Aggregates NVD, CVE and multi-source threat intelligence, with in-depth analysis of high-risk issues such as RCE. The system integrates the CVSS and EPSS models, dynamically tracks exploit resources and the public status of PoCs, and assesses exploitability. Combined with official patches and remediation plans, it optimises vulnerability management prioritisation, shortens response cycles, and safeguards assets.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2024-58351 | Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relies on vm2 for sandboxing, an attacker can abuse it to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server | 9.3 | N/A | 2026-06-20 | 2026-06-20 |
| CVE-2024-27928 | vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available. | 5.9 | 0.46% | 2026-06-17 | 2026-06-18 |
| CVE-2024-24769 | vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someone's mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. V | 2.1 | 0.48% | 2026-06-17 | 2026-06-18 |
| CVE-2024-47477 | Dell PowerFlex Manager, versions prior to 4.5.1.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. | 6.5 | 0.12% | 2026-06-17 | 2026-06-17 |
| CVE-2024-52488 | Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions. | 9.9 | 0.47% | 2026-06-17 | 2026-06-17 |
| CVE-2024-49269 | Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. | 7.1 | 0.24% | 2026-06-17 | 2026-06-17 |
| CVE-2024-37496 | Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.3.7. | 4.3 | 0.21% | 2026-06-17 | 2026-06-17 |
| CVE-2024-37210 | Missing Authorization vulnerability in ali2woo AliNext allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AliNext: from n/a through 3.3.5. | 6.5 | 0.27% | 2026-06-17 | 2026-06-17 |
| CVE-2024-35690 | Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data. This issue affects Widget Options: from n/a through 4.0.1. | 6.5 | 0.29% | 2026-06-17 | 2026-06-17 |
| CVE-2024-35648 | Cross-Site request forgery (CSRF) vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through 8.0. | 4.3 | 0.13% | 2026-06-17 | 2026-06-17 |
| CVE-2024-34810 | Cross-Site request forgery (CSRF) vulnerability in Extend Themes Skyline WP allows Cross Site Request Forgery. This issue affects Skyline WP: from n/a through 1.0.10. | 4.3 | 0.12% | 2026-06-17 | 2026-06-17 |
| CVE-2024-33909 | Missing Authorization vulnerability in Avirtum iPages Flipbook allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iPages Flipbook: from n/a through 1.5.1. | 5.3 | 0.25% | 2026-06-17 | 2026-06-17 |
| CVE-2024-33685 | Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Startupzy: from n/a through 1.1.1. | 4.3 | 0.15% | 2026-06-17 | 2026-06-17 |
| CVE-2024-32949 | Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through 1.3.8. | 8.3 | 0.29% | 2026-06-17 | 2026-06-17 |
| CVE-2024-32729 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in QuantumCloud Conversational Forms for ChatBot allows Path Traversal. This issue affects Conversational Forms for ChatBot: from n/a through 1.1.8. | 7.5 | 0.43% | 2026-06-17 | 2026-06-17 |
| CVE-2024-31435 | Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Media & Share Icons: from n/a through 2.8.6. | 4.3 | 0.21% | 2026-06-17 | 2026-06-17 |
| CVE-2024-24709 | Missing Authorization vulnerability in Shareaholic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shareaholic: from n/a through 9.7.11. | 4.3 | 0.19% | 2026-06-17 | 2026-06-17 |
| CVE-2024-39575 | update_disk_psu_baseline.sh requires password in plain text | 7.4 | 0.10% | 2026-06-16 | 2026-06-17 |
| CVE-2024-38487 | api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unintended actions. | 7.0 | 0.08% | 2026-06-16 | 2026-06-17 |
| CVE-2024-30476 | PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. A remote authenticated low-privileged malicious actor could potentially exploit this vulnerability, it could lead to script execution in the client browser. | 5.4 | 0.20% | 2026-06-16 | 2026-06-17 |