Aggregates NVD, CVE and multi-source threat intelligence and analyses high-risk classes such as RCE in depth. The system integrates the CVSS and EPSS models, tracks exploit resources and public PoC status dynamically, and assesses exploitability. Combined with vendor patches and remediation guidance, it prioritises vulnerability management, shortens response cycles and protects assets.
Assigning organisation (CNA / source): [email protected]
| CVE | Description | Max CVSS | EPSS % | Published | Last updated |
|---|---|---|---|---|---|
| CVE-2026-50767 | A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg). | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-50766 | A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes). | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-50765 | Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field). | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-38571 | Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbitrary memory via the serial console. | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-36908 | A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-36907 | A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-36478 | An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components. | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-39031 | Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required. | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-38641 | An issue in the DSO::mmap_and_copy function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via loading a crafted shared library. | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-38639 | An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input. | n/a | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-30041 | An integer overflow in the PSD parser component of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file. | 7.5 | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-30040 | A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file. | 6.5 | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-57940 | HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a r | 2.1 | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-57920 | Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints. | 7.7 | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-57918 | libnfs through 6.0.2 before 935b8db has an xid integer underflow in READ_IOVEC in rpc_read_from_socket in lib/socket.c during a connection to a crafted NFS server, when the expected pdu size exceeds the absolute pdu size from the xid/record-marker. | 7.1 | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-57913 | Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts. | 7.5 | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-57912 | Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers. | 7.5 | n/a | 2026-06-26 | 2026-06-26 |
| CVE-2026-38640 | A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string. | 7.5 | 0.17% | 2026-06-25 | 2026-06-26 |
| CVE-2026-38637 | An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input. | 7.5 | 0.17% | 2026-06-25 | 2026-06-26 |
| CVE-2026-37452 | Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component. | 7.5 | 0.22% | 2026-06-25 | 2026-06-26 |