NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。
Assigner(CNA/発行元):[email protected] この条件を外す
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2024-7340 | The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin. | 8.8 | 5.01% | 2024-07-31 | 2026-06-17 |
| CVE-2024-6961 | RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users that consume RAIL documents from external sources are vulnerable to XXE, which may cause leakage of internal file data via the SYSTEM entity. | 5.9 | 0.41% | 2024-07-21 | 2026-06-17 |
| CVE-2024-6960 | The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform. | 7.5 | 0.68% | 2024-07-21 | 2026-06-17 |
| CVE-2024-6507 | Command injection when ingesting a remote Kaggle dataset due to a lack of input sanitization in the ingest_kaggle() API | 8.1 | 1.14% | 2024-07-04 | 2026-06-17 |
| CVE-2024-5565 | The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution. | 8.1 | 14.96% | 2024-05-31 | 2026-06-17 |
| CVE-2024-2248 | A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user's account when clicking on a specially crafted URL sent to the victim’s user email. | 6.4 | 0.27% | 2024-05-15 | 2026-06-17 |
| CVE-2024-34394 | libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution. | 8.1 | 0.99% | 2024-05-02 | 2026-06-17 |
| CVE-2024-34393 | libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled). | 8.1 | 0.96% | 2024-05-02 | 2026-06-17 |
| CVE-2024-34392 | libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes _wrap__xmlNode_nsDef_get()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution. | 8.1 | 1.14% | 2024-05-02 | 2026-06-17 |
| CVE-2024-34391 | libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled). | 8.1 | 1.10% | 2024-05-02 | 2026-06-17 |
| CVE-2024-4142 | An Improper input validation vulnerability that could potentially lead to privilege escalation was discovered in JFrog Artifactory. Due to this vulnerability, users with low privileges may gain administrative access to the system. This issue can also be exploited in Artifactory platforms with anonymous access enabled. | 9.0 | 0.67% | 2024-05-01 | 2026-06-17 |
| CVE-2024-4340 | Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. | 7.5 | 3.21% | 2024-04-30 | 2026-06-17 |
| CVE-2024-3505 | JFrog Artifactory Self-Hosted versions below 7.77.3, are vulnerable to sensitive information disclosure whereby a low-privileged authenticated user can read the proxy configuration. This does not affect JFrog cloud deployments. | 4.3 | 0.41% | 2024-04-15 | 2026-06-17 |
| CVE-2024-2247 | JFrog Artifactory versions below 7.77.7, 7.82.1, are vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism. | 8.8 | 0.50% | 2024-03-13 | 2026-06-17 |
| CVE-2023-42661 | JFrog Artifactory prior to version 7.76.2 is vulnerable to Arbitrary File Write of untrusted data, which may lead to DoS or Remote Code Execution when a specially crafted series of requests is sent by an authenticated user. This is due to insufficient validation of artifacts. | 7.2 | 0.88% | 2024-03-07 | 2026-06-17 |
| CVE-2023-42509 | JFrog Artifactory later than version 7.17.4 but prior to version 7.77.0 is vulnerable to an issue whereby a sequence of improperly handled exceptions in repository configuration initialization steps may lead to exposure of sensitive data. | 6.6 | 0.44% | 2024-03-07 | 2026-06-17 |
| CVE-2023-42662 | JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, 7.68.19, 7.71.8 are vulnerable to an issue whereby user interaction with specially crafted URLs could lead to exposure of user access tokens due to improper handling of the CLI / IDE browser based SSO integration. | 9.3 | 0.47% | 2024-03-07 | 2026-06-17 |
| CVE-2024-27133 | Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields. | 7.5 | 0.65% | 2024-02-23 | 2026-06-17 |
| CVE-2024-27132 | Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables. | 7.5 | 0.87% | 2024-02-23 | 2026-06-17 |
| CVE-2024-0879 | Authentication bypass in vector-admin allows a user to register to a vector-admin server while “domain restriction” is active, even when not owning an authorized email address. | 6.5 | 0.38% | 2024-01-25 | 2026-06-17 |