Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2022-4235 | RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application. This is possible because the application exposes an activity and does not properly validate the data it receives. | 5.4 | 0.57% | 2023-01-18 | 2026-06-17 |
| CVE-2022-42743 | deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited. | 5.3 | 0.61% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42744 | CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks. | 9.8 | 1.20% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42745 | CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE. | 7.5 | 0.80% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42746 | CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. | 6.1 | 1.13% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42747 | CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. | 6.1 | 1.07% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42748 | CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. | 6.1 | 1.07% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42749 | CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. | 6.1 | 1.07% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42750 | CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user. | 8.8 | 0.95% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42751 | CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions. | 8.8 | 0.42% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42753 | SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks. | 6.1 | 0.36% | 2022-11-03 | 2026-06-17 |
| CVE-2022-43983 | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL's that use the file:// protocol. | 8.2 | 0.64% | 2022-11-25 | 2026-06-17 |
| CVE-2022-43984 | Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol. | 8.2 | 0.61% | 2022-11-25 | 2026-06-17 |
| CVE-2022-45475 | Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. | 6.5 | 0.85% | 2022-11-25 | 2026-06-17 |
| CVE-2022-45476 | Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. | 9.8 | 0.95% | 2022-11-25 | 2026-06-17 |
| CVE-2023-0164 | OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function. | 8.8 | 1.38% | 2023-01-18 | 2026-06-17 |
| CVE-2023-0265 | Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | 8.8 | 1.60% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0325 | Uvdesk version 1.1.1 allows an unauthenticated remote attacker to exploit a stored XSS in the application. This is possible because the application does not correctly validate the message sent by the clients in the ticket. | 6.1 | 0.69% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0357 | Helpy version 2.8.0 allows an unauthenticated remote attacker to exploit an XSS stored in the application. This is possible because the application does not correctly validate the attachments sent by customers in the ticket. | 6.1 | 0.69% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0454 | OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path. | 8.1 | 0.99% | 2023-01-31 | 2026-06-17 |