This dashboard mirrors CISA's official Known Exploited Vulnerabilities (KEV) Catalog, focusing on active threats with confirmed in-the-wild exploitation. It supports lookup by CVE, vendor, or product so you can quickly check asset exposure and prioritize remediation by real-world threat rather than theoretical scores alone.
| CVE | Vulnerability Name | Vendor / Product | Date Added | Due Date | Summary |
|---|---|---|---|---|---|
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability | Mirasvit / Mirasvit Full Page Cache Warmer | 2026-06-03 | 2026-06-06 | Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit … |
| CVE-2025-48595 | Android Framework Integer Overflow Vulnerability | Android / Framework | 2026-06-02 | 2026-06-05 | In multiple locations, there is a possible way to achieve code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2022-0492 | Linux Kernel Improper Authentication Vulnerability | Linux / Kernel | 2026-06-02 | 2026-06-05 | A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpecte… |
| CVE-2024-21182 | Oracle WebLogic Server Unspecified Vulnerability | Oracle / WebLogic Server | 2026-06-01 | 2026-06-04 | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise… |
| CVE-2026-0257 | Palo Alto Networks PAN-OS Authentication Bypass Vulnerability | Palo Alto Networks / PAN-OS | 2026-05-29 | 2026-06-01 | Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues. |
| CVE-2026-8398 | Daemon Tools Lite Embedded Malicious Code Vulnerability | Daemon / Daemon Tools Lite | 2026-05-27 | 2026-05-30 | A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorize… |
| CVE-2026-48027 | Nx Console Embedded Malicious Code Vulnerability | Nx / Nx Console | 2026-05-27 | 2026-06-10 | Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detec… |
| CVE-2026-45321 | TanStack Unspecified Vulnerability | TanStack / TanStack | 2026-05-27 | 2026-06-10 | On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publis… |
| CVE-2026-48172 | LiteSpeed cPanel Plugin Privilege Escalation Vulnerability | LiteSpeed / cPanel Plugin | 2026-05-26 | 2026-05-29 | LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. … |
| CVE-2026-9082 | Drupal Core SQL Injection Vulnerability | Drupal / Core | 2026-05-22 | 2026-05-27 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.… |
| CVE-2026-34926 | Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability | Trend Micro / Apex One | 2026-05-21 | 2026-06-04 | A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-p… |
| CVE-2025-34291 | Langflow Origin Validation Error Vulnerability | Langflow / Langflow | 2026-05-21 | 2026-06-04 | Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite… |
| CVE-2026-45498 | Microsoft Defender Denial of Service Vulnerability | Microsoft / Defender | 2026-05-20 | 2026-06-03 | Microsoft Defender Denial of Service Vulnerability |
| CVE-2026-41091 | Microsoft Defender Link Following Vulnerability | Microsoft / Defender | 2026-05-20 | 2026-06-03 | Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally. |
| CVE-2010-0806 | Microsoft Internet Explorer Use-After-Free Vulnerability | Microsoft / Internet Explorer | 2026-05-20 | 2026-06-03 | Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wi… |
| CVE-2010-0249 | Microsoft Internet Explorer Use-After-Free Vulnerability | Microsoft / Internet Explorer | 2026-05-20 | 2026-06-03 | Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary… |
| CVE-2009-3459 | Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability | Adobe / Acrobat and Reader | 2026-05-20 | 2026-06-03 | Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these de… |
| CVE-2009-1537 | Microsoft DirectX NULL Byte Overwrite Vulnerability | Microsoft / DirectX | 2026-05-20 | 2026-06-03 | Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime medi… |
| CVE-2008-4250 | Microsoft Windows Buffer Overflow Vulnerability | Microsoft / Windows | 2026-05-20 | 2026-06-03 | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as explo… |
| CVE-2026-42897 | Microsoft Exchange Server Cross-Site Scripting Vulnerability | Microsoft / Microsoft | 2026-05-15 | 2026-05-29 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |