Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-8654 | Improper input validation in Delphix Continuous Data connectors allows an authenticated user to execute arbitrary operating system commands on the staging or target host. | 8.7 | 0.23% | 2026-05-15 | 2026-05-15 |
| CVE-2026-6043 | P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces se | 8.8 | 0.46% | 2026-04-24 | 2026-04-24 |
| CVE-2025-5459 | A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0. | 8.6 | 0.43% | 2025-06-26 | 2025-10-14 |
| CVE-2025-3113 | A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This allows the user to explore the internal database schema and export its data, including the properties of Connecters and Rule Sets. | 9.0 | 0.34% | 2025-04-17 | 2026-04-15 |
| CVE-2025-2903 | An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login feature, can login via SSH gaining command-line control of the operating system. This allows an attacker to gain access to sensitive data stored on the VM, install malicious software, and disrupt or disable the functionality of the VM. | 8.5 | 0.17% | 2025-04-17 | 2026-04-15 |
| CVE-2024-10345 | In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified. Reported by Karol Więsek. | 8.7 | 0.47% | 2024-11-11 | 2026-04-15 |
| CVE-2024-10344 | In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the refuse function was identified. Reported by Karol Więsek. | 8.7 | 0.47% | 2024-11-11 | 2026-04-15 |
| CVE-2024-10314 | In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the auto-generation function was identified. Reported by Karol Więsek. | 8.7 | 0.47% | 2024-11-11 | 2026-04-15 |
| CVE-2024-9129 | In versions of Zend Server 8.5 and prior to version 9.2 a format string injection was discovered. Reported by Dylan Marino | 9.3 | 0.41% | 2024-10-22 | 2026-04-15 |
| CVE-2024-6726 | Versions of Delphix Engine prior to Release 25.0.0.0 contain a flaw which results in Remote Code Execution (RCE). | 8.8 | 0.74% | 2024-07-29 | 2026-04-15 |
| CVE-2024-3826 | In versions of Akana in versions prior to and including 2022.1.3 validation is broken when using the SAML Single Sign-On (SSO) functionality. | 8.6 | 0.34% | 2024-07-02 | 2026-04-15 |
| CVE-2024-2796 | A server-side request forgery (SSRF) was discovered in the Akana API Platform in versions prior to and including 2022.1.3. Reported by Jakob Antonsson. | 9.3 | 0.38% | 2024-04-18 | 2026-04-15 |
| CVE-2023-45849 | An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner. | 9.0 | 1.11% | 2023-11-08 | 2024-11-21 |
| CVE-2023-2530 | A privilege escalation allowing remote code execution was discovered in the orchestration service. | 9.8 | 1.11% | 2023-06-07 | 2025-08-26 |
| CVE-2022-3276 | Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise. | 8.4 | 1.57% | 2022-10-07 | 2024-11-21 |
| CVE-2022-3275 | Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise. | 8.4 | 2.09% | 2022-10-07 | 2024-11-21 |
| CVE-2021-27024 | A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD4PE) that results in a user with lower privileges being able to access a Puppet Enterprise API token. This issue is resolved in CD4PE 4.10.0 | 8.1 | 0.79% | 2021-11-18 | 2024-11-21 |
| CVE-2021-27023 | A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007 | 9.8 | 1.33% | 2021-11-18 | 2024-11-21 |
| CVE-2021-27020 | Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. | 8.8 | 1.03% | 2021-08-30 | 2024-11-21 |
| CVE-2021-27021 | A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. | 8.8 | 1.26% | 2021-07-20 | 2024-11-21 |