Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2021-25296 KEV | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | 8.8 | 71.74% | 2021-02-15 | 2026-07-06 |
| CVE-2021-25297 KEV | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | 8.8 | 42.94% | 2021-02-15 | 2026-07-06 |
| CVE-2021-25298 KEV | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | 8.8 | 75.16% | 2021-02-15 | 2026-07-06 |
| CVE-2021-42237 KEV | Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. | 9.8 | 99.21% | 2021-11-05 | 2026-07-06 |
| CVE-2023-38950 KEV | A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime. | 7.5 | 84.88% | 2023-08-03 | 2026-07-06 |
| CVE-2022-26258 KEV | D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp. | 9.8 | 81.19% | 2022-03-27 | 2026-07-06 |
| CVE-2025-67038 KEV | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges. | 9.8 | 1.13% | 2026-03-11 | 2026-07-06 |
| CVE-2025-44619 | Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without authentication. | 9.1 | 0.34% | 2025-05-29 | 2026-07-05 |
| CVE-2024-40583 | Pentaminds CuroVMS v2.0.1 was discovered to contain exposed credentials. | 9.1 | 0.63% | 2024-12-09 | 2026-07-05 |
| CVE-2024-40582 | Pentaminds CuroVMS v2.0.1 was discovered to contain exposed sensitive information. | 7.5 | 0.36% | 2024-12-09 | 2026-07-05 |
| CVE-2026-38936 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter | 6.1 | 0.24% | 2026-04-27 | 2026-07-05 |
| CVE-2026-38935 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter | 6.1 | 0.24% | 2026-04-27 | 2026-07-05 |
| CVE-2026-38934 | Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php | 8.8 | 0.23% | 2026-04-27 | 2026-07-05 |
| CVE-2026-38931 | A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload. | 5.4 | 0.21% | 2026-05-27 | 2026-07-05 |
| CVE-2026-38930 | OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the name cookie parameter. | 6.5 | 0.32% | 2026-05-27 | 2026-07-05 |
| CVE-2026-36356 | The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint. | 9.1 | 14.41% | 2026-05-05 | 2026-07-05 |
| CVE-2026-36239 | PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality | 4.3 | 0.31% | 2026-05-26 | 2026-07-05 |
| CVE-2026-36182 | GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing attackers to obtain root credentials and privileges via a bruteforce attack. | 9.8 | 0.23% | 2026-06-04 | 2026-07-05 |
| CVE-2026-36180 | A lack of runtime integrity in GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass file system read-only protections and modify system files and binaries for the duration of a boot session via a bind-mount attack. | 4.6 | 0.14% | 2026-06-04 | 2026-07-05 |
| CVE-2026-36178 | The factory reset functionality in GNCC GP5 v7.1.76 fails to clear sensitive cryptographic material in the JFFS2 configuration partition, possibly allowing attackers to recover and obtain sensitive user data. | 4.6 | 0.16% | 2026-06-04 | 2026-07-05 |