Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2023-5900 | Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | 3.5 | 0.24% | 2023-11-06 | 2026-06-17 |
| CVE-2023-4654 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1. | 3.5 | 0.29% | 2023-08-30 | 2026-06-17 |
| CVE-2023-3303 | Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9. | 3.5 | 0.36% | 2023-06-23 | 2026-06-17 |
| CVE-2023-2590 | Missing Authorization in GitHub repository answerdev/answer prior to 1.0.9. | 3.5 | 0.46% | 2023-05-09 | 2026-06-17 |
| CVE-2022-3274 | Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.7. | 3.5 | 0.36% | 2022-09-22 | 2026-06-17 |
| CVE-2022-1180 | Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | 3.5 | 0.57% | 2022-03-30 | 2026-06-17 |
| CVE-2023-4304 | Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22,2.1.0. | 3.8 | 0.48% | 2023-08-10 | 2026-06-17 |
| CVE-2023-1541 | Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6. | 3.8 | 0.64% | 2023-03-21 | 2026-06-17 |
| CVE-2023-1367 | Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | 3.8 | 0.43% | 2023-03-13 | 2026-06-17 |
| CVE-2023-5084 | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8. | 3.9 | 0.40% | 2023-09-20 | 2026-06-17 |
| CVE-2026-1163 | An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the | 4.1 | 0.21% | 2026-04-07 | 2026-06-17 |
| CVE-2024-2260 | A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token. | 4.2 | 0.43% | 2024-04-15 | 2026-06-17 |
| CVE-2024-8143 | In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with the user's name. By manipulating the /file endpoint, an authenticated user can enumerate and access files in other users' directories, leading to unauthorized access to private chat histories. This vulnerability can be exploited to read any user's priv | 4.3 | 0.48% | 2024-10-29 | 2026-06-17 |
| CVE-2024-8057 | In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credentials and link them to an existing connector. This issue arises because the system allows an unauthenticated attacker to sign up with a basic account and perform actions that should be restricted to admin users. This can lead to excessive resource consumption, potentially resulting in a Denial of Service (DoS) and other significant issues, impacting the system's stability and security. | 4.3 | 0.36% | 2025-03-20 | 2026-06-17 |
| CVE-2024-7476 | A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is resolved in version 1.4.3. | 4.3 | 1.40% | 2025-03-20 | 2026-06-17 |
| CVE-2024-7046 | An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/auths/admin/details interface to retrieve the first admin (owner) details. | 4.3 | 0.37% | 2025-03-20 | 2026-06-17 |
| CVE-2024-7045 | In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/prompts/ interface to retrieve all prompt information created by the admin, which includes the ID values. Subsequently, the attacker can exploit the /api/v1/prompts/command/{command_id} interface to obtain arbitrary prompt information. | 4.3 | 0.37% | 2025-03-20 | 2026-06-17 |
| CVE-2024-6583 | A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request. | 4.3 | 0.51% | 2025-03-20 | 2026-06-17 |
| CVE-2024-6582 | A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known. | 4.3 | 0.41% | 2024-09-13 | 2026-06-17 |
| CVE-2024-6086 | In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization. | 4.3 | 0.41% | 2024-06-27 | 2026-06-17 |