CVE List – Find High-Risk & Exploited Vulnerabilities

Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.

Assigner (CNA / source):[email protected] Remove this filter

Showing 6180 of 395 results
«« First « Prev Page 4 / 20 Next »
CVE Description Max CVSS EPSS % Published Updated
CVE-2023-0480 VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator's account. This is possible because the application is vulnerable to CSRF. 8.8 0.35% 2023-04-04 2026-06-17
CVE-2023-0486 VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance's administrator account via a malicious link. This is possible because the application is vulnerable to XSS. 6.1 0.36% 2023-04-04 2026-06-17
CVE-2023-0624 OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html. 6.1 0.49% 2023-02-09 2026-06-17
CVE-2023-0670 Ulearn version a5a7ca20de859051ea0470542844980a66dfc05d allows an attacker with administrator permissions to obtain remote code execution on the server through the image upload functionality. This occurs because the application does not validate that the uploaded image is actually an image. 7.2 1.02% 2023-04-05 2026-06-17
CVE-2023-0738 OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html. 6.1 0.49% 2023-04-04 2026-06-17
CVE-2023-0835 markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user. 8.2 0.60% 2023-04-04 2026-06-17
CVE-2023-0842 xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. 5.3 1.39% 2023-04-05 2026-06-17
CVE-2023-0944 Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user. 4.3 0.48% 2023-04-05 2026-06-17
CVE-2023-0959 Bhima version 1.27.0 allows a remote attacker to update the privileges of any account registered in the application via a malicious link sent to an administrator. This is possible because the application is vulnerable to CSRF. 6.5 0.75% 2023-04-05 2026-06-17
CVE-2023-0967 Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform. 6.5 0.67% 2023-04-05 2026-06-17
CVE-2023-1031 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter. 8.8 1.42% 2023-05-08 2026-06-17
CVE-2023-1094 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/food` endpoint and food parameter. 8.8 1.17% 2023-05-08 2026-06-17
CVE-2023-1721 Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators. 9.1 0.99% 2023-06-23 2026-06-17
CVE-2023-1722 Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators. 9.1 0.36% 2023-06-23 2026-06-17
CVE-2023-1724 Faveo Helpdesk Enterprise version 6.0.1 allows an attacker with agent permissions to perform privilege escalation on the application. This occurs because the application is vulnerable to stored XSS. 7.3 0.47% 2023-06-23 2026-06-17
CVE-2023-1783 OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF. 6.5 0.58% 2023-06-23 2026-06-17
CVE-2023-2268 Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users. 7.1 0.57% 2023-07-15 2026-06-17
CVE-2023-2507 CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker. This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them. 9.3 0.67% 2023-07-15 2026-06-17
CVE-2023-2508 The `PaperCutNG Mobility Print` version 1.0.3512 application allows an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the clients host (in the "configure printer discovery" section). This is possible because the application has no protections against CSRF attacks, like Anti-CSRF tokens, header origin validation, samesite cookies, etc. 5.3 0.23% 2023-09-20 2026-06-17
CVE-2023-2533 KEV A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes. 8.4 29.25% 2023-06-20 2026-06-17
«« First « Prev Page 4 / 20 Next »
cvelogic Threat Intelligence