Aggregates NVD, CVE and multi-source threat intelligence for in-depth analysis of high-risk vulnerabilities such as RCE. The system integrates the CVSS and EPSS models, dynamically tracks exploit resources and the public status of PoCs, and assesses exploitability. Combined with official patches and remediation plans, it optimizes vulnerability-management prioritization, shortens response cycles, and protects asset security.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2025-32423 | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in ExtractTextInformationBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32. | 5.3 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-32394 | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in AITextSummarizerBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32. | 5.3 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-11919 | The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically | 9.6 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-68075 | Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions. | 6.5 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-68074 | Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions. | 6.5 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-68064 | Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions. | 7.5 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-68063 | Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions. | 7.5 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-68052 | Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions. | 8.8 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-66123 | Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions. | 5.3 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-64637 | Unauthenticated Content Injection in Auros Core <= 5.3.1 versions. | 5.3 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-64636 | Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions. | 5.3 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-63079 | Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions. | 4.3 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-63078 | Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions. | 4.3 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-63041 | Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions. | 5.4 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-64152 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.6 and 2.0.7, which fixes the issue. | 9.1 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-55017 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0 before 1.3.6. Users are recommended to upgrade to version 1.3.6 and 2.0.6, which fixes the issue. | 9.1 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-7958 | A Code Injection vulnerability existed in Trellix Network Security CM and NX. A locally authenticated admin user can execute arbitrary code using the web interface and Alert artifact details. | 7.1 | None | 2026-06-26 | 2026-06-26 |
| CVE-2025-10268 | The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through 2.4.8 is vulnerable to path traversal which makes it possible for the attacker to retrieve the directory listing for arbitrary directories on the server. | 5.3 | 0.16% | 2026-06-26 | 2026-06-26 |
| CVE-2025-71340 | picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in __reduce__ methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when the file is loaded via pickle.load(), enabling supply chain attacks on PyTorch models and saved Python objects. This is fixed in version 0.0.30. | 7.6 | 0.30% | 2026-06-25 | 2026-06-26 |
| CVE-2025-71338 | Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts. | 10.0 | 0.61% | 2026-06-25 | 2026-06-26 |