聚合 NVD、CVE 及多源情报,深度解析 RCE 等高危风险。系统集成 CVSS 与 EPSS 模型,动态追踪 Exploit 资源与 PoC 公开状态,研判可利用性。结合官方补丁与修复方案,优化漏洞管理优先级,缩短响应周期,保障资产安全。
分配机构(CNA / 来源):[email protected] 移除此筛选
| CVE | 描述 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|
| CVE-2025-15265 | An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. | 5.3 | 0.04% | 2026-01-15 | 2026-01-23 |
| CVE-2025-15056 | A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3. | 5.1 | 0.06% | 2026-01-13 | 2026-04-20 |
| CVE-2025-14979 | AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6. | 8.5 | 0.01% | 2026-01-06 | 2026-04-09 |
| CVE-2025-13733 | BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoNTFS: 1.3.2. | 8.5 | 0.01% | 2025-12-12 | 2026-01-15 |
| CVE-2025-12843 | Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass. This issue affects waveterm: 0.12.2. | 6.9 | 0.02% | 2025-12-12 | 2026-01-05 |
| CVE-2025-9638 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portabilis i-Educar allows Stored Cross-Site Scripting (XSS) via the matricula_interna parameter in the educar_usuario_cad.php endpoint. This issue affects i-Educar: 2.10.0. | 4.8 | 0.03% | 2025-12-09 | 2025-12-11 |
| CVE-2025-10655 | SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.This issue affects Frappe HelpDesk: 1.14.0. | 8.6 | 0.03% | 2025-12-09 | 2026-04-14 |
| CVE-2025-11461 | Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1. | 7.1 | 0.04% | 2025-11-26 | 2025-12-19 |
| CVE-2025-9624 | A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4. | 8.3 | 0.02% | 2025-11-25 | 2025-12-15 |
| CVE-2025-11921 | iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.This issue affects iStats: 7.10.4. | 8.5 | 0.08% | 2025-11-24 | 2026-04-15 |
| CVE-2025-10751 | MacForge contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects MacForge: 1.2.0 Beta 1. | 8.5 | 0.01% | 2025-10-04 | 2025-12-22 |
| CVE-2025-10696 | OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0. | 7.1 | 0.04% | 2025-10-03 | 2026-06-01 |
| CVE-2025-10695 | Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker‑supplied destination. Both endpoints are exposed with permission => 'any', enabling unauthenticated SSRF for internal network scanning and service interaction. This issue affects OpenSupports: 4.11.0. | 6.9 | 0.05% | 2025-10-03 | 2025-12-22 |
| CVE-2025-10692 | The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0. | 7.1 | 0.05% | 2025-10-03 | 2026-04-15 |
| CVE-2025-9960 | A restriction bypass vulnerability in is-localhost-ip could allow attackers to perform Server-Side Request Forgery (SSRF). This issue affects is-localhost-ip: 2.0.0. | 6.9 | 0.06% | 2025-09-22 | 2026-04-15 |
| CVE-2025-9862 | Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources.This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3. | 6.1 | 0.02% | 2025-09-17 | 2026-02-24 |
| CVE-2025-54084 | OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. | 8.5 | 0.23% | 2025-09-09 | 2026-04-15 |
| CVE-2025-54083 | Insecure Storage of Sensitive Information vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows admin access to the web interface.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. | 5.1 | 0.02% | 2025-09-09 | 2026-04-15 |
| CVE-2025-7635 | Unauthenticated Telnet access vulnerability in Calix GigaCenter ONT allows root access.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. | 8.7 | 0.02% | 2025-09-09 | 2025-12-22 |
| CVE-2025-53914 | Excessive Privileges vulnerability in Calix GigaCenter ONT (Broadcom SoC modules) allows Privilege Abuse.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE, 812G, 813G, 818G. | 7.0 | 0.02% | 2025-09-09 | 2026-04-15 |