本看板同步 CISA 官方「已遭利用漏洞目录」,聚焦真实在野利用的活跃威胁,支持按 CVE、厂商或产品检索,快速核对资产风险,以实际威胁而非仅理论分数驱动修复优先级。
| CVE | 漏洞名称 | 厂商 / 产品 | 收录日期 | 截止日期 | 摘要 |
|---|---|---|---|---|---|
| CVE-2026-56291 | Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability | Balbooa / Forms | 2026-07-10 | 2026-07-13 | The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. |
| CVE-2026-48939 | iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability | iCagenda / iCagenda | 2026-07-10 | 2026-07-13 | A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution. |
| CVE-2026-56290 | Joomlack Page Builder Improper Access Control Vulnerability | Joomlack / Page Builder | 2026-07-07 | 2026-07-10 | The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. |
| CVE-2026-55255 | Langflow Authorization Bypass Through User-Controlled Key Vulnerability | Langflow / Langflow | 2026-07-07 | 2026-07-10 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the v… |
| CVE-2026-48908 | JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability | JoomShaper / SP Page Builder | 2026-07-07 | 2026-07-10 | A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. |
| CVE-2026-48282 | Adobe ColdFusion Path Traversal Vulnerability | Adobe / ColdFusion | 2026-07-07 | 2026-07-10 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not requ… |
| CVE-2026-45659 | Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability | Microsoft / SharePoint Server | 2026-07-01 | 2026-07-04 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
| CVE-2026-48558 | SimpleHelp Authentication Bypass Vulnerability | SimpleHelp / SimpleHelp | 2026-06-29 | 2026-07-02 | SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic sign… |
| CVE-2026-20230 | Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability | Cisco / Unified Communications Manager | 2026-06-25 | 2026-06-28 | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected devi… |
| CVE-2026-12569 | PTC Windchill and FlexPLM Improper Input Validation Vulnerability | PTC / Windchill and FlexPLM | 2026-06-25 | 2026-06-28 | A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified vulnerability… |
| CVE-2026-34910 | Ubiquiti UniFi OS Improper Input Validation Vulnerability | Ubiquiti / UniFi OS | 2026-06-23 | 2026-06-26 | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. |
| CVE-2026-34909 | Ubiquiti UniFi OS Path Traversal Vulnerability | Ubiquiti / UniFi OS | 2026-06-23 | 2026-06-26 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. |
| CVE-2026-34908 | Ubiquiti UniFi OS Improper Access Control Vulnerability | Ubiquiti / UniFi OS | 2026-06-23 | 2026-06-26 | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. |
| CVE-2025-67038 | Lantronix EDS5000 Code Injection Vulnerability | Lantronix / EDS5000 | 2026-06-23 | 2026-06-26 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS comman… |
| CVE-2026-20253 | Splunk Enterprise Missing Authentication for Critical Function Vulnerability | Splunk / Enterprise | 2026-06-18 | 2026-06-21 | In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authenticat… |
| CVE-2026-48907 | Widget Factory Joomla Content Editor Improper Access Control Vulnerability | Widget Factory / Joomla Content Editor | 2026-06-16 | 2026-06-19 | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. |
| CVE-2026-54420 | LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability | LiteSpeed / cPanel Plugin | 2026-06-15 | 2026-06-18 | LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026. |
| CVE-2026-20262 | Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability | Cisco / Catalyst SD-WAN Manager | 2026-06-15 | 2026-06-29 | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does n… |
| CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability | Oracle / PeopleSoft Enterprise PeopleTools | 2026-06-12 | 2026-06-15 | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP t… |
| CVE-2026-10520 | Ivanti Sentry OS Command Injection Vulnerability | Ivanti / Sentry | 2026-06-11 | 2026-06-14 | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution |