Aggregates NVD, CVE and multi-source threat intelligence and analyzes high-risk issues such as RCE in depth. The system integrates the CVSS and EPSS models, dynamically tracks exploit resources and PoC publication status, and assesses exploitability. Combined with official patches and remediation guidance, it optimizes vulnerability management priorities, shortens response cycles, and protects assets.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2023-54365 | Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability. | 8.7 | 0.43% | 2026-06-23 | 2026-06-23 |
| CVE-2023-33854 | IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data using man in the middle techniques. | 5.3 | 0.20% | 2026-06-22 | 2026-06-23 |
| CVE-2023-45796 | A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability. | 8.1 | 0.35% | 2026-06-22 | 2026-06-22 |
| CVE-2023-45795 | A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device. | 7.8 | 0.15% | 2026-06-22 | 2026-06-22 |
| CVE-2023-54357 | Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration. | 8.7 | 0.35% | 2026-06-19 | 2026-06-22 |
| CVE-2023-54353 | Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path directories. Attackers with write access to C:\ or subdirectories like C:\Program Files (x86)\Personify\ can place a malicious Program.exe or PsyFrameGrabberService.exe file that executes with LocalSystem privileges when the service starts automatically at boot. | 8.5 | 0.12% | 2026-06-19 | 2026-06-23 |
| CVE-2023-32959 | Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MetroStore: from n/a through 1.3.2. | 4.3 | 0.18% | 2026-06-11 | 2026-06-17 |
| CVE-2023-25969 | Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through 1.8.4. | 5.4 | 0.18% | 2026-06-11 | 2026-06-17 |
| CVE-2023-40200 | Authorization bypass through User-Controlled key vulnerability in Essential Plugin WP Logo Showcase Responsive Slider and Carousel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Logo Showcase Responsive Slider and Carousel: from n/a through 3.6. | 5.3 | 0.19% | 2026-06-11 | 2026-06-17 |
| CVE-2023-33999 | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2. | 7.1 | 0.27% | 2026-06-11 | 2026-06-17 |
| CVE-2023-43688 | An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). There is a Heap buffer overflow in various buffer encryption utilities. | 7.5 | 0.22% | 2026-06-09 | 2026-06-17 |
| CVE-2023-43686 | An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). A large number of Firefox preference files can cause the parser to ignore other browser configuration files, leading to a denial of service. | 6.2 | 0.12% | 2026-06-09 | 2026-06-17 |
| CVE-2023-29146 | The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. This leads to an integer wrap-around if the data is larger than the maximum unsigned integer value (32-bit). Attackers could create a colliding hash value for two different strings by attaching 4GB of data to a string that is less than 4GB in size. | 8.2 | 0.12% | 2026-06-09 | 2026-06-17 |
| CVE-2023-54352 | WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands and upload additional files for persistent access. | 9.3 | 0.61% | 2026-06-07 | 2026-06-17 |
| CVE-2023-54351 | WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages. | 5.1 | 0.17% | 2026-06-07 | 2026-06-17 |
| CVE-2023-54350 | WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server. | 8.7 | 0.53% | 2026-06-07 | 2026-06-17 |
| CVE-2023-5502 | On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication. | 8.2 | 0.32% | 2026-06-04 | 2026-06-17 |
| CVE-2023-52951 | A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credentials. | 5.9 | 0.13% | 2026-06-03 | 2026-06-17 |
| CVE-2023-52945 | Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. | 7.8 | 0.14% | 2026-05-27 | 2026-06-17 |
| CVE-2023-7346 | Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses. | 4.1 | 0.14% | 2026-05-20 | 2026-06-17 |