表示中 6180 / 751
CVE 説明 CVSS 最大値 EPSS(%) 公開 更新
CVE-2026-40813 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 8.7 0.32% 2026-05-27 2026-06-17
CVE-2026-40812 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 8.7 0.32% 2026-05-27 2026-06-17
CVE-2026-40811 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 8.7 0.32% 2026-05-27 2026-06-17
CVE-2026-40810 An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 8.7 0.32% 2026-05-27 2026-06-17
CVE-2025-41670 A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation. 8.7 0.19% 2026-05-27 2026-06-17
CVE-2025-41669 The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control. 8.7 0.22% 2026-05-27 2026-06-17
CVE-2026-8047 The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device. 8.7 0.45% 2026-05-26 2026-06-17
CVE-2026-8046 The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges. 7.2 0.35% 2026-05-26 2026-06-17
CVE-2026-44469 The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative installation. A low-privileged local attacker can exploit a TOCTOU race condition with a practical time window to replace verified files with malicious ones before installation, resulting in local privilege escalation. 8.5 0.10% 2026-05-26 2026-06-17
CVE-2026-44468 The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary components. 8.5 0.12% 2026-05-26 2026-06-17
CVE-2026-0393 The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session. 6.9 0.24% 2026-05-21 2026-06-17
CVE-2026-35227 An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections. 8.2 0.35% 2026-05-12 2026-06-17
CVE-2024-43384 A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer. 8.0 0.34% 2026-05-07 2026-06-17
CVE-2026-3323 An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes. 7.5 0.40% 2026-04-28 2026-06-17
CVE-2026-35225 An unauthenticated remote attacker is able to exhaust all available TCP connections in the CODESYS EtherNet/IP adapter stack, preventing legitimate clients from establishing new connections. 8.7 0.42% 2026-04-23 2026-06-17
CVE-2023-5872 In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint. 4.3 0.32% 2026-04-16 2026-06-17
CVE-2023-3634 In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability. 8.8 0.50% 2026-04-16 2026-06-17
CVE-2024-1490 An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device. 7.2 0.73% 2026-04-09 2026-06-17
CVE-2026-33617 An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials. 5.3 0.27% 2026-04-02 2026-06-17
CVE-2026-33616 An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. 7.5 0.34% 2026-04-02 2026-06-17
cvelogic Threat Intelligence