CVE List – Find High-Risk & Exploited Vulnerabilities

Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.

Assigner (CNA / source):[email protected] Remove this filter

Showing 6180 of 94 results
CVE Description Max CVSS EPSS % Published Updated
CVE-2020-7944 In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters can result in the Sensitive parameters ending up in the impact analysis report. 7.7 0.86% 2020-03-26 2026-06-16
CVE-2019-10695 When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the puppetlabs/cd4pe module. 6.5 0.88% 2019-12-11 2026-06-16
CVE-2021-27022 A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes). 4.9 0.88% 2021-09-07 2026-06-16
CVE-2022-0675 In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state. 5.6 0.88% 2022-03-02 2026-06-17
CVE-2018-6517 Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints for previously unknown hosts getting added to the user's known_hosts file without confirmation. In version 0.3.0 this is updated so that the user's known_hosts file is not updated by chloride. 7.5 0.89% 2019-03-21 2026-06-16
CVE-2017-2296 In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2. 6.5 0.90% 2018-02-01 2026-06-16
CVE-2023-45319 In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the commit function was identified. Reported by Jason Geffner.  7.5 0.95% 2023-11-08 2026-06-17
CVE-2023-5759 In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified. Reported by Jason Geffner.   7.5 0.95% 2023-11-08 2026-06-17
CVE-2023-35767 In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified. Reported by Jason Geffner.   7.5 0.95% 2023-11-08 2026-06-17
CVE-2017-10690 In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4 6.5 1.03% 2018-02-09 2026-06-16
CVE-2021-27020 Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. 8.8 1.07% 2021-08-30 2026-06-16
CVE-2018-11750 Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting a SSH connection. As of the 0.4.0 release of cisco_ios, host key checking is enabled by default. 6.5 1.07% 2018-10-02 2026-06-16
CVE-2019-10694 The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9. 9.8 1.09% 2019-12-11 2026-06-16
CVE-2023-2530 A privilege escalation allowing remote code execution was discovered in the orchestration service. 9.8 1.11% 2023-06-07 2026-06-17
CVE-2023-45849 An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner. 9.0 1.11% 2023-11-08 2026-06-17
CVE-2018-6513 Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run. This was possible through the loading of shared libraries from untrusted paths. 8.8 1.12% 2018-06-11 2026-06-16
CVE-2021-27025 A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. 6.5 1.15% 2021-11-18 2026-06-16
CVE-2017-2294 Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore. 7.5 1.16% 2017-07-05 2026-06-16
CVE-2017-2290 On Windows installations of the mcollective-puppet-agent plugin, version 1.12.0, a non-administrator user can create an executable that will be executed with administrator privileges on the next "mco puppet" run. Puppet Enterprise users are not affected. This is resolved in mcollective-puppet-agent 1.12.1. 8.8 1.23% 2017-03-03 2026-06-16
CVE-2021-27021 A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. 8.8 1.26% 2021-07-20 2026-06-16
cvelogic Threat Intelligence