Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source): [email protected]
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2018-11751 | Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0. | 5.4 | 0.61% | 2019-12-16 | 2026-06-16 |
| CVE-2020-7945 | Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them. This is resolved in Continuous Delivery for Puppet Enterprise 4.0.1. | 5.5 | 0.31% | 2020-09-18 | 2026-06-16 |
| CVE-2018-11752 | Previous releases of the Puppet cisco_ios module output SSH session debug information including login credentials to a world readable file on every run. These issues have been resolved in the 0.4.0 release. | 5.5 | 0.27% | 2018-10-02 | 2026-06-16 |
| CVE-2017-10689 | In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability. | 5.5 | 0.37% | 2018-02-09 | 2026-06-16 |
| CVE-2022-0675 | In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state. | 5.6 | 0.88% | 2022-03-02 | 2026-06-17 |
| CVE-2024-8067 | In versions of Helix Core prior to 2024.1 Patch 2 (2024.1/2655224) a Windows ANSI API Unicode "best fit" argument injection was identified. | 5.8 | 0.20% | 2024-09-24 | 2026-06-17 |
| CVE-2024-7141 | Versions of Gliffy Online prior to version 4.14.0-7 contain a Cross Site Request Forgery (CSRF) flaw. | 5.9 | 0.19% | 2025-02-20 | 2026-06-17 |
| CVE-2024-3930 | In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered. | 6.3 | 0.31% | 2024-07-30 | 2026-06-17 |
| CVE-2024-11084 | Helix ALM prior to 2025.1 returns distinct error responses during authentication, allowing an attacker to determine whether a username exists. | 6.3 | 0.39% | 2025-04-15 | 2026-06-17 |
| CVE-2023-5214 | In Puppet Bolt versions prior to 3.27.4, a path to escalate privileges was identified. | 6.5 | 0.37% | 2023-10-06 | 2026-06-17 |
| CVE-2021-27025 | A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. | 6.5 | 1.15% | 2021-11-18 | 2026-06-16 |
| CVE-2020-7942 | Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes | 6.5 | 0.82% | 2020-02-19 | 2026-06-16 |
| CVE-2019-10695 | When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the puppetlabs/cd4pe module. | 6.5 | 0.88% | 2019-12-11 | 2026-06-16 |
| CVE-2018-11750 | Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting a SSH connection. As of the 0.4.0 release of cisco_ios, host key checking is enabled by default. | 6.5 | 1.07% | 2018-10-02 | 2026-06-16 |
| CVE-2017-2298 | The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. A compromised server could use this to write a file to an arbitrary location on the client with the filename appended with the string "_pub.pem". | 6.5 | 1.49% | 2017-06-30 | 2026-06-16 |
| CVE-2017-2296 | In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2. | 6.5 | 0.90% | 2018-02-01 | 2026-06-16 |
| CVE-2017-10690 | In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4. | 6.5 | 1.03% | 2018-02-09 | 2026-06-16 |
| CVE-2021-27017 | Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. This is resolved in the Puppet Agent 7.4.0 release. | 6.6 | 0.53% | 2025-02-07 | 2026-06-16 |
| CVE-2023-5309 | Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. | 6.8 | 0.50% | 2023-11-07 | 2026-06-17 |
| CVE-2025-1714 | Lack of rate limiting in the sign-up workflow in Perforce Gliffy prior to version 4.14.0-7 on Gliffy Online allows an attacker to enumerate valid user emails and potentially DoS the server. | 6.9 | 0.34% | 2025-03-05 | 2026-06-17 |