Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2022-25222 | Money Transfer Management System Version 1.0 allows an unauthenticated user to inject SQL queries in 'admin/maintenance/manage_branch.php' and 'admin/maintenance/manage_fee.php' via the 'id' parameter. | 9.8 | 1.62% | 2022-03-23 | 2026-06-17 |
| CVE-2022-25226 | ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server. | 10.0 | 10.87% | 2022-04-18 | 2026-06-17 |
| CVE-2022-25227 | Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE. | 8.8 | 0.62% | 2022-05-20 | 2026-06-17 |
| CVE-2022-41711 | Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | 9.8 | 1.55% | 2022-10-25 | 2026-06-17 |
| CVE-2022-42750 | CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user. | 8.8 | 0.95% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42751 | CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions. | 8.8 | 0.42% | 2022-11-03 | 2026-06-17 |
| CVE-2022-42744 | CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks. | 9.8 | 1.20% | 2022-11-03 | 2026-06-17 |
| CVE-2022-23044 | Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. | 8.8 | 0.42% | 2022-11-25 | 2026-06-17 |
| CVE-2022-43983 | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL's that use the file:// protocol. | 8.2 | 0.64% | 2022-11-25 | 2026-06-17 |
| CVE-2022-43984 | Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol. | 8.2 | 0.61% | 2022-11-25 | 2026-06-17 |
| CVE-2022-41705 | Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | 9.8 | 1.81% | 2022-11-25 | 2026-06-17 |
| CVE-2022-41706 | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method. | 8.2 | 0.61% | 2022-11-25 | 2026-06-17 |
| CVE-2022-45476 | Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. | 9.8 | 0.95% | 2022-11-25 | 2026-06-17 |
| CVE-2023-0164 | OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function. | 8.8 | 1.38% | 2023-01-18 | 2026-06-17 |
| CVE-2023-0454 | OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path. | 8.1 | 0.99% | 2023-01-31 | 2026-06-17 |
| CVE-2023-0265 | Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | 8.8 | 1.60% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0480 | VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator's account. This is possible because the application is vulnerable to CSRF. | 8.8 | 0.35% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0835 | markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user. | 8.2 | 0.60% | 2023-04-04 | 2026-06-17 |
| CVE-2023-1031 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter. | 8.8 | 1.42% | 2023-05-08 | 2026-06-17 |
| CVE-2023-1094 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/food` endpoint and food parameter. | 8.8 | 1.17% | 2023-05-08 | 2026-06-17 |