CVE List - High-Risk Vulnerabilities with Confirmed Exploitation

This list aggregates NVD, CVE and several other threat feeds so that high-risk events such as RCE can be followed in depth. It combines CVSS with EPSS and tracks ease of exploitation from the presence of Exploit references and PoCs. Together with the context of vendor fixes and mitigations, it helps you set priorities, keep response cycles short and protect critical assets.

Assigner (CNA/issuer): [email protected]

Showing 120 / 2472
| CVE | Description | CVSS (max) | EPSS (%) | Published | Updated |
| --- | --- | --- | --- | --- | --- |
| CVE-2023-4624 | Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08. | 2.4 | 0.48% | 2023-08-30 | 2024-11-21 |
| CVE-2022-3301 | Improper Cleanup on Thrown Exception in GitHub repository ikus060/rdiffweb prior to 2.4.8. | 2.4 | 0.54% | 2022-09-26 | 2024-11-21 |
| CVE-2022-0536 | Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8. | 2.6 | 1.25% | 2022-02-09 | 2026-02-24 |
| CVE-2024-7038 | An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information. | 2.7 | 0.34% | 2024-10-09 | 2024-11-03 |
| CVE-2025-6088 | In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to brute force, they can be obtained from less-protected sources such as server-side access logs, browser history, or screenshots. The vulnerability permits a logged-in user to gain read-only access to another user's conver | 3.1 | 0.27% | 2025-09-11 | 2025-10-16 |
| CVE-2024-2032 | A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identifi | 3.1 | 0.29% | 2024-06-06 | 2024-11-21 |
| CVE-2024-4841 | A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoi | 3.3 | 0.67% | 2024-06-23 | 2025-11-07 |
| CVE-2024-4839 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows attackers to deceive users into unwittingly installing the XTTS service among other packages by submitting a malicious installation request. Succ | 3.3 | 0.16% | 2024-06-24 | 2025-07-07 |
| CVE-2024-4330 | A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory structure and view the contents of any folder, albeit limited to subfolder names only. This issue was demonstrated via a specific HTTP request that manipulated the 'category' parameter to acce | 3.3 | 0.29% | 2024-05-30 | 2025-07-09 |
| CVE-2024-3121 | A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands. | 3.3 | 0.45% | 2024-06-24 | 2024-11-21 |
| CVE-2024-2213 | An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3. | 3.3 | 0.24% | 2024-06-06 | 2025-10-15 |
| CVE-2023-5862 | Missing Authorization in GitHub repository hamza417/inure prior to Build95. | 3.3 | 0.25% | 2023-10-31 | 2024-11-21 |
| CVE-2023-3291 | Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.2.2. | 3.3 | 0.38% | 2023-06-16 | 2024-11-21 |
| CVE-2023-1176 | Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. | 3.3 | 0.58% | 2023-03-24 | 2024-11-21 |
| CVE-2022-2061 | Heap-based Buffer Overflow in GitHub repository hpjansson/chafa prior to 1.12.0. | 3.3 | 0.42% | 2022-06-13 | 2024-11-21 |
| CVE-2022-1722 | SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses | 3.3 | 0.51% | 2022-05-16 | 2024-11-21 |
| CVE-2022-0158 | vim is vulnerable to Heap-based Buffer Overflow | 3.3 | 1.71% | 2022-01-10 | 2024-11-21 |
| CVE-2025-3777 | Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1 | 3.5 | 0.33% | 2025-07-07 | 2025-08-07 |
| CVE-2023-5901 | Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | 3.5 | 0.46% | 2023-11-07 | 2024-11-21 |
| CVE-2023-5900 | Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | 3.5 | 0.24% | 2023-11-07 | 2024-11-21 |
cvelogic Threat Intelligence