CVE List - High-Risk and Confirmed-Exploited Vulnerabilities

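This list aggregates NVD, CVE and several other threat feeds so that high-risk issues such as RCE can be tracked in depth. It combines CVSS and EPSS, and tracks ease of exploitation from exploit references and the availability of PoCs. Priorities are set in the context of vendor fixes and mitigations, helping to keep the response cycle short while protecting critical assets.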

Assigner (CNA/issuer): [email protected]

Showing 121–140 of 751
| CVE | Description | CVSS (max) | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-22903 | An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections. | 9.8 | 0.67% | 2026-02-09 | 2026-06-17 |
| CVE-2022-50981 | An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. | 9.8 | 0.53% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50980 | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. | 6.5 | 0.21% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50979 | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). | 6.5 | 0.21% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50978 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). | 7.5 | 0.45% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50977 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. | 7.5 | 0.44% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50976 | A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB. | 7.7 | 0.14% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50975 | An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. | 8.8 | 0.23% | 2026-02-02 | 2026-06-17 |
| CVE-2025-41728 | A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. | 5.3 | 0.31% | 2026-01-27 | 2026-06-17 |
| CVE-2025-41727 | A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. | 7.8 | 0.16% | 2026-01-27 | 2026-06-17 |
| CVE-2025-41726 | A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. | 8.8 | 0.35% | 2026-01-27 | 2026-06-17 |
| CVE-2025-41768 | A high privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting'). | 5.5 | 0.21% | 2026-01-20 | 2026-06-17 |
| CVE-2025-41717 | An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection'). | 8.8 | 0.50% | 2026-01-13 | 2026-06-17 |
| CVE-2024-2105 | An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices. | 6.5 | 0.18% | 2025-12-10 | 2026-06-17 |
| CVE-2024-2104 | Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service which could render the device unusable. | 8.8 | 0.21% | 2025-12-10 | 2026-06-17 |
| CVE-2025-41732 | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise. | 9.8 | 0.37% | 2025-12-10 | 2026-06-17 |
| CVE-2025-41730 | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise. | 9.8 | 0.37% | 2025-12-10 | 2026-06-17 |
| CVE-2025-41752 | An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is | 7.1 | 8.24% | 2025-12-09 | 2026-06-17 |
| CVE-2025-41751 | An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is | 7.1 | 8.24% | 2025-12-09 | 2026-06-17 |
| CVE-2025-41750 | An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is | 7.1 | 8.40% | 2025-12-09 | 2026-06-17 |
cvelogic Threat Intelligence