CVE List – Find High-Risk & Exploited Vulnerabilities

Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.

Assigner (CNA / source): [email protected]

Showing 121–140 of 751 results (page 7 / 38)
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-22903 | An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections. | 9.8 | 0.67% | 2026-02-09 | 2026-06-17 |
| CVE-2022-50981 | An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. | 9.8 | 0.53% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50980 | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. | 6.5 | 0.21% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50979 | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). | 6.5 | 0.21% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50978 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). | 7.5 | 0.45% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50977 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. | 7.5 | 0.44% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50976 | A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB. | 7.7 | 0.14% | 2026-02-02 | 2026-06-17 |
| CVE-2022-50975 | An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. | 8.8 | 0.23% | 2026-02-02 | 2026-06-17 |
| CVE-2025-41728 | A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. | 5.3 | 0.31% | 2026-01-27 | 2026-06-17 |
| CVE-2025-41727 | A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. | 7.8 | 0.16% | 2026-01-27 | 2026-06-17 |
| CVE-2025-41726 | A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. | 8.8 | 0.35% | 2026-01-27 | 2026-06-17 |
| CVE-2025-41768 | A high privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting'). | 5.5 | 0.21% | 2026-01-20 | 2026-06-17 |
| CVE-2025-41717 | An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection'). | 8.8 | 0.50% | 2026-01-13 | 2026-06-17 |
| CVE-2024-2105 | An unauthorised attacker within Bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices. | 6.5 | 0.18% | 2025-12-10 | 2026-06-17 |
| CVE-2024-2104 | Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service which could render the device unusable. | 8.8 | 0.21% | 2025-12-10 | 2026-06-17 |
| CVE-2025-41732 | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise. | 9.8 | 0.37% | 2025-12-10 | 2026-06-17 |
| CVE-2025-41730 | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise. | 9.8 | 0.37% | 2025-12-10 | 2026-06-17 |
| CVE-2025-41752 | An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is | 7.1 | 8.24% | 2025-12-09 | 2026-06-17 |
| CVE-2025-41751 | An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is | 7.1 | 8.24% | 2025-12-09 | 2026-06-17 |
| CVE-2025-41750 | An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is | 7.1 | 8.40% | 2025-12-09 | 2026-06-17 |
cvelogic Threat Intelligence