CVE List – Find High-Risk & Exploited Vulnerabilities

Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.

Assigner (CNA / source):[email protected] Remove this filter

Showing 120 of 204 results
«« First « Prev Page 1 / 11 Next »
CVE Description Max CVSS EPSS % Published Updated
CVE-2026-14871 osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem. 7.1 0.31% 2026-07-17 2026-07-17
CVE-2026-10850 Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint. 6.9 0.24% 2026-06-17 2026-06-23
CVE-2026-8406 openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value. 7.1 0.24% 2026-06-11 2026-06-17
CVE-2026-2638 A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allow a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption. 7.3 0.08% 2026-06-09 2026-06-17
CVE-2026-5385 An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7. 8.4 0.42% 2026-06-02 2026-06-17
CVE-2026-7460 mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding. This issue affects mailcow-dockerized: 2026-03b. 7.4 0.32% 2026-05-20 2026-06-17
CVE-2026-6093 Corteza contains a SQL injection vulnerability in its Microsoft SQL Server (MSSQL) backend when filtering Compose records by the meta field.This issue affects corteza: 2024.9.8. 6.0 0.21% 2026-05-11 2026-06-17
CVE-2026-5394 An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3. 7.0 0.35% 2026-04-27 2026-06-17
CVE-2026-2637 iBoysoft NTFS for Mac contains a local privilege escalation vulnerability in its privileged helper daemon ntfshelperd. The daemon exposes an NSConnection service that runs as root without implementing any authentication or authorization checks. This issue affects iBoysoft NTFS: 8.0.0. 8.5 0.17% 2026-03-03 2026-06-17
CVE-2026-2293 A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13. 8.2 0.68% 2026-02-27 2026-07-14
CVE-2026-0924 BuhoCleaner contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoCleaner: 1.15.2. 7.3 0.16% 2026-02-02 2026-06-17
CVE-2025-15104 Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses.This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f 6.9 0.43% 2026-01-16 2026-06-17
CVE-2025-14979 AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6. 8.5 0.15% 2026-01-06 2026-06-17
CVE-2025-13733 BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoNTFS: 1.3.2. 8.5 0.19% 2025-12-12 2026-06-17
CVE-2025-12843 Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass. This issue affects waveterm: 0.12.2. 6.9 0.18% 2025-12-12 2026-06-17
CVE-2025-10655 SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.This issue affects Frappe HelpDesk: 1.14.0. 8.6 0.47% 2025-12-09 2026-06-17
CVE-2025-11461 Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1. 7.1 0.30% 2025-11-26 2026-06-17
CVE-2025-9624 A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4. 8.3 0.45% 2025-11-25 2026-06-17
CVE-2025-11921 iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.This issue affects iStats: 7.10.4. 8.5 0.56% 2025-11-24 2026-06-17
CVE-2025-10751 MacForge contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects MacForge: 1.2.0 Beta 1. 8.5 0.18% 2025-10-03 2026-06-17
«« First « Prev Page 1 / 11 Next »
cvelogic Threat Intelligence