Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2023-54351 | WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages. | 5.1 | 0.17% | 2026-06-07 | 2026-06-17 |
| CVE-2023-54350 | WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server. | 8.7 | 0.53% | 2026-06-07 | 2026-06-17 |
| CVE-2023-5502 | On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication. | 8.2 | 0.32% | 2026-06-04 | 2026-06-17 |
| CVE-2023-52951 | A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential. | 5.9 | 0.13% | 2026-06-03 | 2026-06-17 |
| CVE-2023-52945 | Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. | 7.8 | 0.14% | 2026-05-27 | 2026-06-17 |
| CVE-2023-7346 | Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses. | 4.1 | 0.14% | 2026-05-20 | 2026-06-17 |
| CVE-2023-7345 | Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtain signatures on truncated or misinterpreted message values to authorize unintended blockchain transactions, such as asset transfers at incorrect amounts. | 6.9 | 0.26% | 2026-05-19 | 2026-06-17 |
| CVE-2023-24215 | Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. | 9.1 | 0.25% | 2026-05-18 | 2026-07-05 |
| CVE-2023-31317 | Improper restriction of operations within the bounds of a memory buffer in the AMD secure processer (ASP) could allow an attacker to read or write to protected memory potentially resulting in arbitrary code execution. | 8.8 | 0.10% | 2026-05-14 | 2026-06-17 |
| CVE-2023-31316 | Improperly preserved integrity of hardware configuration state during a power save/restore operation in the AMD Secure Processor (ASP) could allow an attacker with the ability to write outside the trusted memory range (TMR) to change the execution flow of the Video Core Next (VCN) firmware potentially impacting confidentiality, integrity, or availability. | 7.1 | 0.10% | 2026-05-14 | 2026-06-17 |
| CVE-2023-31309 | Improper validation in Power Management Firmware (PMFW) may allow an attacker with privileges to pass malformed workload arguments when exporting table data from SMU to DRAM potentially resulting in a loss of confidentiality and/or availability. | 6.8 | 0.11% | 2026-05-14 | 2026-06-17 |
| CVE-2023-30059 | An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request. | 5.4 | 0.17% | 2026-05-12 | 2026-06-17 |
| CVE-2023-27753 | An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file. | 8.0 | 0.33% | 2026-05-12 | 2026-06-17 |
| CVE-2023-46453 | Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000 GL-AR300M GL-B1300 GL-AX1800 GL-AR750S GL-MT2500 GL-AXT1800 GL-X3000 and GL-SFT1200. | 9.8 | 0.76% | 2026-05-08 | 2026-06-17 |
| CVE-2023-47268 | In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported. | 5.3 | 0.73% | 2026-05-08 | 2026-06-17 |
| CVE-2023-42346 | Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. | 7.5 | 0.23% | 2026-05-08 | 2026-06-17 |
| CVE-2023-42345 | A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. | 6.1 | 0.08% | 2026-05-08 | 2026-06-17 |
| CVE-2023-42344 | Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. | 7.3 | 2.23% | 2026-05-08 | 2026-06-17 |
| CVE-2023-42343 | A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type. | 6.1 | 0.59% | 2026-05-08 | 2026-06-17 |
| CVE-2023-54349 | AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when search history is viewed or results are displayed. | 5.1 | 0.27% | 2026-05-05 | 2026-06-17 |