聚合 NVD、CVE 及多源情資,深度解析 RCE 等高危風險。系統整合 CVSS 與 EPSS 模型,動態追蹤 Exploit 資源與 PoC 公開狀態,研判可利用性。結合官方修補與修復方案,優化漏洞管理優先級,縮短回應週期,保障資產安全。
指派機構(CNA / 來源):[email protected] 移除此篩選
| CVE | 描述 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|
| CVE-2026-8804 | Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0. | 6.7 | 0.08% | 2026-07-03 | 2026-07-06 |
| CVE-2024-9160 | In versions of the PEADM Forge Module prior to 3.24.0 a security misconfiguration was discovered. | 5.4 | 0.16% | 2024-09-27 | 2026-06-17 |
| CVE-2025-2903 | An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login feature, can login via SSH gaining command-line control of the operating system. This allows an attacker to gain access to sensitive data stored on the VM, install malicious software, and disrupt or disable the functionality of the VM. | 8.5 | 0.17% | 2025-04-17 | 2026-06-17 |
| CVE-2024-3825 | Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw which results in credential enumeration | 4.3 | 0.17% | 2024-04-17 | 2026-06-17 |
| CVE-2025-10360 | In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise | 6.9 | 0.17% | 2025-09-24 | 2026-06-17 |
| CVE-2024-7141 | Versions of Gliffy Online prior to versions 4.14.0-7 contains a Cross Site Request Forgery (CSRF) flaw. | 5.9 | 0.19% | 2025-02-20 | 2026-06-17 |
| CVE-2024-8067 | In versions of Helix Core prior to 2024.1 Patch 2 (2024.1/2655224) a Windows ANSI API Unicode "best fit" argument injection was identified. | 5.8 | 0.20% | 2024-09-24 | 2026-06-17 |
| CVE-2025-13472 | A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI. | 5.3 | 0.21% | 2025-12-03 | 2026-06-17 |
| CVE-2024-5249 | In versions of Akana API Platform prior to 2024.1.0, SAML tokens can be replayed. | 5.4 | 0.22% | 2024-07-30 | 2026-06-17 |
| CVE-2026-8654 | Improper input validation in Delphix Continuous Data connectors allows an authenticated user to execute arbitrary operating system commands on the staging or target host. | 8.7 | 0.23% | 2026-05-15 | 2026-06-17 |
| CVE-2021-27026 | A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged | 4.4 | 0.24% | 2021-11-18 | 2026-06-16 |
| CVE-2025-14591 | In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked. | 5.3 | 0.24% | 2025-12-19 | 2026-06-17 |
| CVE-2016-9690 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none | 無 | 0.27% | 2017-05-11 | 2023-11-06 |
| CVE-2016-9689 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none | 無 | 0.27% | 2017-05-11 | 2023-11-06 |
| CVE-2016-9688 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none | 無 | 0.27% | 2017-05-11 | 2023-11-06 |
| CVE-2016-9687 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none | 無 | 0.27% | 2017-05-11 | 2023-11-06 |
| CVE-2018-11752 | Previous releases of the Puppet cisco_ios module output SSH session debug information including login credentials to a world readable file on every run. These issues have been resolved in the 0.4.0 release. | 5.5 | 0.27% | 2018-10-02 | 2026-06-16 |
| CVE-2018-11748 | Previous releases of the Puppet device_manager module creates configuration files containing credentials that are world readable. This issue has been resolved as of device_manager 2.7.0. | 7.8 | 0.28% | 2018-10-02 | 2026-06-16 |
| CVE-2024-5250 | In versions of Akana API Platform prior to 2024.1.0 overly verbose errors can be found in SAML integrations | 3.5 | 0.29% | 2024-07-30 | 2026-06-17 |
| CVE-2020-7945 | Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them. This is resolved in Continuous Delivery for Puppet Enterprise 4.0.1. | 5.5 | 0.31% | 2020-09-18 | 2026-06-16 |