聚合 NVD、CVE 及多源情报,深度解析 RCE 等高危风险。系统集成 CVSS 与 EPSS 模型,动态追踪 Exploit 资源与 PoC 公开状态,研判可利用性。结合官方补丁与修复方案,优化漏洞管理优先级,缩短响应周期,保障资产安全。
分配机构(CNA / 来源):[email protected] 移除此筛选
| CVE | 描述 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|
| CVE-2026-57871 | Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files. This issue affects MicroRealEstate: through 1.0.0-alpha3. | 7.1 | 0.36% | 2026-07-07 | 2026-07-07 |
| CVE-2026-57870 | Broken object-level access control on the Template API in MicroRealEstate allows attackers to retrieve document templates used by other organizations without authorization. This issue affects MicroRealEstate: through 1.0.0-alpha3. | 5.3 | 0.21% | 2026-07-07 | 2026-07-07 |
| CVE-2026-57869 | Broken object-level access controls and the use of a deterministic pattern during random ID generation in MicroRealEstate allows attackers to access documents uploaded by landlords or tenants without authorization. This issue affects MicroRealEstate: through 1.0.0-alpha3. | 7.1 | 0.21% | 2026-07-07 | 2026-07-07 |
| CVE-2026-57868 | MicroRealEstate is affected by broken object-level access controls in PDF generator functionality. This issue affects MicroRealEstate: through 1.0.0-alpha3. | 7.1 | 0.21% | 2026-07-07 | 2026-07-07 |
| CVE-2026-57867 | MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords (OTP) to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3. | 8.8 | 0.34% | 2026-07-07 | 2026-07-07 |
| CVE-2025-5591 | Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. | 7.7 | 0.14% | 2026-01-04 | 2026-06-17 |
| CVE-2024-12223 | Prism Central versions prior to 2024.3.1 are vulnerable to a stored cross-site scripting attack via the Events component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. | 9.3 | 0.31% | 2025-08-19 | 2026-06-17 |
| CVE-2025-2394 | Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure. | 4.7 | 0.18% | 2025-05-22 | 2026-06-17 |
| CVE-2024-28097 | Calendar functionality in Schoolbox application before version 23.1.3 is vulnerable to stored cross-site scripting allowing authenticated attacker to perform security actions in the context of the affected users. | 7.3 | 0.37% | 2024-03-06 | 2026-06-17 |
| CVE-2024-28096 | Class functionality in Schoolbox application before version 23.1.3 is vulnerable to stored cross-site scripting allowing authenticated attacker to perform security actions in the context of the affected users. | 7.3 | 0.37% | 2024-03-06 | 2026-06-17 |
| CVE-2024-28095 | News functionality in Schoolbox application before version 23.1.3 is vulnerable to stored cross-site scripting allowing authenticated attacker to perform security actions in the context of the affected users. | 7.3 | 0.33% | 2024-03-06 | 2026-06-17 |
| CVE-2024-28094 | Chat functionality in Schoolbox application before version 23.1.3 is vulnerable to blind SQL Injection enabling the authenticated attackers to read, modify, and delete database records. | 8.8 | 0.55% | 2024-03-06 | 2026-06-17 |
| CVE-2023-6451 | Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms. | 8.6 | 0.53% | 2024-02-15 | 2026-06-17 |
| CVE-2023-4393 | HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization. | 5.4 | 0.33% | 2023-10-29 | 2026-06-17 |
| CVE-2023-27377 | Missing authentication in the StudentPopupDetails_EmergencyContactDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers. | 7.5 | 0.69% | 2023-10-25 | 2026-06-17 |
| CVE-2023-27376 | Missing authentication in the StudentPopupDetails_StudentDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers. | 7.5 | 0.69% | 2023-10-25 | 2026-06-17 |
| CVE-2023-27375 | Missing authentication in the StudentPopupDetails_ContactDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers. | 7.5 | 0.69% | 2023-10-25 | 2026-06-17 |
| CVE-2023-27262 | Unauthenticated SQL injection in the GetAssignmentsDue method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | 9.8 | 0.76% | 2023-10-25 | 2026-06-17 |
| CVE-2023-27261 | Missing authentication in the DeleteAssignments method in IDAttend’s IDWeb application 3.1.052 and earlier allows deletion of data by unauthenticated attackers. | 5.3 | 0.53% | 2023-10-25 | 2026-06-17 |
| CVE-2023-27260 | Unauthenticated SQL injection in the GetAssignmentsDue method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | 9.8 | 0.55% | 2023-10-25 | 2026-06-17 |